Assuming you trust the metadata registration practices of the InCommon Federation, you will want to verify the XML signature on each and every metadata aggregate you consume. Failure to do so will seriously compromise your metadata refresh process.
To verify the XML signature on a SAML metadata aggregate, you need an authentic copy of the metadata signing certificate, that is, the certificate that contains the public key corresponding to the private metadata signing key. The certificate must be obtained securely since all subsequent operations depend on it.
You may check the integrity of the downloaded certificate in a variety of ways. For example, on a GNU/Linux system, you could use
openssl to check the integrity of the metadata signing certificate as follows:
Once the certificate file is locally installed, you can use it to verify the signature on the metadata file.