// See also WSS4J SAMLUtil.getCredentialFromKeyInfo
KeyInfo keyInfo = signature.getKeyInfo();
X509Certificate cert = keyInfo.getX509Certificate();
if (cert != null) {
valid = signature.checkSignatureValue(cert);
} else {
PublicKey pk = keyInfo.getPublicKey();
if (pk != null) {
valid = signature.checkSignatureValue(pk);
}