# File lib/gapps_openid.rb, line 291
    def self.verify(xml, signature_value) 
      doc = REXML::Document.new(xml)

      return nil if REXML::XPath.first(doc, "//ds:Signature").nil? and signature_value.nil?    

      decoded_sig = Base64.decode64(signature_value)
      certs = self.parse_certificates(doc)
      raise "No signature in document" if certs.nil? or certs.empty?
      raise "Missing signature value" if signature_value.nil?


      signing_certificate = certs.first
      raise "Invalid signature" if !signing_certificate.public_key.verify(OpenSSL::Digest::SHA1.new, decoded_sig, xml)
      raise "Certificate chain not valid" if !self.valid_chain?(certs)

      # Signature is valid, return CN of the subject
      subject = signing_certificate.subject.to_a
      signed_by = subject.last[1]
      return signed_by
    end