The W3 provides a standards for XML Signatures. In quick summary, a subset of an XML document is hashed, then the digest is signed with a private key and the result is added to the document as new elements. The receiver can repeat the hash and decode the signature using a public key.
There is no particular requirement how the public key is obtained. The receiver may just know it. However, the sender is allowed to include XML structures containing a KeyInfo element with the Public key. To be self-validating, however, the most common contents of a KeyInfo would be an X.509 Certificate.
This is one of the methods of Authentication defined by the SAML 2.0 standard. We probably would not have though of it otherwise. Web Services security is built on top of XML Signatures. Therefore, when CAS is extended to support Web Services requests for tickets, some form of XML Signature validation will be a plausible method of validating the requestor.