While I am starting to understand, there is one more thing I do not quite get.
The normative case is for the client to send a token request to the SAML authority, and get a SAML token in return. The client then sends the message plus the token to the web service in question (probably SOAP).
My question is, how does the web service validate that the token is valid? Does he hit the SAML authority? How does that work?