Assuming the use case where the client gets a token from a SAML authority (IdP) and sends the token to a web service:
On a previous thread an expert posted the following concerning how a web service validates incoming tokens:
it comes back signed using the public key of the identity organization and you check that the signature is valid (chain of trust, not expired)
I assume that the web service does not go to the IdP, but will write its own code in order to validate the message.
Do products like Shibboleth provide any tools to assist in the validation of the token?