This is a basic question about SAML protocol and how it specifies verification of a SAML token.
Looking an different diagrams and resources, it looks like the service provider doesn't need to make calls to the Identity Provider (IdP) in order to verify a SAML token.
I am interested in clarifying step 5 (Request the Assertion Consumer Service at the SP) from wikiSAMPL_wiki.
Mainly token verification is done on Service Provider without additional calls to IdP.
Token validation consists of the 3 steps:
1.Verify token is well-formed
2.Verify token is coming from the intended authority
3.Verify token is meant for the current application
Is this assumption right ?
From a very high level, yes, your three steps are correct.
More specific:
1 will include decoding the base64 encoded response, checking against schema, etc.
2 will be done via signature validation, checking the authority, seeing if it's a response to a sent AuthnRequest and matching it, etc.
3 comes from checking the relay state and ensuring that it is a location that is "protected" by the service provider