-
1. Re: SP Assertion validation between requests
anil.saldhana Nov 17, 2011 12:02 PM (in response to pcraveiro)
The Assertion is contained in the SAMLResponse, which is part of the HTTP response from the IDP. It travels via the URL for the redirect binding and as a form parameter in the POST binding.
-
2. Re: SP Assertion validation between requests
pcraveiro Nov 21, 2011 7:24 AM (in response to anil.saldhana)
I'm asking this for two reasons:
1) If the user has an active security context in an SP, his token will never be validated again for requests sent after the IDP's response (if the SAMLResponse is not propagated between the requests). While the user's session is valid he will have access to the SP's resources even with an expired token. I just want to know if this is the expected behaviour...
2) Suppose I have an SP 1 using IDP 1 and an SP 2 using IDP 2. I have also configured a trust relationship between both IDPs. When the user is authenticated in SP 1 and he wants to access SP 2, the assertion needs to be propagated. Which is the best way to do that? Today I'm using the same SAMLResponse returned by IDP 1 to SP 1 to call SP 2... Is this a good approach?
-
3. Re: SP Assertion validation between requests
anil.saldhana Nov 21, 2011 2:18 PM (in response to pcraveiro)
Pedro Igor wrote:
I'm asking this for two reasons:
1) If the user has an active security context in an SP, his token will never be validated again for requests sent after the IDP's response (if the SAMLResponse is not propagated between the requests). While the user's session is valid he will have access to the SP's resources even with an expired token. I just want to know if this is the expected behaviour...
In an ideal world, the session at the SP should be equal to the token expiration time. In a practical world, we suggest that the SP administrator should configure the session lengths to what the IDP administrator has given to them (with respect to token expiration).
2) Suppose I have an SP 1 using IDP 1 and an SP 2 using IDP 2. I have also configured a trust relationship between both IDPs. When the user is authenticated in SP 1 and he wants to access SP 2, the assertion needs to be propagated. Which is the best way to do that? Today I'm using the same SAMLResponse returned by IDP 1 to SP 1 to call SP 2... Is this a good approach?
It is not clearly defined how the trust relationship between IDP1 and IDP2 is defined from a token perspective. So when SP2 gets a token issued by IDP1, it needs to validate it with IDP2 via back channel calls (SOAP profile maybe). IDP2 decides whether it should approve it or not (it may have its own back channel communication with IDP1). This is an advanced use case which matches the discussion at http://community.jboss.org/thread/174647?tstart=0
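Added example (not code from this thread or from PicketLink) showing the two points above from the SP side: the SP session is capped at the assertion's NotOnOrAfter so an expired token cannot ride on a long container session, and the AudienceRestriction check is why an assertion issued for SP 1 cannot simply be replayed at SP 2. The SAMLResponse, entity IDs and timestamps are constructed, and XML signature verification is assumed to happen before this code runs.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

# Constructed sample: a minimal, unsigned SAMLResponse (a real SP verifies the IDP signature first).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2011-11-21T12:00:00Z">
    <saml:Issuer>https://idp1.example.test/idp</saml:Issuer>
    <saml:Subject><saml:NameID>pedro</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2011-11-21T12:00:00Z" NotOnOrAfter="2011-11-21T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp1.example.test/sp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def parse_ts(s):
    """SAML dateTime in UTC ('Z' suffix) -> timezone-aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(response_xml, my_audience, now):
    """Evaluate the assertion's Conditions at time `now` for this SP's entity ID."""
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS)
    not_before, not_on_or_after = parse_ts(cond.get("NotBefore")), parse_ts(cond.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        return {"ok": False, "reason": "outside validity window"}
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if my_audience not in audiences:
        # An assertion issued for SP 1 is not usable as-is at SP 2.
        return {"ok": False, "reason": "audience mismatch"}
    subject = assertion.find("saml:Subject/saml:NameID", NS).text
    return {"ok": True, "subject": subject, "expires_at": not_on_or_after}

class SpSession:
    """Security context whose lifetime is capped by NotOnOrAfter, so the session cannot outlive the token."""
    def __init__(self, subject, expires_at):
        self.subject, self.expires_at = subject, expires_at
    def is_valid(self, now):
        return now < self.expires_at

def login(response_xml, my_audience, now):
    """Create a session only from a currently valid assertion; return None otherwise."""
    result = check_assertion(response_xml, my_audience, now)
    return SpSession(result["subject"], result["expires_at"]) if result["ok"] else None
```

Each later request calls `session.is_valid(now)` in addition to the container's own session check, which is the practical form of "session length equals token expiration".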