One use case:
When a PicketLink SP receives a SAML assertion from the IDP, we save the assertion in the HttpSession.
Your application code can then call EJBs using this SAML assertion (taken from the HttpSession) as the security token. At the receiving end, the STS login modules configured for the EJB can validate this token by:
a) Check for issuer
b) Check for expiration
c) Validate the signature of the token
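The three checks above, as an added Java example (not PicketLink's own code; its STS login modules do this internally). It assumes the assertion was parsed with a namespace-aware DOM parser, that the caller supplies the expected issuer name and the IDP's signing public key (normally taken from the IDP metadata), and that the assertion carries an enveloped XML signature whose Reference points at the assertion's own ID:

```java
import java.security.PublicKey;
import java.time.Instant;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

public class AssertionCheck {
    static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Returns null when the assertion passes all three checks, otherwise the reason it was rejected.
    // assertionDoc must come from a namespace-aware parser; idpKey is the IDP's signing key (assumed input).
    public static String validate(Document assertionDoc, String expectedIssuer, PublicKey idpKey, Instant now) throws Exception {
        Element assertion = assertionDoc.getDocumentElement();
        // a) Issuer: must be a direct child of the Assertion and name the IDP this SP trusts
        Node issuer = directChild(assertion, SAML_NS, "Issuer");
        if (issuer == null || !expectedIssuer.equals(issuer.getTextContent().trim())) {
            return "issuer mismatch";
        }
        // b) Expiration: Conditions/@NotOnOrAfter (and @NotBefore) against the caller's clock
        Element conds = (Element) directChild(assertion, SAML_NS, "Conditions");
        if (conds == null) return "no Conditions element";
        if (conds.hasAttribute("NotOnOrAfter")
                && !now.isBefore(Instant.parse(conds.getAttribute("NotOnOrAfter")))) return "assertion expired";
        if (conds.hasAttribute("NotBefore")
                && now.isBefore(Instant.parse(conds.getAttribute("NotBefore")))) return "assertion not yet valid";
        // c) Signature: enveloped ds:Signature that is a direct child and references this Assertion's ID
        Node sigNode = directChild(assertion, XMLSignature.XMLNS, "Signature");
        if (sigNode == null) return "unsigned assertion";
        DOMValidateContext ctx = new DOMValidateContext(idpKey, sigNode);
        ctx.setIdAttributeNS(assertion, null, "ID"); // lets the Reference URI "#<ID>" resolve without a schema
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        Reference ref = (Reference) sig.getSignedInfo().getReferences().get(0);
        if (!("#" + assertion.getAttribute("ID")).equals(ref.getURI())) return "signature covers another element";
        if (!sig.validate(ctx)) return "signature invalid";
        return null;
    }

    // Only direct children count, so an element nested elsewhere in the document cannot stand in for the real one.
    static Node directChild(Element parent, String ns, String local) {
        NodeList kids = parent.getChildNodes();
        for (int i = 0; i < kids.getLength(); i++) {
            Node n = kids.item(i);
            if (n.getNodeType() == Node.ELEMENT_NODE && ns.equals(n.getNamespaceURI()) && local.equals(n.getLocalName())) return n;
        }
        return null;
    }
}
```

The Reference URI check matters because the signature only proves integrity of the element it references; validating it without confirming that the referenced element is the assertion being trusted leaves the other two checks unprotected.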