What do different SAML token validation calls specifically do?
I am trying to validate a SAML token that was created by our WIF-based custom STS inside a REST web service.
There are a couple of functions to do validation. One is SecurityTokenHandlerCollection.ValidateToken() and another is SamlSecurityTokenAuthenticator.ValidateToken().
Unfortunately the online Microsoft MSDN help for these classes and functions is worthless and does not describe at all what it is these functions are doing.
What are these functions validating and how are they doing it? What are the differences between them? Are they automatically looking up the certificate in the Windows Certificate Store to check the signature of the token, and validating the encrypted credentials object? Because I don't pass a certificate name in anywhere. Or are there other manual operations I need to do myself to validate the token?
I realize one returns a ClaimsIdentityCollection and the other returns a collection of IAuthorizationPolicy objects. But is that the only difference? I can't tell.
I can find plenty of information out on the web about the STS and claims and even validating claims, which I am doing successfully, but I can hardly find any information on validating the token itself to make sure it is one I created.
In most cases you don't need to worry about the token validation details. All this is taken care for you by WIF.
But if you really want to know, the best source of information is Vittorio's book: http://www.amazon.com/Programming-Windows%C2%AE-Identity-Foundation-Dev/dp/0735627185
There are some details here: http://msdn.microsoft.com/en-us/library/ff359114.aspx
Another good way of learning is by looking at the extensions built to handle non-SAML tokens (e.g SWT). Download the samples here and look for the REST services.
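To make concrete what the handler-collection path actually checks, here is an added example (not from the question, the answer or the WIF SDK) that configures a SecurityTokenHandlerCollection for a REST service and validates an inbound SAML assertion with it. It targets the .NET 4.5 System.IdentityModel namespace into which WIF was folded (the WIF 3.5 SDK has the same types under Microsoft.IdentityModel.Tokens, where ValidateToken returns a ClaimsIdentityCollection instead of ReadOnlyCollection<ClaimsIdentity>); the thumbprint, issuer and audience values are placeholders to replace with your own.

```csharp
using System;
using System.Collections.ObjectModel;
using System.IdentityModel.Selectors;   // AudienceUriMode
using System.IdentityModel.Tokens;      // SecurityTokenHandlerCollection, ConfigurationBasedIssuerNameRegistry, ...
using System.IO;
using System.Security.Claims;
using System.Xml;

public static class SamlTokenValidator
{
    // Placeholders (not from the original post): the SHA-1 thumbprint of the STS signing
    // certificate and the audience URI your STS puts into tokens for this REST service.
    const string StsSigningThumbprint = "<STS-SIGNING-CERT-THUMBPRINT>";
    const string StsIssuerName        = "https://sts.example.test";
    const string RestServiceAudience  = "https://rest.example.test/api";

    static SecurityTokenHandlerCollection BuildHandlers()
    {
        var config = new SecurityTokenHandlerConfiguration();

        // Issuer trust: the handler resolves the certificate that signed the assertion and asks
        // this registry whether its thumbprint is trusted. Nothing is looked up in the Windows
        // certificate store by name; a token signed with any other key fails here. This check is
        // what establishes "the token is one my STS created".
        var registry = new ConfigurationBasedIssuerNameRegistry();
        registry.AddTrustedIssuer(StsSigningThumbprint, StsIssuerName);
        config.IssuerNameRegistry = registry;

        // Audience restriction: a token minted for another relying party is rejected, which stops
        // a valid token for some other service being replayed against this one.
        config.AudienceRestriction = new AudienceRestriction(AudienceUriMode.Always);
        config.AudienceRestriction.AllowedAudienceUris.Add(new Uri(RestServiceAudience));

        // Lifetime: NotBefore / NotOnOrAfter are enforced with this much tolerance.
        config.MaxClockSkew = TimeSpan.FromMinutes(2);

        // If the STS encrypts the assertion, config.ServiceTokenResolver must additionally hold
        // the service's decryption certificate (private key); signature checks alone cannot
        // open an EncryptedAssertion.
        return SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection(config);
    }

    // Returns the identities carried by the token; throws a SecurityTokenException-derived
    // exception (e.g. SecurityTokenValidationException, SecurityTokenExpiredException,
    // AudienceUriValidationFailedException) when any of the checks above fails.
    public static ReadOnlyCollection<ClaimsIdentity> Validate(string samlAssertionXml)
    {
        var handlers = BuildHandlers();
        using (var reader = XmlReader.Create(new StringReader(samlAssertionXml)))
        {
            SecurityToken token = handlers.ReadToken(reader);  // picks the SAML 1.1 or 2.0 handler
            return handlers.ValidateToken(token);              // signature + issuer + audience + lifetime
        }
    }
}
```

The SamlSecurityTokenAuthenticator path mentioned in the question runs the same assertion checks through the WCF-style authenticator and hands back IAuthorizationPolicy objects instead of identities, so for a REST service that only needs claims the handler collection is the simpler entry point.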