I have a web application which uses an identity provider for authentication in accordance with SAML 2.0 protocol.
Does this web application (service provider) have to validate a security token (provided by IdP when an user log in the web application) for each web server request.
In my opinion, there is no need to validate security token for each server request. The SAML protocol requires token validation only for necessary cases (authentication, authorization).
Am I right or I have implement token validation for each web server request?