Programming Windows® Identity Foundation (Dev - Pro)
I would argue you shouldn't care :-), but we are curious, aren't we? And there's value in knowing how things actually work.
The validation happens on the app with no contact with the STS (e.g. ADFS), that's because in general, the token is digitally signed (and optionally encrypted) and WIF has all the information and means to check the integrity of it.
A great source of WIF internals can be found in Vittorio's book:
There's a lot of information on how all the modules interact and work.
Well, it could be that one of passive single sign-on protocols could be your choice. You can choose between the WS-Federation, SAML protocol or Shibboleth but the first one, WS-Federation is easily supported on .NET with the Windows Indentity Foundation subsystem.
The way WS-Federation works is that it you externalize the authentication/authorization to a separate web application (so called Security Token Service). Each of federated client applications (so called Relying Parties) rely on the information provided by the service.
The basic control flows is like this:
WIF gives you tools to build both STSes and RPs easily and integration of legacy application is also simple - you can either make an effort to handle the protocol at the legacy application level or provide a "brige", a .NET application using WIF which relies on STS and passes the auth information to the legacy application.
What is also great is that with WIF you still stick with old, good notions like Forms Authentication and Membership Providers - it could be a preferred choice of STS implementation.
The WS-Federation protocol itself not only provides the single sign-on but also lets you easily handle single sign off (which is not supported by some other protocols like openid).
Read more on the topic in this book:
Programming Windows Identity Foundation
If you want Windows Live or Google logins, you need to look at integrating WIF with Azure ACS.
Refer Access Control Service Samples and Documentation.
Also see the how-to's etc. in the TechNet Wiki Windows Identity Foundation (WIF) and Azure AppFabric Access Control Service (ACS) Content Map and Windows Identity Foundation (WIF) Content Map.