How is Azure ACS authentication secured?

Frontend · unresolved · 1 · 973
野性不改 2021-01-03 08:51

Thanks to Gaurav Mantri for answering my earlier question Azure ACS Set Up in C#.

However, can someone explain to me how the following line is secured

1 answer
  • 2021-01-03 09:32

    You specify the key which will be used for message exchange.

    When you configure Azure ACS in the management portal, you specify the private key which will be used to sign tokens (Certificates and Keys tab).

    When you configure the web application to use Azure ACS, a reference to the certificate used to validate the signature is added to web.config:

    <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
      <authority name="https://xxxxx.accesscontrol.windows.net/">
        <keys>
          <add thumbprint="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" />
        </keys>
        <validIssuers>
          <add name="https://xxxxx.accesscontrol.windows.net/" />
        </validIssuers>
      </authority>
    </issuerNameRegistry>
    

    UPDATE: The certificate is passed to the web application by ACS along with the signed security token, in the X509Certificate element (I've removed namespaces):

    <RequestSecurityTokenResponse>
      <Lifetime>
        <Created>2013-06-19T06:15:16.618Z</Created>
        <Expires>2013-06-19T07:15:16.618Z</Expires>
      </Lifetime>
      <AppliesTo>
        <EndpointReference>
          <Address>http://xxx.cloudapp.net/</Address>
        </EndpointReference>
      </AppliesTo>
      <RequestedSecurityToken>
        <Assertion ID="xxx" IssueInstant="2013-06-19T06:15:16.636Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
          <Issuer>https://xxx.accesscontrol.windows.net/</Issuer>
          <Signature>
            <SignedInfo>
              <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
              <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
              <Reference URI="xxx">
                <Transforms>
                  <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                  <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                <DigestValue>xxx</DigestValue>
              </Reference>
            </SignedInfo>
            <SignatureValue>xxx</SignatureValue>
            <KeyInfo>
              <X509Data>
                <X509Certificate>xxx</X509Certificate>
              </X509Data>
            </KeyInfo>
          </Signature>
          <Subject>
            <NameID>iiiii</NameID>
            <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" />
          </Subject>
          <Conditions NotBefore="2013-06-19T06:15:16.618Z" NotOnOrAfter="2013-06-19T07:15:16.618Z">
            <AudienceRestriction><Audience>http://xxx.cloudapp.net/</Audience></AudienceRestriction>
          </Conditions>
          <AttributeStatement>
            <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><AttributeValue>aaa</AttributeValue></Attribute>
          </AttributeStatement>
          <AuthnStatement AuthnInstant="2013-06-19T06:15:15.999Z">
            <AuthnContext>
              <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
            </AuthnContext>
          </AuthnStatement>
        </Assertion>
      </RequestedSecurityToken>
    </RequestSecurityTokenResponse>
    

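The answer above shows the two halves of the mechanism but not what ties them together. The token carries its own X509Certificate, so anyone can build an assertion, sign it with a key they own and embed the matching certificate. What makes the exchange secure is the issuerNameRegistry in web.config: ValidatingIssuerNameRegistry only accepts the signature if the signing certificate's thumbprint is listed under <keys> and the assertion's <Issuer> is listed under that authority's <validIssuers>. The certificate inside the token is used for the signature arithmetic, never as the source of trust. The Python script below is an added example, not code from the answer or from Microsoft, that reproduces those checks together with the SAML audience and lifetime conditions over a constructed token shaped like the one above, then runs a forged, a replayed and an expired variant through them. The ACS namespace https://example.accesscontrol.windows.net/, the realm http://example.cloudapp.net/ and the certificate bytes are stand-ins; the XML-DSig signature itself is not verified here (WIF, or a library such as signxml, does that step), as the code comments state.

```python
# Added example, not code from the original answer.  Certificates and tokens are constructed
# stand-ins; the XML-DSig arithmetic itself is left to WIF or a library such as signxml.
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
DSIG = "{http://www.w3.org/2000/09/xmldsig#}"
ACS_CERT_DER = b"constructed stand-in for the ACS token-signing certificate (not real DER)"
ACS_ISSUER = "https://example.accesscontrol.windows.net/"  # assumed ACS namespace
MY_REALM = "http://example.cloudapp.net/"                  # assumed relying-party realm

def thumbprint(cert_der: bytes) -> str:
    """Thumbprint as the portal and web.config show it: SHA-1 of the DER bytes, upper-case hex."""
    return hashlib.sha1(cert_der).hexdigest().upper()

# Same shape as the <issuerNameRegistry> element the ACS tooling writes into web.config.
ISSUER_NAME_REGISTRY = f"""<issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
  <authority name="{ACS_ISSUER}">
    <keys><add thumbprint="{thumbprint(ACS_CERT_DER)}" /></keys>
    <validIssuers><add name="{ACS_ISSUER}" /></validIssuers>
  </authority>
</issuerNameRegistry>"""

def load_issuer_name_registry(config_xml: str) -> dict:
    """Map each pinned certificate thumbprint to the issuer names it is allowed to vouch for."""
    trusted = {}
    for authority in ET.fromstring(config_xml).iter("authority"):
        issuers = {add.get("name") for add in authority.findall("validIssuers/add")}
        for add in authority.findall("keys/add"):
            trusted[add.get("thumbprint").upper()] = issuers
    return trusted

class TokenRejected(Exception):
    """Raised when a token fails one of the trust checks."""

def _utc(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def validate_token(token_xml: str, registry: dict, realm: str, now: datetime,
                   skew: timedelta = timedelta(minutes=5)) -> dict:
    """Return the claims if every trust check passes, else raise TokenRejected."""
    assertion = ET.fromstring(token_xml).find(f".//{SAML}Assertion")
    if assertion is None:
        raise TokenRejected("no SAML assertion in the response")
    cert_b64 = assertion.findtext(f"{DSIG}Signature/{DSIG}KeyInfo/{DSIG}X509Data/{DSIG}X509Certificate")
    if not cert_b64:
        raise TokenRejected("assertion carries no X509Certificate to check against the pinned keys")
    # 1. Key pinning (what ValidatingIssuerNameRegistry does).  The certificate inside the token
    #    proves nothing on its own: it is trusted only if its thumbprint is in <keys> and <Issuer>
    #    is under that key's <validIssuers>.  An attacker-minted certificate stops here.
    tp, issuer = thumbprint(base64.b64decode(cert_b64)), assertion.findtext(f"{SAML}Issuer")
    if tp not in registry:
        raise TokenRejected(f"signing certificate {tp} is not a configured key")
    if issuer not in registry[tp]:
        raise TokenRejected(f"issuer {issuer!r} is not valid for key {tp}")
    # 2. Audience: a token ACS issued for a different relying party must not work here.
    cond = assertion.find(f"{SAML}Conditions")
    if cond is None or realm not in {a.text for a in cond.iter(f"{SAML}Audience")}:
        raise TokenRejected("audience mismatch")
    # 3. Validity window, allowing bounded clock skew.
    if not (_utc(cond.get("NotBefore")) - skew <= now < _utc(cond.get("NotOnOrAfter")) + skew):
        raise TokenRejected("token outside its validity window")
    claims = {a.get("Name"): a.findtext(f"{SAML}AttributeValue") for a in assertion.iter(f"{SAML}Attribute")}
    claims["NameID"] = assertion.findtext(f"{SAML}Subject/{SAML}NameID")
    return claims

def make_token(cert_der: bytes, issuer: str, audience: str, not_before: datetime) -> str:
    """Constructed RequestSecurityTokenResponse in the shape ACS returns; SignatureValue is a placeholder."""
    fmt = lambda d: d.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    nb, na = fmt(not_before), fmt(not_before + timedelta(hours=1))
    return f"""<RequestSecurityTokenResponse><RequestedSecurityToken>
  <Assertion ID="_1" IssueInstant="{nb}" Version="2.0" xmlns="{SAML[1:-1]}">
    <Issuer>{issuer}</Issuer>
    <Signature xmlns="{DSIG[1:-1]}"><SignedInfo /><SignatureValue>placeholder</SignatureValue>
      <KeyInfo><X509Data><X509Certificate>{base64.b64encode(cert_der).decode()}</X509Certificate></X509Data></KeyInfo></Signature>
    <Subject><NameID>iiiii</NameID></Subject>
    <Conditions NotBefore="{nb}" NotOnOrAfter="{na}"><AudienceRestriction><Audience>{audience}</Audience></AudienceRestriction></Conditions>
    <AttributeStatement><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><AttributeValue>aaa</AttributeValue></Attribute></AttributeStatement>
  </Assertion>
</RequestedSecurityToken></RequestSecurityTokenResponse>"""

def demo() -> dict:
    """Run a genuine token and three forged or misused variants through the checks."""
    registry = load_issuer_name_registry(ISSUER_NAME_REGISTRY)
    t0 = datetime(2013, 6, 19, 6, 15, 16, tzinfo=timezone.utc)
    cases = {
        "genuine": make_token(ACS_CERT_DER, ACS_ISSUER, MY_REALM, t0),
        "attacker-minted cert": make_token(b"constructed attacker certificate", ACS_ISSUER, MY_REALM, t0),
        "other relying party": make_token(ACS_CERT_DER, ACS_ISSUER, "http://other.cloudapp.net/", t0),
        "expired": make_token(ACS_CERT_DER, ACS_ISSUER, MY_REALM, t0 - timedelta(hours=3)),
    }
    def run(token):
        try:
            return "accepted: " + validate_token(token, registry, MY_REALM, t0 + timedelta(minutes=10))["NameID"]
        except TokenRejected as e:
            return f"rejected: {e}"
    return {label: run(token) for label, token in cases.items()}
```

Calling demo() returns a dict with one entry per case: the genuine token is accepted, the token carrying an attacker-minted certificate is rejected at the thumbprint check before anything about its signature is even examined, the token ACS issued for another relying party fails the audience check, and the stale token fails the lifetime check. One operational consequence of pinning the thumbprint this way is that when ACS rolls its signing certificate, the new thumbprint must be added to <keys> before the old certificate is retired, or every token will start failing at step 1.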