
ADFS 3.0 relying party token signing certificate


Using VS2017 I created a new MVC application. Authentication was set to work/school accounts using on-prem ADFS server. The VS wizard asked for ADFS metadata and relying party's URL information, which I entered. On the ADFS side I configured a WS-Federation trust. The application is authenticating/working just fine.

Referencing this blog... Mega Takeaway: What this also means is that every SaaS application must have a copy of the public portion of your ADFS token signing certificate.

...my question is how is the relying party able to verify the digital signature of the SAML token when it has no information about the token signing certificate? Or does it? How?


Solution

  • The ADFS metadata contains all the public keys.

    The built-in code extracts the metadata and gets the information from there.
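To make the answer concrete, here is an added example (not code from the question, the answer, or any Microsoft library) of the key-resolution step the WS-Federation middleware performs behind the `MetadataAddress` setting the VS wizard wrote into the project: fetch the federation metadata, take every certificate the identity provider publishes with `use="signing"`, and accept a token only if the key it was signed with is one of those. The metadata document, the entity ID and the certificate blobs below are constructed (the blobs are plain byte strings, not real X.509 certificates), so the script runs offline; in a real deployment the document comes from `https://<adfs-host>/FederationMetadata/2007-06/FederationMetadata.xml` over TLS, which is what anchors the relying party's trust in those keys. ADFS publishes both the primary and the secondary token-signing certificate so that the relying party keeps working across an automatic certificate rollover, and it repeats the primary one in more than one role descriptor, which is why the extractor de-duplicates.

```python
"""Extract ADFS token-signing certificates from WS-Federation metadata.

Added example; the metadata below is constructed and the certificate
blobs are NOT real X.509 certificates, just labelled byte strings.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Set

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
FED_NS = "http://docs.oasis-open.org/wsfed/federation/200706"

# Constructed stand-ins for DER-encoded certificates (not real certificates).
PRIMARY_DER = b"constructed-primary-token-signing-cert"
SECONDARY_DER = b"constructed-secondary-token-signing-cert"
ENCRYPTION_DER = b"constructed-token-encryption-cert"


def _b64(der: bytes) -> str:
    return base64.b64encode(der).decode("ascii")


# Constructed, trimmed-down FederationMetadata.xml. Real ADFS metadata also
# carries endpoint definitions and an XML-DSig Signature over the whole
# document; only the key material is modelled here. Note the primary
# signing certificate appears twice, as it does in real ADFS metadata.
SAMPLE_METADATA = f"""
<EntityDescriptor xmlns="{MD_NS}" entityID="http://adfs.example.test/adfs/services/trust">
  <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xmlns:fed="{FED_NS}" xsi:type="fed:SecurityTokenServiceType"
                  protocolSupportEnumeration="{FED_NS}">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS_NS}"><X509Data><X509Certificate>{_b64(PRIMARY_DER)}</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
  </RoleDescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="{DS_NS}"><X509Data><X509Certificate>{_b64(ENCRYPTION_DER)}</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS_NS}"><X509Data><X509Certificate>{_b64(PRIMARY_DER)}</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS_NS}"><X509Data><X509Certificate>{_b64(SECONDARY_DER)}</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def thumbprint_of(der: bytes) -> str:
    """SHA-1 over the DER bytes, upper-case hex: the thumbprint ADFS displays."""
    return hashlib.sha1(der).hexdigest().upper()


@dataclass(frozen=True)
class SigningCert:
    der: bytes
    thumbprint: str


def extract_signing_certs(metadata_xml: str) -> List[SigningCert]:
    """Return every certificate the IdP publishes for token signing.

    KeyDescriptor elements with use="encryption" are skipped; one with no
    `use` attribute may serve either purpose per SAML metadata, so it is kept.
    Duplicates are collapsed because ADFS repeats the primary signing key.
    """
    root = ET.fromstring(metadata_xml)  # prefer defusedxml for untrusted input
    seen: Set[bytes] = set()
    certs: List[SigningCert] = []
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        if kd.get("use") == "encryption":
            continue
        for x509 in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            # Base64 in metadata may be line-wrapped; strip all whitespace.
            der = base64.b64decode("".join((x509.text or "").split()))
            if der in seen:
                continue
            seen.add(der)
            certs.append(SigningCert(der, thumbprint_of(der)))
    return certs


def is_trusted_signing_key(thumbprint: str, trusted: List[SigningCert]) -> bool:
    """Key-resolution step of token validation: the certificate a token's
    KeyInfo refers to must be one the IdP published for signing. The
    cryptographic signature check itself is then done by the WS-Fed/SAML
    library with that resolved key."""
    norm = thumbprint.replace(":", "").replace(" ", "").upper()
    return any(c.thumbprint == norm for c in trusted)


if __name__ == "__main__":
    certs = extract_signing_certs(SAMPLE_METADATA)
    for c in certs:
        print("token-signing thumbprint:", c.thumbprint)
    # The encryption certificate is published too, but must never be
    # accepted as a signing key.
    print("encryption cert accepted for signing?",
          is_trusted_signing_key(thumbprint_of(ENCRYPTION_DER), certs))
```

The relying party therefore never needs the certificate handed to it out of band: the public half is whatever the metadata says it is, and the things worth checking operationally are that the metadata is only ever fetched over a validated TLS connection, that its own XML signature is verified, and that the application refreshes it often enough to pick up a token-signing certificate rollover before tokens signed with the new key start arriving.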