Dear Duy,
Basically, in order to ensure that SAML-enabled systems are only passing information between trusted sources, you must create a trust relationship between the applications that are sending and receiving information. Instead of a host of one-to-one trust relationships between a client and the systems in your landscape, SAML 2.0 enables you to create a star-based trust relationship, with an identity provider at its center. All service providers trust the identity provider and rely on the identity provider to authenticate users before providing access to a resource. There is no requirement for user IDs (and passwords) to be identical between the identity provider and any service providers.
More information: SAML 2.0 - http://help.sap.com/saphelp_nw70ehp2/helpdata/en/17/6d45fc91e84ef1bf0152f2b947dc35/content.htm
Trusting a Security Token Service - http://help.sap.com/saphelp_nw70ehp2/helpdata/en/e0/efe61f938e4ab19471c64b1a2268e4/content.htm
Regards,
Adrian
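
The service-provider side of the star-based trust described in the reply above, as an added Python example that is not part of the reply and not SAP code. It assumes the assertion's XML signature has already been verified against the identity provider's certificate by a SAML library; the entity IDs, user names and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed service-provider configuration (all values hypothetical).
TRUSTED_IDP = "https://idp.example.com"    # the one issuer this SP trusts (hub of the star)
SP_ENTITY_ID = "https://sp1.example.com"   # this SP's own entity ID
# IdP NameID -> local user ID; the two do not have to be identical.
USER_MAP = {"alice@example.com": "ASMITH01"}

# Constructed assertion template; signature elements are left out because
# signature verification is assumed to have happened before this code runs.
TEMPLATE = (
    '<saml:Assertion xmlns:saml="' + SAML_NS + '" ID="_a1" Version="2.0">'
    "<saml:Issuer>{issuer}</saml:Issuer>"
    "<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
    "<saml:Conditions><saml:AudienceRestriction>"
    "<saml:Audience>{audience}</saml:Audience>"
    "</saml:AudienceRestriction></saml:Conditions>"
    "</saml:Assertion>"
)

def build_sample(issuer, name_id, audience):
    """Return a constructed assertion for the checks below."""
    return TEMPLATE.format(issuer=issuer, name_id=name_id, audience=audience)

def local_user_for(assertion_xml):
    """Map an already signature-verified assertion to a local user ID.

    Raises ValueError when the assertion is outside the trust relationship.
    """
    root = ET.fromstring(assertion_xml)
    if root.tag != "{" + SAML_NS + "}Assertion":
        raise ValueError("not a SAML 2.0 assertion")
    # Only the configured identity provider may vouch for users.
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != TRUSTED_IDP:
        raise ValueError("untrusted issuer: " + issuer)
    # The assertion must be addressed to this SP, not to another spoke.
    path = "saml:Conditions/saml:AudienceRestriction/saml:Audience"
    audiences = [a.text.strip() for a in root.findall(path, NS) if a.text]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion not intended for this service provider")
    # Translate the IdP's name for the user into the local account.
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if name_id not in USER_MAP:
        raise ValueError("no local account mapped for " + name_id)
    return USER_MAP[name_id]
```
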