Tokens passed in OnBehalfOf element are not validated. It's the responsibility of the TokenProvider implementation to validate that.
A proposal has been discussed here:
OnBehalfOf token validation is moved to the TokenIssueOperation and the ReceivedToken is enhanced with the following attributes:
- was it a token of ws-security header (like ReceivedToken), onbehalfof, actas
- successfully validated (it could be a token which depends on other constraints to be fully accepted)
- original DOM element
- transformed DOM element (used if the token is passed by ref, also supported by SAML spec)
- principal (mostly, you only need the principal to issue a new token)