It's done using the X509 Certificate. SecurityTokenService (STS) "signs the SAML token" using a certificate which is trusted by other services too. So the trust is established using the common thing, i.e. the certificate, which the STS and the other services both trust!
While calling other web services, the SAML token issued by the STS is sent in the SOAP header. If the SAML token is signed by the certificate your other service trusts, then your service understands that the token was issued by the 'trusted' STS.
In Windows Identity Foundation, you can configure the signing certificate for STS.
In case of other web services, the trusted certificate can be configured in the Service Host using ServiceCredential class.
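One way to set up the relying service side described above, as an added example that is not code from the original answer. It targets .NET Framework WCF (references to System.ServiceModel and System.IdentityModel); the `IOrders`/`Orders` contract, the address, the `localhost` subject name and the thumbprint placeholder are assumptions to replace with your own values.

```csharp
using System;
using System.IdentityModel.Selectors;                 // AudienceUriMode
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;                   // X509CertificateValidationMode

[ServiceContract]
public interface IOrders { [OperationContract] string Ping(); }
public class Orders : IOrders { public string Ping() { return "ok"; } }

public static class Program
{
    // Placeholders (assumptions): substitute your own values.
    const string StsSigningThumbprint = "<STS-SIGNING-CERT-THUMBPRINT>";
    const string ServiceAddress = "http://localhost:8080/orders";

    // Load the STS's public signing certificate; fail closed if it is missing.
    static X509Certificate2 LoadStsCertificate()
    {
        var store = new X509Store(StoreName.TrustedPeople, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var hits = store.Certificates.Find(
                X509FindType.FindByThumbprint, StsSigningThumbprint, false);
            if (hits.Count != 1)
                throw new InvalidOperationException("STS signing certificate not found");
            return hits[0];
        }
        finally { store.Close(); }
    }

    public static void Main()
    {
        var host = new ServiceHost(typeof(Orders), new Uri(ServiceAddress));
        host.AddServiceEndpoint(typeof(IOrders), new WS2007FederationHttpBinding(), "");
        // The service's own certificate, required by the binding's message security.
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "localhost");

        var issued = host.Credentials.IssuedTokenAuthentication;
        issued.KnownCertificates.Add(LoadStsCertificate());    // trusted issuer certificate
        issued.CertificateValidationMode = X509CertificateValidationMode.PeerTrust;
        issued.TrustedStoreLocation = StoreLocation.LocalMachine;
        issued.AllowUntrustedRsaIssuers = false;                // no tokens signed by bare RSA keys
        issued.AudienceUriMode = AudienceUriMode.Always;        // token must be addressed to us
        issued.AllowedAudienceUris.Add(ServiceAddress);
        host.Open();
        Console.ReadLine();
        host.Close();
    }
}
```

With `PeerTrust`, the STS signing certificate has to be present in the TrustedPeople store at the configured location; only the public certificate is needed there, since the private key stays with the STS.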