The usual practice when using such intermediary SP for SSO to (typically a legacy) application is to:
- process and validate the SAML Authentication Response and the Assertion at the SP
- SP then encodes a cookie on a common domain or a token provided as a request parameter/HTTP header
- cookie/token is typically constructed using a symmetric cryptography with a shared secret and e.g. HMAC
- SP redirects user to the application which verifies the provided cookie or token and grants access
I don't think you're missing anything. Perhaps your provider just confused things and gave you wrong information. It makes sense to include the SAML token itself in the response from SP to your application (e.g. for audit purposes), but it makes no sense to expect your application to understand or validate the SAML message once it's been done already by the intermediary SP.