A machine user can be used in a CI/CD pipeline using generated OAuth/SAML tokens. I have the following questions:
Please confirm whether OAuth/SAML tokens will be authenticated and validated at Apigee Edge (SP) or with an external identity provider?
Yes - the machine user will authenticate against Apigee's token endpoint, for which you will get a token. When you use that token to call the Mgmt API, Apigee will verify it against Apigee's token store (auth server).
Can we validate that machine users authenticate against Enterprise Active Directory using Ping Fed for Apigee deployment (claim)? If not, then in the documentation I had seen we need to configure SAML Login/Authenticate URLs.
Machine user is created in Apigee's user store (always) but completely managed by you using the zoneadmin role. If you would like to use a generic user from Ping then you can generate the token outside and then pass that token to your pipeline to deploy the code. Just like how you would do for a human user.
How are the acurl and get_token utilities different from SAML authentication, or are they all internally using the same OAuth2/SAML?
Yes - they are. They hit the OAuth endpoint of Apigee and then generate a token. For a human user, you will need to log in to get a passcode (in your browser) and then pass that to the utility to generate a token.
What would be the generated token expiry time?
I believe it's 12 hours for the access token and 30 days for the refresh token. You can generate the token and then decode the JWT (using jwt.io) to see the iat and exp in the access token and refresh token JWT payload.
What would be the expiry time of the machine user password?
I believe it's the same as for a human user.
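The iat/exp check mentioned in the answer above can also be done locally, so the token never leaves the pipeline host. This is an added example, not part of the original thread: it reads the claims without verifying the signature, and the sample token (12-hour lifetime, `machine@example.com`) is constructed for illustration, not taken from Apigee.

```python
import base64
import json
import time


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_times(token: str, now=None) -> dict:
    """Return iat, exp, lifetime and remaining seconds from a JWT payload.

    The signature is NOT verified: this only inspects the claims.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    try:
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise ValueError("payload is not base64url-encoded JSON") from exc
    if not isinstance(claims, dict) or "iat" not in claims or "exp" not in claims:
        raise ValueError("payload has no iat/exp claims")
    iat, exp = int(claims["iat"]), int(claims["exp"])
    now = int(time.time()) if now is None else int(now)
    return {
        "iat": iat,
        "exp": exp,
        "lifetime_s": exp - iat,
        "remaining_s": max(0, exp - now),
        "expired": now >= exp,
    }


def make_sample_token(iat: int, lifetime_s: int) -> str:
    # Constructed, unsigned sample so the example runs offline.
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "none", "typ": "JWT"}
    payload = {"iat": iat, "exp": iat + lifetime_s, "user_name": "machine@example.com"}
    return f"{enc(header)}.{enc(payload)}.constructed-signature"


if __name__ == "__main__":
    sample = make_sample_token(iat=1700000000, lifetime_s=12 * 3600)
    print(jwt_times(sample, now=1700000000 + 3600))
```

In a pipeline, `remaining_s` can gate a deploy step so that a token close to expiry is refreshed before the management API call rather than failing mid-deployment.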