...
To impose active session requirements, you attach the requireSession content setting to the resource. Mechanisms for doing this include native configuration approaches (Apache, ) and a generic configuration mechanism used with IIS or FastCGI.
...
When using passive protection, you do NOT apply the requireSession content setting to the resource, but merely ensure that the SP software is active for the request (or often simply for the entire virtual host). For details, refer to the appropriate web server configuration topic (Apache, IIS, FastCGI).
To determine whether a session exists with your application, you can check for the presence of one of the "fixed" CGI variables or headers, such as "Shib-Identity-Provider"/"HTTP_SHIB_IDENTITY_PROVIDER".
...