...
If the IdP is configured for one or more of the methods requested by the SP, then that method may be used. If the Service Provider does not specify a particular method, and the user does not have an existing session, then the default method , identified on the relying party's configuration, is used. If no default is specifiedidentified there, the IdP chooses a method randomlywill choose one of the available methods; the way this choice is made is unspecified and you should not rely on it being the same from release to release.
If the user has an existing session, and that session indicates that there is an active authentication method that meets the SP's requirements, then the PreviousSession login handler is used if it is configured. This is what gives Shibboleth its SSO support. If the SP does not request a particular method in its request, note that the default method in the configuration is NOT consulted when determining whether to honor active methods. In this case, any active method can be used to satisfy the request.
...