
The IdP session stores each AuthenticationResult keyed on the ID of the login flow that handles the authentication process. The consequence of this design is that a subsequent invocation of the same login flow, for example in response to a forced authentication request, would overwrite a previous result of the same flow. Results stored in the IdP session are themselves subject to expiration by a sliding window up to an absolute limit. If an SP makes a request to the IdP and there is no active authentication result that satisfies the security demands of the SP, the user is forced to reauthenticate.

(A deeper dive into the internals of this design can be found in the Sessions topic.)

Address Binding

IdP sessions are by default bound to an "address" in order to prevent trivial session takeover simply through session cookie exposure. This can be disabled via the idp.session.consistentAddress property or relaxed in various ways through the idp.session.consistentAddressCondition extension point. It is deeply ill-advised to simply disable this checking entirely, and it is deeply unsafe to operate networks that hide a plethora of clients behind a single address.
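As an added illustration (not Shibboleth code), the following Python model captures the session design described in the two paragraphs above: results keyed on the login flow ID so a repeat of the same flow overwrites the earlier result, a sliding idle window under an absolute lifetime, and the address binding with an optional relaxation hook. The subnet condition and the addresses used are constructed assumptions, not the IdP's own implementation.

```python
from dataclasses import dataclass, field
import ipaddress


@dataclass
class AuthenticationResult:
    flow_id: str
    principal: str
    created: float      # when the flow produced the result (absolute limit runs from here)
    last_used: float    # last time the result satisfied a request (sliding window)


@dataclass
class IdPSession:
    address: str                              # client address the session was bound to
    results: dict = field(default_factory=dict)   # keyed on login flow ID


class SessionManager:
    def __init__(self, timeout, lifetime, consistent_address=True, address_condition=None):
        self.timeout = timeout            # sliding window: idle seconds before a result expires
        self.lifetime = lifetime          # absolute limit on a result's age, regardless of use
        self.consistent_address = consistent_address
        # Hook modelling the "condition" extension point: strict equality unless relaxed.
        self.address_condition = address_condition or (lambda bound, seen: bound == seen)

    def store_result(self, session, flow_id, principal, now):
        # Keyed on the flow ID: a forced reauthentication through the same flow overwrites it.
        session.results[flow_id] = AuthenticationResult(flow_id, principal, now, now)

    def active_result(self, session, flow_id, client_address, now):
        """Return a usable result, or None when the user must reauthenticate."""
        if self.consistent_address and not self.address_condition(session.address, client_address):
            return None   # cookie presented from an unexpected address: do not honour it
        res = session.results.get(flow_id)
        if res is None:
            return None
        if now - res.created > self.lifetime or now - res.last_used > self.timeout:
            del session.results[flow_id]   # expired by absolute limit or idle window
            return None
        res.last_used = now   # activity slides the window forward (never past the absolute limit)
        return res


def same_subnet(prefix_len):
    """Constructed relaxation: accept any address inside the bound address's /prefix_len."""
    def condition(bound, seen):
        net = ipaddress.ip_network(f"{bound}/{prefix_len}", strict=False)
        return ipaddress.ip_address(seen) in net
    return condition
```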
