...
Shibboleth can automatically establish a session whenever a particular URL (or URL pattern) is accessed. This means that any user accessing that resource must be able to authenticate at an IdP trusted by the SP. To always require that a session exist, a ShibRequireSession on ShibRequestSetting requireSession 1 Apache directive is added either to the web server's configuration, or the requireSession property is added to the SP's <RequestMap>.
Applications can also request that a session be created on demand by redirecting a user to a local URL bound to a <SessionInitiator>. This lazy session initiation should be used carefully to avoid unintended access being granted. SWITCH maintains a demonstration site with excellent examples and instructions for use of lazy sessions.
For additional details, refer to the topic on protecting content.
Use of Shibboleth Authentication & Attributes
...