...

The IdP uses items called LoginHandlers to authenticate a user. Each LoginHandler is responsible for performing one or more types of authentication process. Some example processes would be validating a username/password against an LDAP directory, validating an X.509 certificate, or checking a one-time password. Each LoginHandler has an associated authentication method duration. The duration is an inactivity timeout for the authentication method: it is the amount of time, after initial authentication, during which this method may be used to single sign-on a user into a service. If the method is used within the active period, the inactivity timeout is reset. Once that amount of time passes, the user must authenticate again in order to use that particular authentication method.

User Session

The user session tracks information about the user (e.g. which authentication methods are currently active, to which services the user has authenticated, etc.). This information is used by the IdP to determine whether a user should be single signed-on to a service provider (if they have an active authentication method), to determine which services should receive logout requests (once the IdP has SLO support), and may be used within the attribute resolver and attribute filtering process. A session also has an inactivity timeout. This timeout is reset any time the user is authenticated to a service provider.

...

Now, the user goes to log in to SP 4, which requires X.509 authentication. The user is asked to re-authenticate because the authentication method duration (the inactivity timeout) for that LoginHandler has passed (it was only 15 mins). The user then goes to log in to SP 5, which requires UP authentication. The user is not prompted to re-authenticate because the authentication duration for this method has not passed. The inactivity clock on this method is also reset, so the method is good for another hour.

Now, assume that the UP login method has a 10 hour authentication duration. The user goes to SP 1 and uses UP authentication, then goes to bed and sleeps a nice 9 hours. After the user wakes up, he goes to SP 5, which requires UP authentication, and is asked to re-authenticate. In this case, it is not because the authentication method duration has passed but because the session was terminated due to inactivity, which terminated all authentication methods.
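The two scenarios above (a method's own inactivity timeout expiring, and the session's inactivity timeout terminating every method) as an added model, not code from the IdP itself. The 8 hour session timeout, the method names and the minute-based clock are assumptions for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class AuthMethod:
    """One LoginHandler's authentication method with its own inactivity timeout."""
    name: str
    duration: int      # authentication method duration (inactivity timeout), minutes
    last_used: int     # minutes since session start when the method was last used

@dataclass
class UserSession:
    """Tracks the active authentication methods; has its own inactivity timeout."""
    session_timeout: int            # minutes (assumed value, not given on the page)
    last_activity: int = 0
    methods: dict = field(default_factory=dict)

    def authenticate(self, method: str, duration: int, now: int) -> None:
        """User actively authenticates with a LoginHandler; counts as session activity."""
        self.methods[method] = AuthMethod(method, duration, now)
        self.last_activity = now

    def sso(self, method: str, now: int) -> bool:
        """True if the user can be single signed-on to an SP that requires `method`.
        Session inactivity terminates all methods first; otherwise the method's own
        inactivity timeout decides. A successful SSO resets both clocks."""
        if now - self.last_activity > self.session_timeout:
            self.methods.clear()          # session terminated: every method is gone
            return False
        m = self.methods.get(method)
        if m is None or now - m.last_used > m.duration:
            return False                  # method expired: re-authentication required
        m.last_used = now                 # use within the active period resets it
        self.last_activity = now          # authenticating to an SP resets the session
        return True

def scenario_method_timeout() -> tuple:
    """X.509 (15 min) and UP (1 h) both used at t=0; SP 4 and SP 5 visited at t=30."""
    s = UserSession(session_timeout=8 * 60)
    s.authenticate("x509", duration=15, now=0)
    s.authenticate("up", duration=60, now=0)
    sp4 = s.sso("x509", now=30)   # 15 min passed: re-authenticate
    sp5 = s.sso("up", now=30)     # within the hour: SSO, clock reset to t=30
    return sp4, sp5, s.methods["up"].last_used

def scenario_session_timeout() -> bool:
    """UP duration 10 h, but the user sleeps 9 h: the session expires first."""
    s = UserSession(session_timeout=8 * 60)
    s.authenticate("up", duration=10 * 60, now=0)
    return s.sso("up", now=9 * 60)  # method still valid, session is not
```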