...
Shibboleth can automatically establish a session whenever a particular URL (or URL pattern) is accessed. This means that any user accessing that resource must be able to authenticate at an IdP trusted by the SP. To require that a session exist, the Apache command "ShibRequestSetting requireSession 1" is added either to the web server's configuration, or the requireSession property is added to the SP's <RequestMap>.
Applications can also request that a session be created on demand by redirecting a user to a local URL bound to a <SessionInitiator> (more typically this is handled via the path "/Shibboleth.sso/Login"). This lazy session initiation should be used carefully to avoid unintended access being granted. SWITCH maintains a demonstration site with excellent examples and instructions for use of lazy sessions.
...