Comment: Fix minor wiki markup bugs

...

Thus the IdP session tracks all authentication events that occur during the lifetime of the session. When the idp.session.trackSPSessions flag is enabled, the IdP session also tracks successful requests to access SPs; this facility is required to support single logout. The IdP session stores authentication results keyed on the ID of the authentication flow that drives the authentication process. The consequence of this design is that a subsequent invocation of the same authentication flow, for example in response to a forced authentication request, would overwrite a previous result of the same flow. Authentication results stored in the IdP session are themselves subject to expiration by a sliding window up to an absolute limit. If an SP makes a request to the IdP and there is no active authentication result that satisfies the security demands of the SP, the user is forced to reauthenticate.

...

In some cases it may be permissible to allow some authentication methods to have longer lifetimes than others; for example, an authentication result produced by a hardware token may be valid for a day whereas that of a password credential is valid for an hour. These policies are accommodated by defining a conservative idp.authn.defaultLifetime and more liberal periods for specific authentication methods. A hypothetical security policy follows with the configuration required to implement it.
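The two paragraphs above describe four rules: results are keyed on flow ID (so a rerun overwrites), each result expires by a sliding inactivity window capped by an absolute lifetime, SP accesses are remembered only when idp.session.trackSPSessions is on, and an SP request forces reauthentication when nothing active satisfies it. The following Python model is an added illustration of those rules, not Shibboleth IdP code. The flow IDs, the one-hour/one-day numbers, the 30-minute inactivity window (the IdP's own counterpart is the idp.authn.defaultTimeout property) and the timestamps are constructed for the example.

```python
"""Model of the IdP session semantics described above (added example, not Shibboleth code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, Optional, Set

# Conservative defaults, as the page recommends for idp.authn.defaultLifetime.
# The per-flow overrides implement the example policy (token: a day, password: an hour).
# Flow IDs and durations are constructed for this example.
DEFAULT_LIFETIME = timedelta(hours=1)
DEFAULT_INACTIVITY_TIMEOUT = timedelta(minutes=30)
FLOW_LIFETIMES: Dict[str, timedelta] = {
    "authn/HardwareToken": timedelta(days=1),   # hypothetical flow ID
    "authn/Password": timedelta(hours=1),
}


@dataclass
class AuthenticationResult:
    """One successful run of an authentication flow."""
    flow_id: str
    authn_instant: datetime
    last_activity: datetime
    lifetime: timedelta
    inactivity_timeout: timedelta

    def is_active(self, now: datetime) -> bool:
        # Sliding window: each use extends validity, but never past the absolute limit.
        within_window = now < self.last_activity + self.inactivity_timeout
        within_lifetime = now < self.authn_instant + self.lifetime
        return within_window and within_lifetime


@dataclass
class IdPSession:
    principal: str
    track_sp_sessions: bool = False          # models idp.session.trackSPSessions
    results: Dict[str, AuthenticationResult] = field(default_factory=dict)
    sp_sessions: Set[str] = field(default_factory=set)

    def record_result(self, flow_id: str, now: datetime) -> AuthenticationResult:
        """Store a result keyed on flow ID; rerunning the same flow overwrites it."""
        result = AuthenticationResult(
            flow_id=flow_id, authn_instant=now, last_activity=now,
            lifetime=FLOW_LIFETIMES.get(flow_id, DEFAULT_LIFETIME),
            inactivity_timeout=DEFAULT_INACTIVITY_TIMEOUT)
        self.results[flow_id] = result
        return result

    def record_sp_access(self, sp_entity_id: str) -> None:
        """Remember accessed SPs only when tracking is enabled (needed for single logout)."""
        if self.track_sp_sessions:
            self.sp_sessions.add(sp_entity_id)

    def active_result_for(self, acceptable_flows: Iterable[str],
                          now: datetime) -> Optional[AuthenticationResult]:
        """Return a still-active result the SP accepts, sliding its inactivity window."""
        for flow_id in acceptable_flows:
            result = self.results.get(flow_id)
            if result is not None and result.is_active(now):
                result.last_activity = now
                return result
        return None


def needs_reauthentication(session: IdPSession, acceptable_flows: Iterable[str],
                           now: datetime, forced: bool = False) -> bool:
    """Reauthenticate when the SP demands it or no active result satisfies it."""
    return forced or session.active_result_for(acceptable_flows, now) is None


def scenario() -> dict:
    """Walk the example policy through time and collect the decisions."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    s = IdPSession("alice", track_sp_sessions=True)
    s.record_result("authn/Password", t0)
    s.record_result("authn/HardwareToken", t0)
    s.record_sp_access("https://sp.example.org/shibboleth")  # constructed entityID
    out = {}
    pw, hw = ["authn/Password"], ["authn/HardwareToken"]
    out["password_at_25m"] = needs_reauthentication(s, pw, t0 + timedelta(minutes=25))  # window slides
    out["password_at_50m"] = needs_reauthentication(s, pw, t0 + timedelta(minutes=50))  # still inside window
    out["password_at_70m"] = needs_reauthentication(s, pw, t0 + timedelta(minutes=70))  # absolute hour exceeded
    # Keep the token result alive with a request every 20 minutes for 23 hours.
    for m in range(20, 23 * 60 + 1, 20):
        needs_reauthentication(s, hw, t0 + timedelta(minutes=m))
    out["token_at_23h"] = needs_reauthentication(s, hw, t0 + timedelta(hours=23))
    out["token_at_25h"] = needs_reauthentication(s, hw, t0 + timedelta(hours=25))  # day exceeded
    # A fresh password result that is then left idle times out before its lifetime ends.
    t1 = t0 + timedelta(hours=2)
    s.record_result("authn/Password", t1)   # overwrites the earlier password result
    out["password_idle_45m"] = needs_reauthentication(s, pw, t1 + timedelta(minutes=45))
    out["result_count"] = len(s.results)    # one entry per flow, never two for the same flow
    out["tracked_sps"] = len(s.sp_sessions)
    return out


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

Note that the sliding window applies to every flow regardless of its lifetime: the long-lived token result is only useful while the user keeps making requests, and the overwrite-on-rerun rule means a forced reauthentication replaces, rather than adds to, the stored result for that flow.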

...