To impose active session requirements, you need to attach either the
requireSessionWith content settingssetting to the resource. Mechanisms for doing this include native configuration approaches (Apache, Sun/iPlanet) and a generic configuration mechanism used with IIS or FastCGI.
In the "passive", or lazy session mode, the same set of resources can be exposed to both authenticated and unauthenticated access at the same time. This is obviously incompatible with both static resources (which would be left exposed, making authentication moot) and static access control (which would deny unauthenticated access). Thus, it's useful for dynamic applications that typically want to offer a "guest" mode by default, or possibly support multiple forms of authentication, and initiate a user login via SAML only when desired or chosen by the user.
When using passive protection, you do NOT apply the
requireSession content settingssetting to the resource, but merely ensure that the SP software is active for the request (or often simply for the entire virtual host). For details, refer to the appropriate web server configuration topic (Apache, IIS, Sun/iPlanet, FastCGI).
If you want the user to login and begin a session, your application must issue an HTTP redirect to the location of a SessionInitiator handler using parameters described here. In a "modern" SP configuration, the location to redirect to is usually "/Shibboleth.sso/Login".