Versions Compared

Comment: update links to IDP3 and SP3

...

  • Sessions at the identity provider are used to provide single sign-on, removing the need for additional authentication. An IdP can also cache information for speed and track sessions at service providers for logout.
  • Sessions at the discovery service can automate IdP selection, removing the need for additional user interaction.
  • Sessions at the service provider persist a login across individual HTTP requests from a single client. They can be maintained at a coarse or fine granularity, with individual sessions for each application.
  • Each application can (and usually does) maintain distinct sessions with the browser.

...

A session established by the application may persist well beyond the Shibboleth session. Unless the application is enhanced, logging out of the application often will not terminate the Shibboleth session that was initiated to access the resource. Unless the application is configured and designed to do so, the converse is true as well: logging out of Shibboleth will not remove application sessions. Session durations should be coordinated when possible, since their expiration affects the user experience and can cause confusion. This should be weighed against the risk of impersonation, malicious or otherwise, which is usually due to user negligence.
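
One way to enhance an application so that its own session cannot outlive the Shibboleth session, as an added example that is not part of the original page or of the Shibboleth code. It assumes the SP protects every request and exports `Shib-Session-ID` and `REMOTE_USER` to the application; `AppSession`, `MAX_APP_SESSION_AGE` and the function names are hypothetical.

```python
from dataclasses import dataclass

# Assumption: chosen to match the lifetime configured for the SP session (seconds).
MAX_APP_SESSION_AGE = 8 * 3600


@dataclass
class AppSession:
    user: str
    shib_session_id: str  # SP session under which this app session was created
    created_at: float


def start_app_session(environ, now):
    """Create an application session only when an SP session is present."""
    sid = environ.get("Shib-Session-ID")
    user = environ.get("REMOTE_USER")
    if not sid or not user:
        return None
    return AppSession(user=user, shib_session_id=sid, created_at=now)


def check_app_session(session, environ, now):
    """Return (ok, reason). The app session is valid only while the SP
    session it was bound to is still the one presented with the request."""
    sid = environ.get("Shib-Session-ID")
    if not sid:
        # Shibboleth logout or expiry: the SP no longer exports a session.
        return False, "no-sp-session"
    if sid != session.shib_session_id:
        # A new login happened (possibly a different user on a shared
        # machine), so the old app session must not be reused.
        return False, "sp-session-changed"
    if now - session.created_at > MAX_APP_SESSION_AGE:
        return False, "app-session-too-old"
    return True, "ok"


def demo():
    """Run constructed requests through the checks (sample values only)."""
    t0 = 1_000_000.0
    login = {"Shib-Session-ID": "_constructed-aaa", "REMOTE_USER": "alice@example.org"}
    s = start_app_session(login, t0)
    return [
        check_app_session(s, login, t0 + 60),
        check_app_session(s, {}, t0 + 120),
        check_app_session(s, {"Shib-Session-ID": "_constructed-bbb"}, t0 + 180),
        check_app_session(s, login, t0 + MAX_APP_SESSION_AGE + 1),
    ]
```

When a check fails, the application should destroy its own session state and send the user back through the SP rather than continue with the cached identity.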