The timeout of the SAML assertion is managed by the IdP.
I know I've worked with your app before, but can you confirm:
- is the SAML2 challenge always presented at the start? Even if there would be a valid session in the cookie jar?
- do you *ever* see this behavior at the start of the app?