
Is it browser based or is it IdP based?

I am looking at their official document, but I could not find any details about session management. Is anyone aware of sessions in SAML?

Technical Document: https://www.oasis-open.org/committees/download.php/11511/sstc-saml-tech-overview-2.0-draft-03.pdf

Executive Document: http://www.oasis-open.org/committees/download.php/11785/sstc-saml-exec-overview-2.0-draft-06.pdf

Aravin

1 Answer

There is no "session management" in SAML, per se. Sessions are the responsibilities of the Identity Provider (IdP) and Service Provider (SP) individually. There are some key value pairs that can guide session creation on both sides (such as SessionNotOnOrAfter or NotOnOrAfter), but it's very rare to see them in use in that manner.

Most commonly, you will find an SP has a control available in their admin panel that allows the IdP's business unit using the SaaS provider to set something like an Idle Timeout and a Max Timeout based on their business requirements. On the IdP side, they'll manage it based on their own internal security requirements as well.

Andrew K.
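An added example, not part of the answer above: one way an SP could combine its own Idle Timeout and Max Timeout with the IdP's `SessionNotOnOrAfter` hint, if it chooses to honor it. The function names, timeout values and sample assertion are hypothetical, and the assertion's signature is assumed to have been verified by a SAML library beforehand.

```python
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical SP-side policy values (the "admin panel" settings).
IDLE_TIMEOUT = timedelta(minutes=30)
MAX_TIMEOUT = timedelta(hours=8)

# Constructed sample fragment. A real assertion is signed and must be
# verified before any of its fields are trusted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AuthnStatement AuthnInstant="2024-01-01T09:00:00Z"
                       SessionNotOnOrAfter="2024-01-01T13:00:00Z"
                       SessionIndex="_constructed-index"/>
</saml:Assertion>"""


def parse_saml_time(value):
    """Parse a SAML xs:dateTime value expressed in UTC (trailing 'Z')."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def session_not_on_or_after(assertion_xml):
    """Return the IdP's SessionNotOnOrAfter hint, or None if it is absent."""
    root = ET.fromstring(assertion_xml)
    stmt = root.find("saml:AuthnStatement", SAML_NS)
    raw = stmt.get("SessionNotOnOrAfter") if stmt is not None else None
    return parse_saml_time(raw) if raw else None


def session_deadline(created, last_seen, idp_limit):
    """Earliest of the idle timeout, the max timeout and the IdP hint."""
    limits = [last_seen + IDLE_TIMEOUT, created + MAX_TIMEOUT]
    if idp_limit is not None:
        limits.append(idp_limit)
    return min(limits)


def is_session_valid(now, created, last_seen, idp_limit):
    """NotOnOrAfter semantics: the session is already over at the instant itself."""
    return now < session_deadline(created, last_seen, idp_limit)
```

When the assertion carries no `SessionNotOnOrAfter`, only the SP's own two timeouts apply, which matches the common case the answer describes.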