The SAML Profiles specification for the Web Browser SSO Profile, line 477ff. says:
The ForceAuthn attribute, if present with a value of true, obligates the identity provider to freshly establish this identity, rather than relying on an existing session it may have with the principal.
But how the identity provider handles "existing sessions" (when it starts or ends one) is not said. More generally, line 391f. says:
It is assumed that the user is using a standard commercial browser and can authenticate to the identity provider by some means outside the scope of SAML.
An indication that such a session might end at all is given by the SessionNotOnOrAfter attribute in the SAML Core specification, line 1061ff.
Specifies a time instant at which the session between the principal identified by the subject and the SAML authority issuing this statement MUST be considered ended.
But that does not cover the question whether a session might end after an unsuccessful re-authentication attempt, for example.
Am I right to assume that the SAML specification leaves it up to the identity provider how (or even whether) to keep sessions and issue session cookies to the web browser? Would it even be spec-compliant if an identity provider forced a user to type their password during every logon flow?
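To make the two spec-defined inputs quoted in the question concrete, here is an added illustration (not code from the question or from any real identity provider) of how an IdP might combine ForceAuthn from the SP's AuthnRequest with SessionNotOnOrAfter from the assertion it issued at the last login when deciding whether to reuse an existing session. The XML snippets, the IDs, the principal name and the reuse policy in must_reauthenticate are all constructed assumptions; as the question notes, the specification leaves whether and how an IdP keeps a session to the IdP itself, so only the two rules the quoted text actually states (ForceAuthn="true" forces fresh authentication; a session MUST be considered ended at or after SessionNotOnOrAfter) are modelled here.

```python
"""Constructed example: an IdP-side decision combining ForceAuthn and
SessionNotOnOrAfter. Not taken from any real identity provider."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed, minimal AuthnRequest from an SP that sets ForceAuthn="true".
AUTHN_REQUEST_FORCE = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_constructed-req-1" '
    'Version="2.0" IssueInstant="2024-01-01T10:00:00Z" ForceAuthn="true"/>'
)
# The same request without the attribute (absent means false).
AUTHN_REQUEST_PLAIN = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_constructed-req-2" '
    'Version="2.0" IssueInstant="2024-01-01T10:00:00Z"/>'
)
# Constructed assertion as the IdP issued it at the previous login, carrying
# an AuthnStatement with a SessionNotOnOrAfter bound.
ASSERTION = (
    f'<saml:Assertion xmlns:saml="{SAML}" ID="_constructed-assertion-1" '
    'Version="2.0" IssueInstant="2024-01-01T09:00:00Z">'
    '<saml:AuthnStatement AuthnInstant="2024-01-01T09:00:00Z" '
    'SessionIndex="_constructed-sess-1" '
    'SessionNotOnOrAfter="2024-01-01T17:00:00Z"/>'
    '</saml:Assertion>'
)


def parse_xml_datetime(value: str) -> datetime:
    """SAML xsd:dateTime values are UTC with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def force_authn_requested(authn_request_xml: str) -> bool:
    """True if the SP's AuthnRequest carries ForceAuthn set to true."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    # xsd:boolean accepts true/false/1/0; a missing attribute means false.
    return root.get("ForceAuthn", "false").strip() in ("true", "1")


@dataclass
class IdpSession:
    """The IdP's own record of a session it previously established (assumed shape)."""
    principal: str
    session_index: str
    not_on_or_after: Optional[datetime]


def session_from_assertion(assertion_xml: str, principal: str) -> IdpSession:
    """Rebuild the session record from the AuthnStatement the IdP issued earlier."""
    root = ET.fromstring(assertion_xml)
    stmt = root.find(f"{{{SAML}}}AuthnStatement")
    if stmt is None:
        raise ValueError("assertion has no AuthnStatement")
    bound = stmt.get("SessionNotOnOrAfter")
    return IdpSession(
        principal=principal,
        session_index=stmt.get("SessionIndex", ""),
        not_on_or_after=parse_xml_datetime(bound) if bound else None,
    )


def must_reauthenticate(session: Optional[IdpSession], force_authn: bool,
                        now: datetime) -> Tuple[bool, str]:
    """Assumed IdP policy built only from the two spec-defined rules."""
    if session is None:
        return True, "no existing IdP session"
    # SessionNotOnOrAfter: the session MUST be considered ended at or after it.
    if session.not_on_or_after is not None and now >= session.not_on_or_after:
        return True, "session ended by SessionNotOnOrAfter"
    # ForceAuthn=true: freshly establish identity, do not rely on the session.
    if force_authn:
        return True, "ForceAuthn=true: identity must be freshly established"
    return False, "existing session may be relied upon"


if __name__ == "__main__":
    sess = session_from_assertion(ASSERTION, "constructed-user")
    for req in (AUTHN_REQUEST_PLAIN, AUTHN_REQUEST_FORCE):
        now = parse_xml_datetime("2024-01-01T10:00:00Z")
        print(must_reauthenticate(sess, force_authn_requested(req), now))
```

Everything outside those two rules, such as whether a failed re-authentication attempt tears down the existing session, is IdP-specific behaviour and would have to be added to must_reauthenticate as local policy rather than derived from the specification.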