Is the SAML request sent every time to the IdP whenever some authentication is required, or is it first checked against the session stored in the browser's cookies and automatically authenticated if the session is found?
To get access to a web application (SP) you generally need to present something to it to prove you are entitled to access it. Usually this entitlement is a username/password combination. Once the SP verifies your entitlement (compares username/password with db perhaps), it generates a session for you that is time limited according to the SP's policy.
When you access the SP using SAML, you have no username/password. In this case, your entitlement comes from your attributes which your IdP releases to the SP. Once the SP verifies your attributes it generates your session, which is exactly the same type of session you'd get from a username/password verification.
There are a number of ways the SP would ask the IdP for attributes again:
- SAML attributes have expired (they have a time to live). This might be the case in a high security SP where you may only have clearance for an hour perhaps. Your SAML attributes may only have a TTL of one hour. The SP would then ask for your attributes from your IdP to refresh your entitlement.
- If the SP's native session expires but your SAML attributes are still valid it may choose not to ask your IdP but to create a new session based on your current SAML attributes. It all depends on the security policy of the SP.
If you go to another SP, you generally don't have to authenticate at your IdP again as your IdP may have a session for you after the login for the first SP and will just release your attributes to the second SP.
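The SP-side decision described in the answer (native session vs. SAML attribute TTL vs. going back to the IdP), as an added illustration that is not part of the answer above. The assertion XML is a constructed sample containing only the SAML 2.0 timing elements (Conditions NotBefore/NotOnOrAfter); the "renew from assertion" branch is the policy choice the answer mentions, not a rule every SP follows.

```python
from dataclasses import dataclass
from datetime import datetime
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not from a real IdP). A real SP verifies the
# assertion's signature and Issuer before trusting any of these timestamps.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T10:00:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T11:00:00Z"/>
  <saml:AuthnStatement AuthnInstant="2024-01-01T10:00:00Z"/>
</saml:Assertion>"""


def _ts(value):
    # SAML timestamps are xsd:dateTime in UTC ("...Z"); make them aware datetimes.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


@dataclass
class AssertionWindow:
    not_before: datetime
    not_on_or_after: datetime  # the attribute TTL: unusable at or after this instant


def parse_window(xml_text):
    """Extract the validity window the SP checks before reusing released attributes."""
    cond = ET.fromstring(xml_text).find("saml:Conditions", SAML_NS)
    return AssertionWindow(_ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter")))


def sp_decision(now, sp_session_expiry, window):
    """What the SP does for a request at `now`:
    'use_session'            native SP session still valid, IdP not contacted
    'renew_from_assertion'   SP session lapsed but attributes still inside their TTL,
                             so the SP may mint a new session (policy-dependent)
    'redirect_to_idp'        attributes expired or not yet valid: new SAML request
    """
    if now < sp_session_expiry:
        return "use_session"
    if window.not_before <= now < window.not_on_or_after:
        return "renew_from_assertion"
    return "redirect_to_idp"


def decide_iso(now_iso, sp_session_expiry_iso, xml_text=SAMPLE_ASSERTION):
    """Convenience wrapper taking ISO-8601 strings, e.g. from request logs."""
    return sp_decision(_ts(now_iso), _ts(sp_session_expiry_iso), parse_window(xml_text))
```

Note that NotOnOrAfter is exclusive: a request at exactly 11:00:00Z with the sample assertion already falls into the redirect branch.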