
Shibboleth and Autologin


I have used Shibboleth with manual login, meaning the user clicks the login link on a website, which opens the external page where the Shibboleth login page is. Once authenticated, it redirects them back to the original site, to a Shibboleth-enabled page.

My question is: once logged in, when they go to another site, how can I authenticate them automatically, since they already have a Shibboleth session from the first site? Do they have to click an action like on the first site, which in turn will automatically log them in with some implicit redirects the user doesn't see, or can I do this without the user clicking a login link and without doing a check on every page load?


Solution

  • You can check for the presence of one of Shibboleth's headers, for example Shib_Authentication_Instant, and redirect if that's not present. You can do that on the server level rather than in your application logic, using, for example, mod_shib for Apache.

    If you want to show "public content" and additional "member content", things get trickier. I guess you could have a landing page that requests some Shib-protected resource (1x1 invisible GIF with nonce in a query parameter, something AJAXy, whatever): If your user is already Shib-authenticated, you can see that the resource is being loaded. (Otherwise, he'll be stuck in an invisible login dialog for that resource, which shouldn't matter, and you store that he's not authenticable in the session. This is not security-critical: if the user removes it, he'll go through the gif procedure again, and member content should depend on the headers that your shibbolized web server inserts for you anyway.)

    But this is a crude hack, and usability depends on a "good" timeout for the marker gif request.
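    As an added illustration of the server-level check described above (example code, not from the answer or the Shibboleth project): a minimal WSGI app behind Apache and mod_shib that serves public pages without a session and bounces requests for member pages through the SP's session initiator when no Shibboleth session is present. It assumes a "lazy session" location (`ShibRequestSetting requireSession 0`) so public pages load without login, that mod_shib exposes the session as the `Shib-Authentication-Instant` environment variable, and a `/members` prefix for protected content.

```python
# Added example; assumes Apache + mod_shib in front of this WSGI app with a
# lazy session, so the SP only forces login when the application asks for it.
from urllib.parse import quote

# Standard Shibboleth SP session-initiator handler; 'target' is where the SP
# returns the browser after the IdP round-trip (transparent if the IdP still
# holds a live SSO session from the first site).
SP_LOGIN_HANDLER = "/Shibboleth.sso/Login"
MEMBER_PREFIX = "/members"  # assumption: everything under here needs a session


def shib_session_present(environ):
    """True if mod_shib attached a Shibboleth session to this request.

    Only the environment variable mod_shib itself sets is trusted. A
    client-supplied HTTP header (HTTP_SHIB_AUTHENTICATION_INSTANT in the
    environ) is deliberately ignored so it cannot stand in for a session.
    """
    return bool(environ.get("Shib-Authentication-Instant"))


def handle(environ):
    """Return (status, headers, body) for one request."""
    path = environ.get("PATH_INFO", "/")
    if not path.startswith(MEMBER_PREFIX):
        return "200 OK", [("Content-Type", "text/plain")], b"public content"
    if shib_session_present(environ):
        user = environ.get("REMOTE_USER", "unknown")
        body = f"member content for {user}".encode()
        return "200 OK", [("Content-Type", "text/plain")], body
    # No session: redirect through the SP and come back to the same URL.
    url = "%s://%s%s%s" % (
        environ.get("wsgi.url_scheme", "https"),
        environ.get("HTTP_HOST", "localhost"),
        environ.get("SCRIPT_NAME", ""),
        path,
    )
    if environ.get("QUERY_STRING"):
        url += "?" + environ["QUERY_STRING"]
    location = "%s?target=%s" % (SP_LOGIN_HANDLER, quote(url, safe=""))
    return "302 Found", [("Location", location)], b""


def app(environ, start_response):
    """WSGI entry point wrapping handle()."""
    status, headers, body = handle(environ)
    start_response(status, headers)
    return [body]
```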