When acting as an Identity Provider, the system always performs re-authentication when a Service Provider sends "forceAuthn=true" in the SAML authentication request.
If the Service Provider does not send "forceAuthn=true", the Identity Provider returns a SAML Assertion without requiring authentication for a session that is already authenticated (normal single sign-on behaviour).
Follow these steps to enable forced re-authentication:
Add, or edit, a SAML Federation with SAML Role Identity Provider enabled.
Select the "Role Identity Provider" tab.
Click "Edit default values".
Check "Enable force re-authentication" and click Save.
Optional step: if you already have a list of Service Providers, edit each one, check "Enable force re-authentication" and click Save.
Save the SAML Federation when done, then click Publish.
After performing these steps, the Identity Provider will always require re-authentication, even if the user already has an authenticated session.
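The decision described above, as an added example that is not part of this product or its documentation: it parses the ForceAuthn attribute of a constructed SAML 2.0 AuthnRequest (XML Schema booleans allow "1" as well as "true") and combines it with the IdP-side "Enable force re-authentication" setting to decide whether an existing session may be reused. The function and setting names are hypothetical.

```python
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample AuthnRequest; the ID and timestamp are placeholders,
# not values captured from any real deployment.
AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}"
    ID="_example-request-id" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z" ForceAuthn="true"/>"""


def parse_force_authn(authn_request_xml: str) -> bool:
    """Return True if the AuthnRequest carries ForceAuthn="true" (or "1").

    A missing ForceAuthn attribute means false, as in SAML 2.0 Core.
    Anything that is not a samlp:AuthnRequest is rejected outright.
    """
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest element")
    return root.get("ForceAuthn", "false").strip().lower() in ("true", "1")


def must_reauthenticate(has_authenticated_session: bool,
                        sp_force_authn: bool,
                        idp_force_reauth_enabled: bool) -> bool:
    """Decide whether the IdP must authenticate the user before asserting.

    - No existing session: authenticate (nothing to reuse).
    - SP sent ForceAuthn=true: always re-authenticate.
    - IdP setting "Enable force re-authentication" is on: always re-authenticate.
    - Otherwise: reuse the existing session (single sign-on).
    """
    if not has_authenticated_session:
        return True
    return sp_force_authn or idp_force_reauth_enabled


if __name__ == "__main__":
    sp_flag = parse_force_authn(AUTHN_REQUEST)
    print("SP requested ForceAuthn:", sp_flag)
    print("Re-authenticate (session exists, IdP setting off):",
          must_reauthenticate(True, sp_flag, False))
```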