Hi Jean Luc,
No, as far as I know there is no support in SAMLv2 for this, and thus also no support for it in PicketLink. In one of the SAMLv2 specification documents, called "Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0", section 4.1.4.3 (<Response> Message Processing Rules) there is a paragraph which might be interesting for you:
If an <AuthnStatement> used to establish a security context for the principal contains a SessionNotOnOrAfter attribute, the security context SHOULD be discarded once this time is reached, unless the service provider reestablishes the principal's identity by repeating the use of this profile.
This section gives some requirements and recommendations related to how a service provider should process the authentication response that comes back from the IDP. In this case (because of the SHOULD instead of MUST) it's a recommendation. PicketLink currently does nothing with that recommendation.
You can read between the lines that the service provider is responsible for re-authenticating as soon as the session of the user times out. The IDP can only give a hint of when the session needs to be refreshed.
Implementing an automatic refresh in PicketLink is not straightforward. For refreshing the session, PicketLink needs to be "in control" of the browser of the user, because communication with the IDP can only take place indirectly through the browser of the user. So PicketLink needs to sense that a servlet session timeout has taken place, and take care of the refresh at that time. After handling the refresh, it should redirect back again to the correct page in the application. Normally, you would handle the ViewExpiredException in your pages.xml, redirecting to your login page. But that only works if you have a login page where the user needs to select her preferred IDP. If you have a default IDP that handles all logins, you probably don't have a login page. In that case you can redirect to a page that calls externalAuthenticator.samlSignOn(). Just regard this as some hints; I didn't try or test this.
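As an added example (not PicketLink code, which as the reply above says does nothing with the attribute, and not part of the original thread), this is what the service-provider side of the quoted SHOULD looks like in practice: pull SessionNotOnOrAfter out of the AuthnStatement of the IDP's response, decide on each request whether the security context has to be discarded, and derive a cap for the container's session timeout from it. The SAML response, the issuer and SP URLs, the NameID and the timestamps are all constructed sample data. Signature validation and a hardened XML parser are deliberately left out here; a real SP must verify the response signature before trusting any of these attributes.

```python
"""Acting on SessionNotOnOrAfter from a SAML 2.0 <Response> at the service provider.

Added example with constructed sample data; not PicketLink's own code.
"""
import xml.etree.ElementTree as ET  # production code: validate the signature first and
                                    # use a hardened parser (e.g. defusedxml) on IDP input
from datetime import datetime, timedelta, timezone
from typing import Optional

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed, unsigned sample response for illustration only.
# Note the two different deadlines: Conditions/@NotOnOrAfter bounds the
# assertion itself (short, minutes), AuthnStatement/@SessionNotOnOrAfter is
# the IDP's hint for how long the SP may keep the authenticated session.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2012-05-10T10:00:00Z"
    Destination="https://sp.example.org/saml/acs">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2012-05-10T10:00:00Z">
    <saml:Issuer>https://idp.example.org</saml:Issuer>
    <saml:Subject><saml:NameID>jeanluc</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2012-05-10T09:59:00Z" NotOnOrAfter="2012-05-10T10:05:00Z"/>
    <saml:AuthnStatement AuthnInstant="2012-05-10T10:00:00Z" SessionIndex="_s1"
        SessionNotOnOrAfter="2012-05-10T10:30:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_instant(value: str) -> datetime:
    """SAML timestamps are xsd:dateTime in UTC with a trailing 'Z'."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    instant = datetime.fromisoformat(value)
    if instant.tzinfo is None:
        raise ValueError("SAML instants must carry a time zone")
    return instant.astimezone(timezone.utc)


def session_expiry(response_xml: str) -> Optional[datetime]:
    """Return SessionNotOnOrAfter from the AuthnStatement, or None if the IDP gave no hint."""
    root = ET.fromstring(response_xml)
    stmt = root.find(".//saml:Assertion/saml:AuthnStatement", NS)
    if stmt is None:
        raise ValueError("response carries no AuthnStatement; cannot establish a session")
    value = stmt.get("SessionNotOnOrAfter")
    return parse_saml_instant(value) if value else None


def needs_reauth(expiry: Optional[datetime], now: datetime,
                 skew: timedelta = timedelta(0)) -> bool:
    """True once the security context must be discarded.

    'NotOnOrAfter' means the instant itself is already expired. The skew is
    applied conservatively: the SP drops the context a little early rather
    than honouring a session the IDP considers over.
    """
    if expiry is None:
        return False  # no hint from the IDP; only the SP's own timeout applies
    return now + skew >= expiry


def servlet_timeout_seconds(expiry: Optional[datetime], now: datetime,
                            default_seconds: int) -> int:
    """Cap for HttpSession.setMaxInactiveInterval so the container never outlives the hint.

    The container's value is an inactivity timer, not an absolute deadline, so
    needs_reauth() still has to run on every request; this cap only makes sure
    an idle session dies no later than the IDP's hint.
    """
    if expiry is None:
        return default_seconds
    remaining = int((expiry - now).total_seconds())
    return max(0, min(default_seconds, remaining))


if __name__ == "__main__":
    exp = session_expiry(SAMPLE_RESPONSE)
    login = datetime(2012, 5, 10, 10, 0, 0, tzinfo=timezone.utc)
    print("SessionNotOnOrAfter:", exp)
    print("container timeout at login:", servlet_timeout_seconds(exp, login, 3600), "s")
    for minutes in (20, 29, 30, 31):
        probe = login + timedelta(minutes=minutes)
        print(f"t+{minutes:02d}m re-authenticate?", needs_reauth(exp, probe, timedelta(seconds=60)))
```

On each request the SP compares the stored expiry against the clock; when `needs_reauth` turns true it invalidates the local session and sends the browser back through the SSO profile (in the Seam case, the page calling externalAuthenticator.samlSignOn()), remembering the originally requested URL so it can redirect there afterwards.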
Thanks for the detailed (as usual) answer. We'll look into a periodic refresh from the browser.