Spring SAML issues an ExpiringUsernameAuthenticationToken for authenticated users. The token begins to return false in its isAuthenticated() method as soon as the SAML Assertion used to authenticate the user reaches its sessionNotOnOrAfter time.
This behavior can be disabled by overriding SAMLAuthenticationProvider and changing the getExpirationDate(credential) method, which returns the time when the statement expires, or null if it never happens. Then the application will rely entirely on the expiration of the session configured in the container.
As soon as the ExpiringUsernameAuthenticationToken expires, Spring Security will pass the current token to the AuthenticationManager (configured in securityContext.xml under <security:authentication-manager>).
You can influence what happens next by adding your own AuthenticationProvider capable of handling the ExpiringUsernameAuthenticationToken. Otherwise, the system crashes with a ProviderNotFoundException or some other AuthenticationException like BadCredentialsException (in case you are simultaneously using username and password authentication).
The exception is subsequently handled by an ExceptionTranslationFilter, which starts a new authentication process, invoking the configured authentication EntryPoint, for example SAMLEntryPoint, which either starts authentication with the default IDP or displays an IDP selection page. The process, as you say, will also perform a local logoff.
By default, the system behaves the same for all HTTP calls, AJAX or not. You can define other behavior by splitting your API and regular URLs into separate <security:http> elements and using different EntryPoints (AuthenticationEntryPoint interface) for each of them. For example, Http403ForbiddenEntryPoint might be appropriate for your AJAX calls.
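The two customization points the answer describes, written out as an added example (this is not code from the answer or from the Spring SAML project). It assumes the Spring Security SAML extension 1.0.x package layout: SAMLAuthenticationProvider and SAMLCredential under org.springframework.security.saml, and ExpiringUsernameAuthenticationToken under org.springframework.security.providers; the class names SessionBoundSamlAuthenticationProvider and ExpiredSamlTokenProvider are invented for this illustration. The first class disables assertion-driven expiry by returning null from getExpirationDate(credential); the second keeps that expiry but registers a provider for the expired token, so the re-authentication path ends in a CredentialsExpiredException that ExceptionTranslationFilter hands to the entry point, instead of a ProviderNotFoundException.

```java
import java.util.Date;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.CredentialsExpiredException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.providers.ExpiringUsernameAuthenticationToken;
import org.springframework.security.saml.SAMLAuthenticationProvider;
import org.springframework.security.saml.SAMLCredential;

/**
 * Option 1 (hypothetical class name): bind the SAML login to the container
 * session only. Returning null from getExpirationDate() means the
 * ExpiringUsernameAuthenticationToken never flips isAuthenticated() to false
 * by itself; the servlet session timeout is then the only thing ending the login.
 * Register this bean in place of the stock SAMLAuthenticationProvider under
 * <security:authentication-manager>.
 */
public class SessionBoundSamlAuthenticationProvider extends SAMLAuthenticationProvider {

    @Override
    protected Date getExpirationDate(SAMLCredential credential) {
        // Ignore SessionNotOnOrAfter from the assertion; rely on the container session.
        return null;
    }
}

/**
 * Option 2 (hypothetical class name): keep the assertion-driven expiry, but make
 * the outcome explicit when Spring Security re-submits the expired token to the
 * AuthenticationManager. Add this provider next to the SAML provider (and any
 * username/password provider) so the expired token is never left unhandled.
 * Package-private here only so both classes fit in one file.
 */
class ExpiredSamlTokenProvider implements AuthenticationProvider {

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        ExpiringUsernameAuthenticationToken token = (ExpiringUsernameAuthenticationToken) authentication;
        Date expiration = token.getTokenExpiration();

        if (expiration != null && !expiration.after(new Date())) {
            // Reject clearly. Do not "refresh" the token locally: only the IdP can
            // vouch for the user again, so the user must go back through SAMLEntryPoint.
            throw new CredentialsExpiredException(
                    "SAML session for " + token.getName() + " expired at " + expiration);
        }

        // Not expired (e.g. alwaysReauthenticate is on): keep the existing authentication.
        return token;
    }

    @Override
    public boolean supports(Class<?> authentication) {
        // Only claim ExpiringUsernameAuthenticationToken; leave other token types
        // (such as UsernamePasswordAuthenticationToken) to their own providers.
        return ExpiringUsernameAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

Pick one option, not both: with option 1 the token never expires on its own, so option 2's expiry branch is never reached. Whichever you choose, the AJAX behaviour still comes from the entry point attached to each <security:http> element, which is independent of the providers shown here.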