Need some guidance on SSO functionality using Auth0 as SAML provider

We are a B2B SaaS company and currently use OTP-based platform login. Some of our customers prefer to use their own IDP for authentication, and hence we need to support Auth0 as an IDP, which will essentially facilitate SAML-based authentication.

We are a React + Node app, and just because we have to support multiple IDPs, we preferred to use the passport & passport-saml Node packages for now.

The basic flow is working fine. We forward the user to Auth0 and then Auth0 sends back the SAML assertion. We extract the condition for the session boundary –

<saml:Conditions NotBefore="2022-06-10T08:49:19.713Z" NotOnOrAfter="2022-06-10T09:49:19.713Z">

Using this we build our JWT, where the refresh token lives till “NotOnOrAfter”. My question is: at what interval should we redirect the request to the Auth0 SAML endpoint?

  • If we redirect after “NotOnOrAfter”, then the user will be forced to log in again
  • If we redirect sometime before the SAML condition expiry, Auth0 may extend it with a new assertion

Can someone throw some suggestions here? If we redirect the active user to the Auth0 SAML endpoint, say a minute before “NotOnOrAfter”, will Auth0 detect that the current session is valid and send a new SAML assertion with an extended “NotOnOrAfter” value?
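The session bookkeeping the post describes (reading the assertion's validity window, bounding the refresh token by NotOnOrAfter, and choosing a re-authentication point ahead of it), as an added Node example that is not part of the original post or of passport-saml. The attribute extraction, the sample element and the skew/buffer values are constructed assumptions for illustration; a real service would take the timestamps from passport-saml's validated profile rather than re-parsing XML.

```javascript
// Added example (not from the post): bound the app session by the SAML
// <saml:Conditions> window and derive a re-authentication deadline from it.

// Constructed sample, matching the element shape quoted in the post.
const SAMPLE_CONDITIONS =
  '<saml:Conditions NotBefore="2022-06-10T08:49:19.713Z" NotOnOrAfter="2022-06-10T09:49:19.713Z">';

// Minimal attribute extraction for the sample above (assumption: a single
// well-formed element). Returns epoch milliseconds for both timestamps.
function parseConditions(xml) {
  const attr = (name) => {
    const m = xml.match(new RegExp(`\\b${name}="([^"]+)"`));
    if (!m) throw new Error(`missing ${name} on saml:Conditions`);
    const t = Date.parse(m[1]);
    if (Number.isNaN(t)) throw new Error(`bad timestamp in ${name}`);
    return t;
  };
  return { notBefore: attr('NotBefore'), notOnOrAfter: attr('NotOnOrAfter') };
}

// Session policy derived from the assertion:
//  - reject assertions outside [NotBefore, NotOnOrAfter), allowing a small
//    clock skew between the IdP and this service (assumed 60 s);
//  - the refresh token never outlives NotOnOrAfter;
//  - start a new SAML round-trip `reauthBufferMs` before NotOnOrAfter
//    (assumed 5 min) so an active user is not cut off at the boundary.
function sessionPolicy(conditions, nowMs,
                       { clockSkewMs = 60_000, reauthBufferMs = 5 * 60_000 } = {}) {
  const { notBefore, notOnOrAfter } = conditions;
  if (nowMs + clockSkewMs < notBefore) {
    return { ok: false, reason: 'assertion not yet valid' };
  }
  if (nowMs - clockSkewMs >= notOnOrAfter) {
    return { ok: false, reason: 'assertion expired' };
  }
  const refreshExp = notOnOrAfter;                       // hard upper bound for the JWT refresh token
  const reauthAt = Math.max(nowMs, notOnOrAfter - reauthBufferMs);
  return { ok: true, refreshExp, reauthAt };
}

// Called on each request: true once the re-authentication point is reached.
function shouldReauthenticate(policy, nowMs) {
  return policy.ok && nowMs >= policy.reauthAt;
}
```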