The state value does seem to have an associated lifetime, and some tests indicate that this lifetime is affected by the value you configured for SSO Cookie Timeout in your account settings. This means the end-user will have to complete whatever is associated with the redirect rule step before the value configured for that timeout. Keep in mind this was based on quick tests, so I’ll try to confirm this situation and ideally document any lifetime information in the documentation you linked.
In addition, the user can start authentication flows (that include a redirect rule) in multiple browsers, and this will mean the use of multiple states which are independent and that can all be continued with success, so there’s no strict one-to-one limitation to the user itself. However, also based on observations from a quick test, if you start multiple transactions from the same browser session you will only be able to complete one of them.