Redirect from rules: state value lifetime



We rely on the redirect user from rules feature:

The docs here don’t show any details about the state value.
Does it have an expiry time?
I assume not, but do previously issued state values become invalid when a new one is issued for a given user?

Any details worth sharing are great.


The state value does seem to have an associated lifetime and some tests indicate that this lifetime is affected by the value you configured for SSO Cookie Timeout in your account settings. This means the end-user will have to complete whatever is associated with the redirect rule step before the value configured for that timeout. Keep in mind this was based on quick tests, so I’ll try to confirm this situation and ideally document any lifetime information in the documentation you linked.

In addition, the user can start authentication flows (that include a redirect rule) in multiple browsers, and this will mean the use of multiple states which are independent and that can all be continued with success, so there’s no strict one-to-one limitation to the user itself. However, also based on observations from a quick test, if you start multiple transactions from the same browser session you will only be able to complete one of them.