Author: zores <hi>
Date: 4/28/2016 4:26:43 PM
Subject: RE: o365 Vulnerabilities

We've found a lot of these issues when our organization federates out to third-party vendors.

The most notorious are discoveries where the third-party vendor's identity provider doesn't time out an established session, so if you capture the SAML assertion, you could replay it to log in over and over and over... you get the point.
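A service-provider-side check against the replay described in the post above, as an added example that is not part of the original post: it rejects assertions with no expiry or an expired `NotOnOrAfter`, and refuses an assertion ID it has already accepted. The `ReplayCache` helper, the 60-second skew, and the sample assertion are assumptions made here; signature verification is assumed to have happened before this check.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SKEW = timedelta(seconds=60)  # assumed clock-skew allowance
# Constructed sample assertion (unsigned, for illustration only).
SAMPLE = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-1">'
    '<saml:Conditions NotBefore="2016-04-28T16:20:00Z" NotOnOrAfter="2016-04-28T16:30:00Z"/>'
    "</saml:Assertion>"
)


def _ts(value):
    # Assumes whole-second UTC timestamps such as 2016-04-28T16:26:43Z.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class ReplayCache:
    """Remembers accepted assertion IDs until they expire (hypothetical helper)."""
    def __init__(self):
        self._seen = {}  # assertion ID -> time after which it can be forgotten

    def check_and_store(self, assertion_id, expires, now):
        # Expired IDs can be dropped: the expiry check rejects them anyway.
        self._seen = {k: v for k, v in self._seen.items() if v > now}
        if assertion_id in self._seen:
            return False
        self._seen[assertion_id] = expires
        return True


def accept_assertion(xml_text, cache, now):
    """Return (accepted, reason) for an already signature-verified assertion."""
    # Production code should use a hardened XML parser (e.g. defusedxml).
    assertion = ET.fromstring(xml_text)
    cond = assertion.find("saml:Conditions", NS)
    if not assertion.get("ID"):
        return False, "no assertion ID"
    if cond is None or not cond.get("NotOnOrAfter"):
        return False, "no expiry"  # unbounded lifetime means unbounded replay
    not_after = _ts(cond.get("NotOnOrAfter"))
    if now >= not_after + SKEW:
        return False, "expired"
    not_before = cond.get("NotBefore")
    if not_before and now < _ts(not_before) - SKEW:
        return False, "not yet valid"
    if not cache.check_and_store(assertion.get("ID"), not_after + SKEW, now):
        return False, "replayed"
    return True, "ok"
```

The cache only needs to hold each ID until its `NotOnOrAfter` plus skew, so a short assertion lifetime at the identity provider keeps both the replay window and the cache small.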