...

There are a number of different interacting pieces that contribute to "reuse" of authentication without constantly pestering the end user. In many deployments these pieces are used to "soften" the impact of broad MFA requirements: MFA is required even for relatively low-value/low-risk systems, in return for reducing the frequency with which it actually has to be performed. Examples of these interacting pieces include SSO sessions and various solution-specific mechanisms for "skipping" MFA for some period of time after a successful use. Duo's "Remember Me" feature is a common example.

Because SSO is a largely inherent assumption of protocols like SAML and OIDC, it is understood that "MFA happened" is not necessarily an indication that it happened immediately prior to the issuing of an assertion. Most protocols, SAML included, have a field used to signal "when" authentication actually happened (in SAML, the AuthnInstant attribute of the AuthnStatement), but even that value can be somewhat ambiguous when different factors are involved, since at best it indicates when the most recent use of a factor happened. In most cases this is a reasonable enough approximation that it can serve as an effective signal to applications that care about this sort of "freshness" issue, giving them the ability to control the threshold to meet their needs.

Unfortunately, it is a common problem with some MFA solutions that their "reuse" features operate in ways that don't allow the IdP software to properly distinguish whether a user actually was challenged, though this is improving a bit over time. This can lead to false claims that the time of authentication is much more recent than it actually is.

The REFEDS MFA profile does not provide any specific guidance about how long a use of MFA should "last" before being refreshed. It would probably seem reasonable to most people that a day is fine, but a year is not. A month? A week? That's more of a gray area.
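As an added illustration (not from the original page, and not Shibboleth or any IdP/SP product's code), the following shows what a relying party can actually do with the signals discussed above: read the SAML AuthnInstant attribute and AuthnContextClassRef from the AuthnStatement (or, for OIDC, the auth_time and acr claims), require the REFEDS MFA context, and apply its own freshness threshold, since the profile does not supply one. The REFEDS MFA and PasswordProtectedTransport URIs are the real public values; the assertion skeleton, issuer name, timestamps, fixed clock and the one-day / one-hour limits are constructed for the example. The caveat from the text still applies: the check is only as honest as the instant the IdP reports, so a "Remember Me" style bypass that was recorded as a fresh factor use would pass it.

```python
"""Relying-party freshness check on the "when did authentication happen" signal.

Added example with constructed inputs; not code from the page, Shibboleth,
or any IdP/SP product. The policy limits below are illustrative choices.
"""
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Real, public authentication context class URIs.
REFEDS_MFA = "https://refeds.org/profile/mfa"
PASSWORD_PT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Fixed clock and example limits so the results below are reproducible.
NOW = datetime(2024, 5, 2, 11, 0, 0, tzinfo=timezone.utc)
ONE_DAY = timedelta(days=1)
ONE_HOUR = timedelta(hours=1)

# Constructed assertion skeleton (issuer name is hypothetical; Signature,
# Subject and Conditions omitted). A real SP verifies the signature first.
ASSERTION_TEMPLATE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-05-02T10:59:50Z">
  <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="{authn_instant}" SessionIndex="_s1">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>{ctx}</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def build_assertion(authn_instant, ctx):
    """Fill the constructed skeleton with a given instant and context class."""
    return ASSERTION_TEMPLATE.format(authn_instant=authn_instant, ctx=ctx)


def parse_saml_instant(value):
    """SAML dateTime values are UTC with a trailing Z, optionally fractional."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unparseable SAML instant: {value!r}")


def evaluate_authn(instant, ctx, now, max_age, clock_skew=timedelta(minutes=3)):
    """Shared policy for both protocols. Returns (accepted, reason).

    This trusts the IdP's reported instant. If a "remember me" style bypass
    was recorded as a fresh factor use, the instant is wrong and this check
    cannot detect that.
    """
    if ctx != REFEDS_MFA:
        return False, f"context {ctx!r} is not REFEDS MFA"
    age = now - instant
    if age < -clock_skew:
        return False, "authentication instant is in the future"
    if age > max_age:
        return False, f"MFA is {age} old, limit is {max_age}"
    return True, f"MFA is {age} old"


def evaluate_saml_assertion(xml_text, now, max_age):
    """Read AuthnInstant and AuthnContextClassRef from the AuthnStatement."""
    root = ET.fromstring(xml_text)
    stmt = root.find("saml:AuthnStatement", SAML_NS)
    if stmt is None or stmt.get("AuthnInstant") is None:
        return False, "no AuthnStatement with AuthnInstant"
    ctx = stmt.findtext("saml:AuthnContext/saml:AuthnContextClassRef",
                        namespaces=SAML_NS)
    return evaluate_authn(parse_saml_instant(stmt.get("AuthnInstant")),
                          ctx, now, max_age)


def evaluate_oidc_claims(claims, now, max_age):
    """OIDC carries the same signal as auth_time (epoch seconds) and acr."""
    if "auth_time" not in claims:
        return False, "no auth_time claim; request it via max_age or claims"
    instant = datetime.fromtimestamp(claims["auth_time"], tz=timezone.utc)
    return evaluate_authn(instant, claims.get("acr"), now, max_age)


def demo():
    """Run the constructed cases against the fixed clock; maps case -> accepted."""
    mfa_23h = build_assertion("2024-05-01T12:00:00Z", REFEDS_MFA)
    pwd_23h = build_assertion("2024-05-01T12:00:00Z", PASSWORD_PT)
    future = build_assertion("2024-05-02T12:00:00Z", REFEDS_MFA)
    auth_time = int(parse_saml_instant("2024-05-01T12:00:00Z").timestamp())
    return {
        "mfa_23h_limit_1d": evaluate_saml_assertion(mfa_23h, NOW, ONE_DAY)[0],
        "mfa_23h_limit_1h": evaluate_saml_assertion(mfa_23h, NOW, ONE_HOUR)[0],
        "password_only_limit_1d": evaluate_saml_assertion(pwd_23h, NOW, ONE_DAY)[0],
        "future_instant": evaluate_saml_assertion(future, NOW, ONE_DAY)[0],
        "oidc_23h_limit_1d": evaluate_oidc_claims(
            {"auth_time": auth_time, "acr": REFEDS_MFA}, NOW, ONE_DAY)[0],
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accept' if accepted else 'reject'}")
```

The same 23-hour-old MFA event is accepted under a one-day limit and rejected under a one-hour limit, which is exactly the threshold decision the profile leaves to the application; a password-only context is rejected regardless of age, and an instant in the future (beyond a small clock-skew allowance) is rejected as a likely misconfiguration or forgery.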

...