SAML2AuthenticationHander should take in an option "ForceAuthn" with possible values being "true" or "false" which could be in picketlink.xml's Handler section with an option being "ForceAuthn", just like "NAMEID_FORMAT".

Then in its private class SPAuthenticationHandler, (for version 2.6.0.Final) add (after line 382), add

auth.setForceAuthn(<the_above_mentioned_configured_value>);

if the option does exist in picketlink.xml file.

This flag is telling the IDP side to force user authentication, instead of reusing an existing user session on the IDP side even if it is not expired.