Last tested: Sep 18, 2019
Looker doesn't use tokens at all when authenticating with SAML.
In fact, we are 100% decoupled from Okta’s notion of sessions and how they keep users logged in or not.
When a user hits the ‘Authenticate’ button, we redirect the user’s browser to the SAML IdP and (implicitly) say “the user using this browser wants to log in, let me know if this is someone you trust and please give me info about them”. The IdP eventually redirects the user’s browser back to us with a signed SAML doc (or not if the IdP doesn’t trust this user). We verify the doc and then extract the info about the user that we care about (email, name, groups, etc).
We then forget about that SAML doc. There is no token-like thing we retain from that doc (other than the stable user id). We then maintain our own sessions and cookies to authenticate each request from a logged-in user as they use looker. But, that is all completely decoupled from any tokens or the like from the SAML IdP.