Works by looking up browser sessions stored in Redis to see if the user
has any active SAML sessions for the group a resource belongs to.

When we are in a web request we use the current session.
Outside of web requests we check for background sessions.