I believe that redirecting the user to the FusionAuth authorize URL will extend the session (and the doc above implies it: "The length of time an SSO session can be inactive before it is closed.").
This is not working as I expected. When I didn't provide a trustChallenge to the Two Factor Start API, I couldn't get the Change Password API to work. The message indicated that I needed to provide a trustToken, even though I was passing this into the API.
The workaround I found is that it worked when I provided a trustChallenge in the Two Factor Start API and the Change Password API.
This suggests that you have an integration error. My recommendation would be to turn on debug enabled for the SAML IdP in question and review the event logs for troubleshooting guidance.