The Security Considerations document provides some minimal discussion of risks that are mitigated through freshness checks or replay checks, but the actual spec set says nothing about the use of the IssueInstant or ID attributes at the protocol layer.
Discussion of bearer assertion or artifact replay checking exists, but nothing at the protocol layer.
This is a significant omission depending on specific use cases, such as the use of signed messages in place of mutual TLS in the SOAP binding, or with the use of signed AuthnRequests or LogoutRequests in various profiles.