Hello
Maybe the following will be of help
https://docops.ca.com/ca-single-sign-on/12-52-sp2/en/programming/programming-in-c/saml-2-0-property-reference
According to this document, the timeout is configured in the IdP realm for the authentication URL.
SP sets session timeouts based on the realm timeout that corresponds to the configured SAML authentication scheme that protects the target resource
User session timeouts are governed by the realm that the user first logs into. If a user enters a new realm through single sign-on, the time-out values for the new realm are still governed by the session that was established by the initial login at the first realm. If you have different time-out values for different realms, and you want to have each realm use its own time-out values, you can override the time-outs of the original realm.
To override the time-outs of the original realm, configure your Web Agent and realms as described in the following process:
Set the value of the EnforceRealmTimeouts parameter to yes.
Use the Policy Server User Interface to do the following tasks:
For each realm where you want to supersede the original time-outs (any realm that SSO functionality allows the user to access), do the following:
To override the Maximum Timeout value,
Create Authentication event RULE with action OnAuthAccept
Create response of type WebAgent-OnAuthAccept-Session-Max-Timeout, and set to the desired value in seconds.
In the Policy add the Authentication event RULE then set the set the new responses to that rule
To override the Idle Timeout value, follow the same steps changing only the responses type to WebAgent-OnAuthAccept-Session-Idle-Timeout response attribute.
IMPORTANT: For proper SESSION management and to avoid unexpected timeouts when session override is used it is required to configure the EnforceRealmTimeouts=yes and the RULES an RESPONSES in all agents and realms.
So required have EnforceRealmTimeouts set to YES and the RULE/REPONSES configured in the parent realm as well as the child realm. The result will be if the client accesses the parent realm after visiting the child realm the override will follow the client to the parent realm.
See also
MyTechReference » CA Siteminder Session timeout
Hope this is helpful