A while ago I raised KEYCLOAK-686 about the fact that there is a secret maximum SSO Session Max Lifespan that is not evident or validated by the admin web application.
I think the same thing is probably true of SSO Idle Timeout. If I set this to something like 30 days, and I leave something idle overnight, I hit the SSO Idle Timeout anyway. I'm not sure what the real maximum is for SSO Idle Timeout, but it seems like it is maybe measured in hours.
Alarik