I have a disconnect with respect to activity-based timeout policy and its usefulness. How can AAD be involved in the idle-timeout implementation of a web-app session? Shouldn't an idle timeout come from the application itself, and if a timeout is detected, the application can invalidate the existing token (although its lifetime may still be valid) and redirect the user back to AAD?
So suppose I have set an activity-based timeout of 2 hours for one web app (for example, portal.azure.com). When AAD sends the SAML/ID token to the app, would AAD send out this activity-based timeout information so that, if the application supports it, it can notify the user when the user has been staring at the app screen for 2 hours? If the user does not do any activity in the app, the JavaScript of the app will send out the sign-out request to AAD to sign the user out.
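The application-side mechanism the post describes (the app measures idle time itself, discards its copy of the token even though the token's own lifetime has not ended, and redirects the browser to AAD to sign out) looks like the following. This is an added example and not code from the original post or from Azure AD; the tenant segment `common`, the post-logout redirect URI `https://app.example.com/signed-out`, the storage keys `id_token`/`access_token`/`refresh_token` and the 30-second poll interval are all assumptions. The logout endpoint path `https://login.microsoftonline.com/{tenant}/oauth2/v2.0/logout` with its `post_logout_redirect_uri` query parameter is the documented AAD v2.0 endpoint.

```javascript
// Added example (not from the original post): an application-side idle
// timeout that discards the app's cached tokens and redirects the browser
// to the Azure AD v2.0 logout endpoint when the user has been inactive.
// Assumptions, all hypothetical: tenant "common", the post-logout redirect
// URI below, the storage key names, and a 2-hour limit.

const IDLE_LIMIT_MS = 2 * 60 * 60 * 1000;                         // 2 hours, as in the post
const TENANT = "common";                                           // assumed tenant segment
const POST_LOGOUT_REDIRECT = "https://app.example.com/signed-out"; // assumed, must be registered on the app

// Build the AAD sign-out URL. The redirect URI travels URL-encoded as a query parameter.
function buildLogoutUrl(tenant, postLogoutRedirectUri) {
  const query = new URLSearchParams({ post_logout_redirect_uri: postLogoutRedirectUri });
  return `https://login.microsoftonline.com/${encodeURIComponent(tenant)}/oauth2/v2.0/logout?${query}`;
}

// Tracks the last user activity against an injectable clock, so the expiry
// logic can be exercised without waiting two hours.
class IdleSessionGuard {
  constructor({ limitMs, onExpire, now = () => Date.now() }) {
    this.limitMs = limitMs;
    this.onExpire = onExpire;
    this.now = now;
    this.lastActivity = now();
    this.expired = false;
  }

  // Called on any user input event. Once expired, activity no longer revives the session.
  touch() {
    if (!this.expired) this.lastActivity = this.now();
  }

  idleMs() {
    return this.now() - this.lastActivity;
  }

  // Poll this from a timer; fires onExpire exactly once.
  check() {
    if (!this.expired && this.idleMs() >= this.limitMs) {
      this.expired = true;
      this.onExpire();
    }
    return this.expired;
  }
}

// Sign-out: drop the local token copies first. The ID/access token may still be
// inside its own lifetime, so leaving it cached would let the page keep calling
// APIs after the "timeout". Then hand the browser to AAD's logout endpoint,
// which ends the AAD browser session and returns to our redirect URI.
// `storage` has the Web Storage removeItem() shape and `navigate` is injected
// so the function also runs outside a browser. Returns the URL it navigated to.
function signOut({ storage, navigate, tenant, postLogoutRedirectUri }) {
  for (const key of ["id_token", "access_token", "refresh_token"]) {
    storage.removeItem(key);
  }
  const url = buildLogoutUrl(tenant, postLogoutRedirectUri);
  navigate(url);
  return url;
}

// Browser wiring (skipped under Node so the module stays loadable there).
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const guard = new IdleSessionGuard({
    limitMs: IDLE_LIMIT_MS,
    onExpire: () => signOut({
      storage: window.sessionStorage,
      navigate: (url) => window.location.assign(url),
      tenant: TENANT,
      postLogoutRedirectUri: POST_LOGOUT_REDIRECT,
    }),
  });
  for (const ev of ["mousemove", "keydown", "click", "touchstart", "scroll"]) {
    document.addEventListener(ev, () => guard.touch(), { passive: true });
  }
  setInterval(() => guard.check(), 30 * 1000); // poll every 30 s (assumed interval)
}
```

Two caveats a practitioner should keep in mind with this approach. First, redirecting to the AAD logout endpoint ends the AAD sign-in session in that browser (so it affects single sign-on to other apps in the same browser), but it does not revoke a token that has already been issued; the token stays valid until its own expiry, which is why the app must discard its local copy and also tear down any server-side session it keeps (for example by calling its own logout route before the redirect). Second, the idle measurement only sees events in the tab that registered the listeners, so a multi-tab app needs to share the last-activity timestamp (for instance via localStorage) or each tab will time out independently.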