Individual applications have their own timeouts - they're application dependent
The NCEdCloud IAM Service RapidIdentity Portal:
Login Screen inactivity timeout (you go to the login screen but don't login) = 5 minutes
If timed-out there, close the unused login window/tab, open a new window/tab and start over (DON'T use the Back arrow/button)
Once in the NCEdCloud portal, the inactivity timeout = 8 Hours
The SAML assertion timeout is valid for 5 minutes (the assertion itself)
Individual Applications can have a different timeout for their session(s). If it is > 5 minutes and that timeout occurs, they will check the SAML assertion and then handle it however they're configured.
In general, it is best that users completely close their browser sessions (Chrome, Safari, Firefox, etc.) when they are done
One example is Google Apps. If Google Apps is integrated with the IAM Service and a user logs in, they stay logged in until they close the browser, which could be days or weeks.