At the moment, session lifetime is controlled by the server/session/timeout parameter. We would like to make it possible to control the IAG session lifetime based on the ID token's lifetime. (Similar to what is possible in Verify Access Federation, WebSEAL OAuth Introspection etc.)
We would support an attribute in the inbound SSO request that could be used to map to the session lifetime.
This would NOT be the id_token lifetime as that is not a suitable timeout/lifetime to use for standard web sessions.