SSO Session Idle vs SSO Session Max

From what I recall (since we left Keycloak a while ago), if you set the SSO Session Idle to 5 minutes, that means that after 5 minutes the token will expire.
I think that in KC you need to check the expiration time before any action you do, and if the token is about to expire (let’s say in 3 seconds) you need to refresh the token using KC (we used the API of KC, so we refreshed it manually), and then the token will be valid for another 5 minutes.

The “SSO Session Max” means that no matter how many times you refresh the token, after a certain time (let’s say 10 hours) the session can’t be refreshed anymore and a new token needs to be created.

From what I recall, the industry standards are:
access token should be 5 minutes
refresh token (SSO Session Idle) should be around 120 minutes
SSO Session Max depends on business logic, if you want a user/service token to be valid forever or not

But again, it’s all up to your needs.
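
An added example, not part of the original post and not Keycloak code: an offline model of the check-then-refresh pattern described above, showing that refreshing extends the idle window but never past the session max. The class and function names are hypothetical, and the timeout rules are a simplified assumption about how the idle and max limits interact; the 5 minute, 120 minute, 10 hour and 3 second values come from the post.

```python
from dataclasses import dataclass


@dataclass
class SsoSession:
    """Simplified session model; every time value is in seconds."""
    idle: float        # "SSO Session Idle": longest allowed gap between refreshes
    max_life: float    # "SSO Session Max": hard cap counted from login
    access_ttl: float  # access token lifespan
    started: float = 0.0
    last_refresh: float = 0.0

    def refresh_deadline(self) -> float:
        # A refresh is accepted until the idle window closes or the session
        # reaches its maximum age, whichever comes first.
        return min(self.last_refresh + self.idle, self.started + self.max_life)

    def access_expiry(self) -> float:
        # The access token never outlives the session that issued it.
        return min(self.last_refresh + self.access_ttl, self.refresh_deadline())

    def refresh(self, now: float) -> bool:
        if now >= self.refresh_deadline():
            return False  # session is gone: refreshing cannot revive it
        self.last_refresh = now
        return True


def ensure_token(session: SsoSession, now: float, skew: float = 3.0) -> str:
    """Check before an action: refresh if the token expires within `skew`."""
    if now < session.access_expiry() - skew:
        return "valid"
    return "refreshed" if session.refresh(now) else "login_required"


def simulate(session: SsoSession, action_times: list[float]) -> list[str]:
    """Run the pre-action check at each (constructed) timestamp."""
    return [ensure_token(session, t) for t in action_times]


if __name__ == "__main__":
    # Constructed timeline: 5 min access token, 120 min idle, 10 h max.
    hourly = [h * 3600.0 for h in range(1, 11)]
    print(simulate(SsoSession(7200, 36000, 300), hourly))
```

With hourly activity the session survives nine refreshes and is refused at the 10 hour mark; a gap longer than the idle window ends it earlier, and in both cases the client has to send the user back through login.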