It doesn't make much sense to use a max-age that is less than the effective session-timeout. A session-timeout of 480 means the session will be deleted after the session is idle for 8 hours. However, a cookie max-age of 3600 means that the user's browser will only keep the cookie containing the reference to the user's session ID for 1 hour. This means that if the user is idle for more than an hour, unless the session ID is encoded in the request URL (e.g. via HttpServletResponse.encodeURL(...)), subsequent requests will lose their session reference and a new session will be created. The original one will eventually expire after another 7 hours. As to whether SAML is responsible for the observed premature logouts, I don't know.
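The mismatch described in the answer above, shown as an added web.xml example (Servlet 3.0 `<session-config>` syntax; this is illustrative configuration, not taken from the original poster's deployment). The first block is the mismatched setting: the server keeps an idle session alive for 480 minutes while the browser discards the session cookie after 3600 seconds, so a user idle for more than an hour gets a fresh session while the orphaned one stays resident on the server for the remaining 7 hours. The second block aligns the two lifetimes (28800 seconds = 480 minutes) and pins tracking to cookies so the session ID is never rewritten into URLs, where it would show up in logs and Referer headers.

```xml
<!-- Mismatched: cookie dies after 1 h, server session lingers for 8 h -->
<session-config>
    <session-timeout>480</session-timeout>          <!-- minutes -->
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
        <max-age>3600</max-age>                      <!-- seconds -->
    </cookie-config>
</session-config>

<!-- Aligned: cookie lifetime matches the idle timeout, cookie-only tracking -->
<session-config>
    <session-timeout>480</session-timeout>          <!-- 8 h idle timeout, minutes -->
    <cookie-config>
        <http-only>true</http-only>                  <!-- not readable from script -->
        <secure>true</secure>                        <!-- only sent over HTTPS -->
        <max-age>28800</max-age>                     <!-- 480 min * 60 = 28800 s -->
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>            <!-- never fall back to URL rewriting -->
</session-config>
```

Omitting `<max-age>` entirely (the default of -1) makes the cookie a browser-session cookie that is dropped when the browser closes, which is usually the safer choice; a positive max-age writes the cookie to disk, so it survives browser restarts for that long. Whatever value is chosen, an idle session on the server should not outlive the cookie that references it by hours, and a cookie should not outlive the session it points to.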