There are two authentication refresh timeout that can be used in CPL or policy:

1. authenticate.credential_refresh_time
2. authenticate.surrogate_refresh_time

The equivalent setting is under the Authentication realm, Configuration > Authentication > IWA > IWA General.

When the timeout is set under the policy, the proxy does not seem to be taking the one set in the policy, instead, it uses the one been set in the authentication realm.

For example, in the policy:

<Proxy>
authenticate(myrealm) authenticate.surrogate_refresh_time(1800)

In the authentication realm, it is set to 15 minutes by default.

Instead, the proxy uses the 15 minutes timeout.

This is the expected behavior.

The proxy will use the lowest time set in either the authentication realm or the policy.

In this case, if the authentication realm is set to 15 minutes, and the policy is set to 30 minutes, the proxy will use the 15 minutes set in the authentication realm.

This is an expected behavior or by design.

However there is a workaround where if there is a requirement to use the timeout for specific group or users beside the one set in the authentication realm, you can set the timeout in the authentication realm higher that what is been set in the policy. For example, the requirement is to have this group of user to have a timeout of 20 minutes, so would need to set the timeout in the authentication realm higher than 20 minutes, maybe 21 minutes for the policy timeout to take effect.