SSO Session Idle vs SSO Session Max

For the love of god - I can’t understand what the difference is between “SSO Session Idle” and “SSO Session Max”!


This is what I found from googling:
“SSO Session Idle Specify the SSO Session Idle timeout. By default, the value is set to 30 minutes. SSO Session Max Specify the maximum time before a user session is expired and invalidated. By default, the value is set to 10 hours”

In our scenario, we are doing a user login using the Admin REST API,
and once the access token is expired we use the refresh token to create a new one.
From what I noticed, once I do that the refresh token expiration is reset to 30 minutes again.
So what is this 10 hours parameter?

Our goal is that if a user is idle for more than 1 hour, he will need to log in again.
What is the best way to achieve this?

Thanks!

2 Likes

https://wjw465150.gitbooks.io/keycloak-documentation/content/server_admin/topics/sessions/timeouts.html
Basically you need SSO Session Idle 60 Minutes.
And the SSO Session Max is the max time a user can remain active; after that he needs another valid session. (Your user can start to be active after 59 Minutes about 10 times, afterwards he will need another session.)
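
The interaction of the two timeouts described in this answer, as an added example that is not part of the original thread and is not Keycloak's own code. It is a simplified model that ignores per-client overrides and any server-side grace period; `SsoSession` and `simulate` are hypothetical names, and the refresh schedules are constructed.

```python
from dataclasses import dataclass

M, H = 60, 3600  # seconds per minute / hour


@dataclass
class SsoSession:
    """Hypothetical model of one SSO session (not a Keycloak class)."""
    idle_timeout: int   # "SSO Session Idle", in seconds
    max_lifespan: int   # "SSO Session Max", in seconds
    started_at: int     # time of login
    last_refresh: int   # time of last successful refresh

    def expires_at(self) -> int:
        # The session ends at whichever limit is reached first:
        # the sliding idle window or the fixed cap counted from login.
        return min(self.last_refresh + self.idle_timeout,
                   self.started_at + self.max_lifespan)

    def refresh(self, now: int):
        """Return the new refresh token's lifetime in seconds,
        or None when the session is over and a new login is required."""
        if now >= self.expires_at():
            return None
        self.last_refresh = now          # activity slides the idle window
        return self.expires_at() - now   # never extends past the max cap


def simulate(refresh_times, idle_timeout, max_lifespan):
    """Log in at t=0, then attempt a refresh at each given time."""
    session = SsoSession(idle_timeout, max_lifespan, 0, 0)
    return [(t, session.refresh(t)) for t in refresh_times]


if __name__ == "__main__":
    # Constructed schedule: an active user refreshing every 50 minutes,
    # with Idle = 60 minutes and Max = 10 hours.
    for t, ttl in simulate([m * M for m in range(50, 601, 50)], 60 * M, 10 * H):
        state = "login required" if ttl is None else f"valid for {ttl // M} min"
        print(f"t={t // M:3d} min: {state}")
    # Constructed schedule: a user who goes idle for 70 minutes.
    print(simulate([50 * M, 120 * M], 60 * M, 10 * H))
```

In this model the lifetime handed out at the 550-minute refresh is 50 minutes rather than 60, because the 10-hour cap is closer than the idle window, and the refresh at 600 minutes fails even though the user was never idle.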

@edwint88
Thanks for the reply!
Just to make sure I got it right:
if I set SSO Session Max to 10 hours, then even if the user is active for 10 hours (and I’m using the refresh token to generate a new access token), after 10 hours I can no longer refresh the access token and the user session is no longer active (and I will have to log him out so he can reconnect)?