Hi Viren,
I've not personally heard of an issue like this before; it seems pretty unusual.
1) Are there any scenarios in which the user (who is active) is logged out earlier than the max timeout?
>> Logged out vs having their remaining time reduced are different things. Logged out could happen if the session was logged out on another tab. Time remaining being reduced would be more if they moved to another realm with a shorter timeout. Or if they were idle longer than they realized.
2) Are there any scenarios that would cause the SM_TIMETOEXPIRE max timeout value to drop drastically?
>> I can only think of where the time had actually passed. Perhaps in another tab using the same session and it has synched with the older session.
3) Is it possible for a user to log in with the same credentials twice and be given two different session IDs? If so, does SiteMinder invalidate one of the sessions by drastically reducing the SM_TIMETOEXPIRE value on one of the sessions?
>> Yes, for example if you use two different browser types, there is no session sharing so they end up with unique values. If you use two tabs, since you have both login forms already loaded, on the initial login the serversessionid will be different. But as soon as you refresh the tabs, the serversessionid, serversessionspec, SMSESSION cookie, etc should synch up.
4) Any theories on what may be causing users to get prematurely logged out or to cause the SM_TIMETOEXPIRE value to drop drastically?
>> Very hard to tell without data. Maybe an old cookie is being replayed from cache, hence the sudden drop in time or it is even expired already causing the logout. Or as I said, there are different realm timeouts in play, but no EnforceRealmTimeouts set in ACO.
If this is a serious or widespread issue, you may want to consider opening a Support case to get assistance.
Thanks!
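
Added example (not part of the reply above, and not vendor code): one way to gather the data the reply asks for is to log the server session ID and SM_TIMETOEXPIRE on each request, then check whether each drop is explained by elapsed time or by a session change. It assumes SM_TIMETOEXPIRE is in seconds and counts down in real time; the log format, field names `sid`/`tte`, and all sample values are constructed.

```python
from datetime import datetime

# Constructed sample lines (not from a real system): request time, server
# session ID, and the SM_TIMETOEXPIRE value observed on that request.
SAMPLE_LOG = """\
2024-05-01T10:00:00 sid=AAA tte=7200
2024-05-01T10:05:00 sid=AAA tte=6900
2024-05-01T10:06:00 sid=AAA tte=1200
2024-05-01T10:07:00 sid=BBB tte=7200
2024-05-01T10:08:00 sid=BBB tte=7140
"""

def parse(log):
    """Turn 'timestamp sid=X tte=N' lines into (datetime, sid, tte) tuples."""
    rows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, sid, tte = line.split()
        rows.append((datetime.fromisoformat(ts),
                     sid.split("=", 1)[1],
                     int(tte.split("=", 1)[1])))
    return rows

def classify(rows, tolerance=5):
    """Compare consecutive requests; return (timestamp, verdict) pairs."""
    findings = []
    for (t0, sid0, tte0), (t1, sid1, tte1) in zip(rows, rows[1:]):
        elapsed = (t1 - t0).total_seconds()
        drop = tte0 - tte1
        if sid1 != sid0:
            verdict = "session_changed"    # a different session is now in use
        elif drop > elapsed + tolerance:
            verdict = "unexplained_drop"   # lost more time than actually passed
        else:
            verdict = "consistent"         # drop matches wall-clock time
        findings.append((t1.isoformat(), verdict))
    return findings

if __name__ == "__main__":
    for ts, verdict in classify(parse(SAMPLE_LOG)):
        print(ts, verdict)
```

An `unexplained_drop` on an unchanged session ID points toward the realm-timeout or replayed-cookie theories; a `session_changed` row points toward a second login or another tab's session taking over.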