Currently, all AWS SSO sessions last 8 hours (and that's irrespective of the upstream IdP session expiration). That is exactly what the `expiresAt` field is for; it's from the expiration returned with the by AWS SSO (well, AWS SSO returns it as `expiresIn` to be compliant with the OAuth spec). Permission set times matter because it's possible for those credentials to be captured by something that doesn't have access to the AWS SSO token. It's not necessarily particularly likely for it to happen that way, but for your highest-privilege permission sets it's a worthwhile extra protection. Additionally, it means your console sessions will expire more often, and while you can just log back in, the increased friction is useful to direct you back into longer-duration, more narrowly-scoped roles rather than using your admin permission set all day (say, a bit like why you should use `sudo` rather than `su`).