I've just tested this in a simple test project and using just those two settings, my sessions are removed just fine. It's not exactly 10 seconds, but usually 12-15. This is caused by the internal Mendix event that cleans up sessions not lining up exactly with the session timeout.
Wild guess: could it be that the SSO is responsible? Normally when a user is logged out of the system you are returning to the login page. But with a SSO functionality you immediately get redirected to the authentication server and thus logs you in again.
The whole point of SSO is that it authenticates you seamlessly using your Windows account, so I am interested to hear how you expect session timeouts to work in this situation. Say the system logs you out after 5 mins - surely the next keep-alive will trigger SSO to reconnect you automatically? I don't see how you can expect SSO to work in some situations, but not others.
If you really need to disconnect users from your application, I think you need to create your own mechanism - such as setting a date-time field linked to the account entity, and updating it to CurrentDateTime each time the user clicks a button (they all need to be microflow buttons) or opens a record, or uses a menu. Then have a scheduled event that searches for accounts where the last activity is more than 10 mins, and trigger a URLRedirect to a different web page away from your application. The session can then be removed in the normal manner.