NextAuth's signOut only clears your browser/client session, you still have to make an API call to your IAM backend's end-session-endpoint with the correct parameters.

When a page loads, start a timer (and restart it with user activity if necessary) and when the timer runs out, make the call to the end-session-endpoint. If that call is successful, next-auth will pickup the session state as 'unauthenticated' then you can (for example) router.push to your login page.