As per my understanding, there is no relation between wfresh and the lifetime element in the RST. The wfresh parameter can only ensure that the original authentication is not too long ago. If it is 5, it means that the IDP token must not have been issued more than 5 minutes ago. If it's 0, the browser user must re-authenticate himself. The wfresh value must be checked against the Created element in the cached IDP token. You should still be able to configure how long an IDP token is valid by default.
I proposed on the dev mailing list that some application-specific configuration is required. You should be able to configure the lifetime per application as well, but this is for the RP token, whereas wfresh relates to the IDP (authentication) token.
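
The wfresh check described in the comment above, sketched as an added example that is not part of the original comment or of any project's code. The sign-in URL, the `Lifetime` fragment and the function names are constructed for illustration; failing closed on a malformed or negative wfresh is an assumption.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit
import xml.etree.ElementTree as ET

WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Constructed sample: Lifetime fragment kept with the cached IDP token.
CACHED_LIFETIME = f"""<Lifetime xmlns:wsu="{WSU}">
  <wsu:Created>2024-05-01T10:00:00Z</wsu:Created>
  <wsu:Expires>2024-05-01T18:00:00Z</wsu:Expires>
</Lifetime>"""


def created_of(lifetime_xml):
    """Return the wsu:Created instant of the cached IDP token (aware, UTC)."""
    text = ET.fromstring(lifetime_xml).findtext(f"{{{WSU}}}Created")
    if text is None:
        raise ValueError("cached IDP token has no Created element")
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def must_reauthenticate(signin_url, lifetime_xml, now):
    """Apply wfresh (minutes) from a sign-in request to the cached IDP token."""
    query = parse_qs(urlsplit(signin_url).query, keep_blank_values=True)
    values = query.get("wfresh")
    if not values:
        return False  # no wfresh: only the IDP token's own validity applies
    try:
        minutes = int(values[0])
    except ValueError:
        return True  # assumption: a malformed wfresh fails closed
    if minutes <= 0:
        return True  # wfresh=0 forces re-authentication (negative: assumption)
    # Compared against Created, not against Expires or the RP token lifetime.
    return now - created_of(lifetime_xml) > timedelta(minutes=minutes)
```

The RP token lifetime does not appear anywhere in this check, which matches the separation the comment draws between the two tokens.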