The SAML2 Post Authentication Plugin (org.forgerock.openam.authentication.modules.saml2.SAML2PostAuthenticationPlugin) is an optional component which can be added to a chain which includes the SAML2 authentication module. It is responsible for configuring the session in such a way that it correctly responds to IdP-initiated single logout requests, and can additionally be configured to support SP-initiated single logout.
Supporting IdP-initiated single logout
By adding the SAML2 Post Authentication Plugin to your authentication chain, sessions which are logged in to your SP will be logged out when the IdP initiates logout (this may be a rather jarring experience for them, as they will simply be kicked out of the system upon the next action performed in the SP’s service). There is no additional configuration required, and supporting SP-initiated single logout is not required if not desired.
Supporting SP-initiated single logout
By setting the Single Logout Enabled boolean inside the authentication module’s configuration to true, a request to log out from the SP will attempt to log out the IdP’s logged in session also. Upon successful logout from the IdP, the user will be redirected to the value provided in the Single Logout URL field – this value must be a fully-qualified URL. You may not support SP-initiated single logout without supporting IdP-initiated single logout.