The SAML Post Authentication Plugin handles only active logout requests; it does not handle the session termination scenario.
- Configure an SP & IDP
- On the SP, configure the SAML2 Module
  - enable SLO
  - add an SLO URL
- Add the SAML2 module in a chain and add _org.forgerock.openam.authentication.modules.saml2.SAML2PostAuthenticationPlugin_ as a chain PAP
- Hit the newly created chain and perform SSO using the demo user
- Now, on a different browser, log in as admin in the SP and delete the demo user session
- Observe the IDP session is still active.
Session synchronization can be used instead, as it handles session timeouts, terminations and logout requests. However, the IDP should support SOAP SLO, because session synchronization uses the back-channel binding only.
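
One way to check the SOAP SLO precondition above before relying on session synchronization, added here as an example (not OpenAM code): it reads the IDP's SAML 2.0 metadata and reports whether a back-channel SingleLogoutService endpoint is published. The metadata documents and `idp.example.com` URLs are constructed samples, and the function names are hypothetical; the binding URIs are the standard SAML 2.0 ones.

```python
import xml.etree.ElementTree as ET  # use defusedxml for metadata from untrusted sources

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
BINDINGS = "urn:oasis:names:tc:SAML:2.0:bindings:"
SOAP_BINDING = BINDINGS + "SOAP"

def _idp_metadata(slo_lines):
    """Build a constructed IDP metadata document around the given SLO elements."""
    return (
        f'<EntityDescriptor xmlns="{MD_NS}" entityID="https://idp.example.com/openam">'
        '<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        + "".join(slo_lines) +
        "</IDPSSODescriptor></EntityDescriptor>"
    )

def _slo(binding, path):
    return (f'<SingleLogoutService Binding="{BINDINGS}{binding}" '
            f'Location="https://idp.example.com/slo/{path}"/>')

# Constructed samples: one IDP with SOAP SLO, one front-channel only, one without SLO.
IDP_WITH_SOAP = _idp_metadata([_slo("HTTP-Redirect", "redirect"), _slo("SOAP", "soap")])
IDP_FRONT_CHANNEL_ONLY = _idp_metadata([_slo("HTTP-Redirect", "redirect"),
                                        _slo("HTTP-POST", "post")])
IDP_NO_SLO = _idp_metadata([])

def slo_endpoints(metadata_xml):
    """Return (binding, location) pairs for every IDP SingleLogoutService."""
    root = ET.fromstring(metadata_xml)
    path = f".//{{{MD_NS}}}IDPSSODescriptor/{{{MD_NS}}}SingleLogoutService"
    return [(e.get("Binding"), e.get("Location")) for e in root.iterfind(path)]

def soap_slo_locations(metadata_xml):
    """Locations the SP could send a back-channel LogoutRequest to."""
    return [loc for b, loc in slo_endpoints(metadata_xml) if b == SOAP_BINDING]

def assess(metadata_xml):
    """Classify the IDP for session synchronization, which needs SOAP SLO."""
    endpoints = slo_endpoints(metadata_xml)
    if not endpoints:
        return "no-slo"              # IDP publishes no logout endpoint at all
    if soap_slo_locations(metadata_xml):
        return "back-channel-ok"     # terminations and timeouts can reach the IDP
    return "front-channel-only"      # logout needs the user's browser to be present

if __name__ == "__main__":
    for name, md in [("with SOAP", IDP_WITH_SOAP),
                     ("front-channel only", IDP_FRONT_CHANNEL_ONLY),
                     ("no SLO", IDP_NO_SLO)]:
        print(f"{name}: {assess(md)} {soap_slo_locations(md)}")
```

A `front-channel-only` result means an admin-deleted or timed-out SP session cannot be propagated to the IDP, which is the situation the steps above reproduce.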