I am using the new Seam Identify Management, the event is raised and my @Observer catches it. Try to let Seam do the authenticate (don't write your own authenticate method) ... see the documentation regarding this point, it doesn't say you can't, but it says you don't have to, and I found that my authenticate method didn't work anymore when I switched to the new Seam Identity Management.
As for the @Observer, there are no special requirements, it can be in any class.
For logout, I extended the IdentityManager class and overrode the logout action, because it raises the event after the user is logged out, which is correct but kind of useless because the User is not available anymore (for audit logging or whatever else you need to do). It would be nice to have a pre-logout event!
Hopen this helps,
Also, the User is stored in the Session by Seam, you don't have to do this yourself.