So I'm noticing now that my issue is a little more complicated.
My application is an HTML5 web app using Backbone, etc., and JAX-RS APIs on the server side. This is true of both the IDP and the SP. On the IDP side, the REST resource to do logins is not secured (since you're not logged in yet). Everything is passing in that, and near the end of the call I'm doing
Which is triggering my authentication handler. What's not happening is forwarding to the SP correctly after login. Do I need to allow it to do a full HTTP POST (rather than an AJAX call)?
So... after some thinking (and people reminding me on Twitter) I realized that in its current state I cannot use PicketLink to redirect to that URL. The #whatever does not get sent to the server, only the client. I ended up using a servlet filter to rewrite /app/e/2 to /app/index.html#view-e2 to work around this. It means that we cannot redirect automatically to #view-e2 if they bookmark it and log out, probably only a minor inconvenience.
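A filter of the kind described above, written as an added example rather than the poster's code. It assumes a Servlet 3.0 container and a purely numeric entry id; because a server-side forward never reaches the browser and so cannot carry a fragment, it answers with a redirect whose Location header holds the #view-e fragment, and it builds that header only from the constrained match so the redirect target is never taken from arbitrary request input.

```java
import java.io.IOException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (not from the thread): maps /app/e/<id> to
// /app/index.html#view-e<id>. A forward cannot carry a fragment, so the
// filter sends a 302 and places the fragment in the Location header.
@WebFilter("/app/e/*")
public class FragmentRewriteFilter implements Filter {
    // Only a digits-only id is accepted; anything else falls through to the
    // chain, so the redirect target can only ever be one of our own pages.
    private static final Pattern ENTRY = Pattern.compile("^/app/e/(\\d+)$");

    /** Returns the fragment URL for a bookmarkable entry path, or null. */
    public static String rewrite(String path) {
        Matcher m = ENTRY.matcher(path);
        return m.matches() ? "/app/index.html#view-e" + m.group(1) : null;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Path below the context root, e.g. "/app/e/2" (assumed layout)
        String path = request.getRequestURI().substring(request.getContextPath().length());
        String target = rewrite(path);
        if (target == null) {
            chain.doFilter(req, res); // not an entry URL; leave the request alone
            return;
        }
        // Prefix the context path so the redirect stays on this application.
        response.sendRedirect(request.getContextPath() + target);
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```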