...
So the general rule is that the cas.target.url and the IdP initiated "Unsolicited" URL host names and protocols have to match.
SP Initiated
At one point I thought that it would be possible to run an SP Initiated test case to a Sandbox Shibboleth running on the local desktop or through an SSH tunnel to a VM in the machine room.
However, the only proven solution is to install code on the Pre-Production Shibboleth VM and then put an entry in the hosts file to point the "auth.yale.edu" name to the IP address of the Pre-Production VIP on the F5.
The rest of this section will describe the problem with all other mechanisms.
The IdP Initiated test was simplified because the code that handles the "Unsolicited/SSO" URL does not do any checks on the network address. Technically, the "Unsolicited/SSO" is a Shibboleth programming convention and not part of the SAML standard, so checks are not required.
...