...
The Shibboleth URL
If the user goes to the application first, the application generates a SAML (XML) Request identifying itself (its organization and providerId) and asking Shibboleth to authenticate the user and send the data, and then sends the browser to Shibboleth carrying that Request. In that case the application needs to know the Shibboleth URL to which the Request form will be POST-ed. This is the URL of the Shibboleth function that handles a posted request:
https://auth.yale.edu/idp/profile/SAML2/POST/SSO
If the application does not send a Request and will accept an unsolicited SAML Response from Shibboleth, then the application does not need to be configured with any Shibboleth URL. Instead, a Shibboleth URL can be turned into a hyperlink in a Yale Web page. For example, the Yale Portal menu item that points to Hewitt ("My Benefits") is a hyperlink directly to Shibboleth that supplies the Hewitt login URL as the "target" parameter and the Hewitt SAML providerId as another parameter.

There is an alternate mechanism in the SAML standard (the HTTP-Redirect binding) in which the application redirects the browser to Shibboleth with the Request compressed and encoded as a parameter on a GET request. Because browsers, proxies and servers impose practical limits on the length of a URL, a large Request can be truncated or rejected; this makes the technique risky, and the POST binding is universally preferred.
In other words, the application does not have to send a Request at all. Shibboleth will generate one if you give it just the "providerId" (the name of the application as it was configured to Shibboleth) and the URL of the application's logon page. For example, the Yale Portal contains a link to the MyBenefits function provided by partner Hewitt. Shibboleth generates a dummy Request from the parameters in the link, so the first time the user actually arrives at the Hewitt server the browser already carries the Shibboleth-generated SAML Response with the data needed to log on to Hewitt. The Portal link looks like this:
https://auth.yale.edu/idp/profile/SAML2/Unsolicited/SSO?providerId=hewitt.com:saml2.0&target=https%3A%2F%2Fsso.hewitt.com%2Fytr
A component of Shibboleth listens at the /profile/SAML2/Unsolicited/SSO URL. When it receives an HTTP GET of this form it generates a dummy SAML Request from the two parameters and then transfers to the normal request processing. Replace the providerId= and target= values with the ones appropriate for your application; note that the target URL must itself be URL-encoded, as in the example.
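The following is an added example, not Yale's code or part of the original page. It builds, with only the Python standard library, the three kinds of browser request described above: an AuthnRequest delivered by the HTTP-POST binding to the /profile/SAML2/POST/SSO endpoint, the same request delivered by the HTTP-Redirect binding (to show how the request is squeezed into a GET URL), and the request-free Unsolicited SSO hyperlink. The two auth.yale.edu endpoints quoted on the page are used as-is; the Redirect endpoint path, the application entityID and the AssertionConsumerService URL are assumptions for illustration.

```python
"""Added example (not Yale's code): three ways a browser reaches the
Shibboleth IdP SSO endpoints, using only the standard library.  The POST and
Unsolicited URLs are the ones on the page; the Redirect path, the application
entityID and the ACS URL below are assumptions for illustration."""
import base64
import datetime
import html
import secrets
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlencode, urlsplit

SSO_POST_URL = "https://auth.yale.edu/idp/profile/SAML2/POST/SSO"
SSO_UNSOLICITED_URL = "https://auth.yale.edu/idp/profile/SAML2/Unsolicited/SSO"
SSO_REDIRECT_URL = "https://auth.yale.edu/idp/profile/SAML2/Redirect/SSO"  # assumed path

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def build_authn_request(issuer, acs_url, destination=SSO_POST_URL,
                        request_id=None, issue_instant=None):
    """Minimal SAML 2.0 AuthnRequest as UTF-8 bytes.  'issuer' is the
    application's entityID (the providerId Shibboleth knows it by)."""
    # XML IDs must not start with a digit, hence the leading underscore.
    request_id = request_id or "_" + secrets.token_hex(16)
    issue_instant = issue_instant or datetime.datetime.now(
        datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": destination,
        "ProtocolBinding": POST_BINDING,
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    return ET.tostring(root, encoding="utf-8")


def parse_authn_request(authn_request):
    """Attributes and Issuer of an AuthnRequest (what the IdP reads first)."""
    root = ET.fromstring(authn_request)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    issuer = root.find(f"{{{SAML}}}Issuer")
    return {**root.attrib, "Issuer": None if issuer is None else issuer.text}


def post_binding_fields(authn_request, relay_state=None):
    """HTTP-POST binding: the XML goes base64-encoded, uncompressed, into a
    SAMLRequest form field; RelayState comes back to the application unchanged."""
    fields = {"SAMLRequest": base64.b64encode(authn_request).decode("ascii")}
    if relay_state is not None:
        fields["RelayState"] = relay_state
    return fields


def post_binding_form(fields, destination=SSO_POST_URL):
    """Self-submitting HTML form the application returns to the browser.
    Values are HTML-escaped so an attacker-chosen RelayState cannot inject markup."""
    inputs = "".join(
        f'<input type="hidden" name="{html.escape(k)}" value="{html.escape(v)}"/>'
        for k, v in fields.items())
    return (f'<form method="post" action="{html.escape(destination)}">{inputs}'
            '<noscript><input type="submit" value="Continue"/></noscript></form>'
            '<script>document.forms[0].submit();</script>')


def redirect_binding_url(authn_request, relay_state=None,
                         destination=SSO_REDIRECT_URL):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encoding,
    all carried in the query string of a GET, so the whole request must fit in a URL."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    deflated = comp.compress(authn_request) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return f"{destination}?{urlencode(params)}"


def decode_redirect_binding_url(url):
    """Inverse of redirect_binding_url, i.e. what the IdP does on receipt."""
    query = parse_qs(urlsplit(url).query)
    return zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15)


def unsolicited_sso_url(provider_id, target, base=SSO_UNSOLICITED_URL):
    """Portal-style hyperlink: no AuthnRequest at all; the IdP fabricates one
    from providerId and target.  The target is itself a URL, so its scheme and
    slashes must be percent-encoded or the query string becomes ambiguous."""
    return (f"{base}?providerId={quote(provider_id, safe=':')}"
            f"&target={quote(target, safe='')}")


if __name__ == "__main__":
    # Assumed entityID and ACS URL for a hypothetical Yale application.
    req = build_authn_request("https://app.example.edu/shibboleth",
                              "https://app.example.edu/Shibboleth.sso/SAML2/POST")
    print(post_binding_form(post_binding_fields(req, relay_state="/home")))
    url = redirect_binding_url(req)
    print(len(url), "characters:", url)
    print(unsolicited_sso_url("hewitt.com:saml2.0", "https://sso.hewitt.com/ytr"))
```

Running the script prints the auto-submitting POST form, the Redirect-binding URL with its length (the entire Request lives in that query string, which is why the page warns about URL size), and the Unsolicited SSO link, which reproduces the Portal link shown above exactly.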
The Yale Certificate
The SAML generated by Shibboleth is digitally signed with a private key that only Shibboleth knows. The Relying Party (application) has to be configured with the X.509 Certificate containing the matching public key, which it uses to validate the signature on the SAML message and so ensure that it was really sent by Yale and has not been altered. SAML trust is by key rather than by certificate authority: configure the exact Yale certificate (or its public key) and do not accept a certificate merely because some CA issued it. There are separate Certificates for dev, test, and prod, and the application must be configured with the one matching the Shibboleth environment it talks to:
...