...
Only one program can use port 8080 on your computer at a time. When you test Shibboleth on your local Sandbox, it also uses 8080. Using the same local port number for both the Sandbox and the SSH tunnel will generate an error message if you accidentally run both at the same time. SSH will report that it cannot create the tunnel if you have forgotten to shut down the Sandbox Tomcat, and Tomcat will report that it cannot bind to the port if you forget to shut down SSH before starting the Sandbox. This is a feature, because you really don't want to spend hours trying to figure out what is wrong only to discover that you are debugging the wrong Shibboleth server.
Configure Redirector
...
Browser Point of View
The Browser tries to follow a URL to "https://auth.yale.edu/idp". DNS resolves this address to a Virtual IP address on the F5 front-end. The F5 presents the SSL Certificate identifying itself as "auth.yale.edu", decrypts the data, and forwards it to the VM. Shibboleth is actually running on some host named "example.its.yale.internal" in a part of the network that only the F5 (and SSH through the VPN) can access.
Shibboleth has to Redirect the Browser. This may happen several times where Shibboleth Redirects the Browser to a different one of its own URLs, but it also happens when Shibboleth redirects the Browser to CAS and supplies a URL used by CAS to return the Browser to Shibboleth. In all these cases, Shibboleth has to somehow generate the original "https://auth.yale.edu/idp" URL because the browser cannot talk to the VM directly. The problem is that the F5 acts as auth.yale.edu and Shibboleth is running on a machine with a different name. There are two ways a Shibboleth component can know about the "auth.yale.edu" name. It can be configured with that name in a property file used during the Jenkins Install of Shibboleth onto the VM. Alternatively, it can receive that name in the HTTP "Host: https://auth.yale.edu" header generated originally by the Browser and then optionally modified by the F5.
During testing you may do everything on your desktop, or you may bypass the F5 and go directly to the VM over the SSH tunnel. Either way you have to be aware of the hostname configured as a property of the Shibboleth instance you are talking to, and you have to consider what Host header the Browser is going to generate and whether it will be modified before it gets to Shibboleth. Otherwise, you get halfway through the test and suddenly the Browser gets redirected to an unexpected network address that is not your Shibboleth test machine.
Configure Redirector
Redirector runs inside your Browser. Every time the Browser is about to go to a network URL, Redirector inspects it. If the destination URL matches a pattern, Redirector replaces the string with a different string. This is essentially the same as the Find and Replace function of every text editor. You can match text with either a Wildcard or a Regular Expression. Wildcard is simpler and is perfectly adequate for Shibboleth testing.
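The wildcard find-and-replace described above, as an added example that is not Redirector's own code: a simplified JavaScript model of a single rule. It assumes the test target is the SSH tunnel or Sandbox on http://localhost:8080 and that "$1" in the target stands for the text matched by the wildcard; the sample URLs, including the cas.example.test host, are constructed.

```javascript
// Simplified model of one wildcard rewrite rule (added example, not the extension's code).
// Assumptions: test target is http://localhost:8080, "$1" carries the wildcard match.

// Escape regex metacharacters in the literal parts, then turn each "*" into a capture group.
function wildcardToRegExp(pattern) {
  const escaped = pattern
    .split("*")
    .map((part) => part.replace(/[.+?^${}()|[\]\\]/g, "\\$&"))
    .join("(.*)");
  // Anchor both ends: the pattern has to describe the whole destination URL,
  // so a URL that merely contains the IdP address somewhere inside is left alone.
  return new RegExp("^" + escaped + "$");
}

// Return the rewritten URL, or the original URL unchanged when the rule does not match.
function applyRule(rule, url) {
  const m = wildcardToRegExp(rule.include).exec(url);
  if (!m) return url;
  // $1, $2, ... in the target are replaced by what each "*" matched.
  return rule.redirectTo.replace(/\$(\d)/g, (_, n) => m[Number(n)] ?? "");
}

// Hypothetical rule: send production IdP URLs to the local tunnel or Sandbox.
const rule = {
  include: "https://auth.yale.edu/idp*",
  redirectTo: "http://localhost:8080/idp$1",
};

// Constructed sample destinations the Browser might be sent to during a test.
const samples = [
  // A Shibboleth URL: rewritten to the local port.
  "https://auth.yale.edu/idp/profile/SAML2/Redirect/SSO?x=1",
  // A CAS login URL that carries the IdP return URL as a parameter: not rewritten,
  // because the destination itself is CAS. The rule fires later, when CAS sends
  // the Browser back to the auth.yale.edu URL.
  "https://cas.example.test/cas/login?service=https://auth.yale.edu/idp/Authn/External",
  // Same host, different application: not rewritten.
  "https://auth.yale.edu/other",
];

for (const url of samples) {
  const out = applyRule(rule, url);
  console.log(out === url ? "unchanged" : "rewritten", url, "->", out);
}
```

Any URL reported as "unchanged" still goes to its real network address, which is the case to watch for when a test suddenly lands on a server other than the one you meant to debug.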
...