>The way I believe GLUU works (and this may be an incorrect assumption), when you go to a site that we integrated SSO and GLUU with, GLUU will have a Web page to sign on and once authenticated, will forward the user to the site they were navigating to. Is that correct?
Seems like a correct description. In a more detailed view, it would be like this:
1. User accesses some resource where he doesn't have a session yet
2. Resource redirects his browser to one of Shibboleth IdP's endpoints responsible for SSO (Shibboleth is a component of Gluu framework responsible for SAML flows). You can view those endpoints in its metadata at [https://sso.gatewayticketing.com/idp/shibboleth](https://sso.gatewayticketing.com/idp/shibboleth)
3. If user doesn't yet have a session at Shibboleth also, it will redirect him to oxAuth (a core Gluu's component responsible for authentication) and he will be presented with oxAuth's login page. Things may develop differently from here, depending of what authentication method is configured. In the simplest case it will be LDAP bind against internal LDAP directory, or some backend directory (like, your AD servers)
4. After successful authentication a session for this user is created at oxAuth (so normally this user won't be asked to login again for some time) and user is redirected back to Shibboleth, where another session is created automatically (each component has its own sessions, you can say they all "spawn" their session from oxAuth's session).
5. Shibboleth redirects user's browser back to SP with SAML response, and SP makes decision whether to allow this user to access the initial resource.