URLs prefixed with /sfShibbolethAuth must be protected by Shibboleth in order to take advantage of this plugin correctly in a production environment.

In a development environment that is NOT on a production server, you can set the app_sfShibboleth_fake option to true via settings.yml, allowing this plugin to present you with a choice of test accounts. Never do so on a production server.