Supporting back-channel connections to your IdP usually over TCP port 8443, from SAML service providers is no longer recommended.

Service providers that implemented the older SAML v1.0 and V1.1 standards required IdPs to provide a back-channel connection for the retrieval of user attributes. These older versions of the SAML protocol have been superseded with the SAML v.2.0 standard.

We believe there no longer exists any service providers of significance that only support SAML 1.0 or 1.1. If they do exist, they present a security risk the Identity providers they use as the software they are running is well and truly end-of-life.

To remove the potential risk from these older service providers and reduce the potential attack vector of your IdP, the AAF recommends that all IdP’s turn off access to your IdP via port 8443.

Instructions for turning off this access are included on our support pages - Actions for AAF IdP administrators.