A Shibboleth Identity Provider (IdP) server requires port 443 and optionally port 80 to operate correctly.

80http - clear text. This is optional and if open should automatically redirect the user to port 443, https.
443https - secure http. The user interacts with the IdP user interface over a secure channel. Usernames and Passwords will be send from the users browser to the IdP, they must be sent securely.
8443Secure back channel port in use by SAML v1.0/1.1 service providers to communicate to Identity providers for the exchange of user attributes. This is a secure and encrypted channel.

Restrict access, to perform server management functions, to specific IP addresses, address ranges or VPN access with user tracking. 

Recommendation: The AAF recommends that only the ports required for the IdP to operate correctly (80 and 443) should be open to the world. Support for back-channel connections to the IdP over TCP port 8443, from SAML service providers is no longer recommended.

Service providers that implement the older SAML v1.0 and V1.1 standards require IdPs to provide a back-channel connection for the retrieval of user attributes. The SAML v2.0 standard supersedes the older versions of the SAML protocol.