Open Ports

Question: Does the server your IdP is running on only have the minimal required network ports open?

A Shibboleth IdP server only requires port 443 and, optionally, port 80 to operate correctly.

80 (http) - clear text. This port is optional; if it is open, it should do nothing except automatically redirect the user to port 443 (https).
443 (https) - secure http. The user interacts with the IdP user interface over a TLS-protected channel. Usernames and passwords are sent from the user's browser to the IdP, so they must only ever be sent over this channel.
8443 - back channel, historically used by service providers to contact the IdP directly for the exchange of user attributes. This is also an encrypted channel, but see the note on back-channel connections below.

Access over other protocols, for example those used for server management, should be restricted to specific IP addresses or IP ranges, or preferably placed behind a VPN server where you can track who is attempting to access the server.

Recommendation: The AAF recommends that only the ports required for the IdP to operate correctly (80 and 443) be open to the world.

Supporting back-channel connections to your IdP from SAML service providers, usually over TCP port 8443, is no longer recommended.

Service providers that implemented the older SAML v1.0 and v1.1 standards required IdPs to provide a back-channel connection for the retrieval of user attributes. These older versions of the SAML protocol have been superseded by SAML v2.0, in which attributes are normally delivered inside the assertion sent through the user's browser, so a direct SP-to-IdP connection is no longer needed.
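A quick way to answer the question above on the IdP host itself is to compare what is actually listening against the recommended allow-list of 80 and 443, treating anything bound to a non-loopback address on another port (including the back-channel port 8443 discussed above) as a finding. The script below is an added example written for this page, not AAF or Shibboleth project code; it reads the output format of `ss -tlnH` (Linux, numeric TCP listeners, no header) and the sample socket table embedded in it is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the AAF checklist): audit an IdP host's listening
# TCP sockets against the allow-list of ports that should face the world.

ALLOWED_PORTS="80 443"   # the only ports the recommendation leaves open to the world

# Constructed sample of `ss -tlnH` output. On a live host replace it with: ss -tlnH
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 *:443 *:*
LISTEN 0 128 *:8443 *:*
LISTEN 0 128 127.0.0.1:8005 0.0.0.0:*'

# listening_ports: read `ss -tlnH` text on stdin and print "port local-address"
# per socket. The local address is column 4; the port is whatever follows the
# last ':' (handles 0.0.0.0:443, *:443 and [::]:443 alike).
listening_ports() {
    awk '{ n = split($4, a, ":"); print a[n], $4 }'
}

# unexpected_ports: print every port that is bound to a non-loopback address
# and is not in ALLOWED_PORTS, one per line.
# Usage: unexpected_ports "<output of ss -tlnH>"
unexpected_ports() {
    printf '%s\n' "$1" | listening_ports | while read -r port addr; do
        case "$addr" in
            127.*|"[::1]:"*) continue ;;   # loopback-only (e.g. a local Tomcat control port) is fine
        esac
        for ok in $ALLOWED_PORTS; do
            [ "$port" = "$ok" ] && continue 2   # allowed: skip to the next socket
        done
        echo "$port"
    done
}

# audit_ports: return 0 when nothing unexpected is listening, 1 otherwise,
# so the check can run from cron or a CI job.
audit_ports() {
    bad="$(unexpected_ports "$1")"
    if [ -n "$bad" ]; then
        echo "Unexpected externally bound ports: $(echo "$bad" | tr '\n' ' ')" >&2
        return 1
    fi
    echo "Only allowed ports (${ALLOWED_PORTS}) are listening externally"
    return 0
}

# Demonstration against the constructed sample; on a live host use "$(ss -tlnH)".
printf 'Unexpected externally reachable ports: %s\n' \
    "$(unexpected_ports "$SAMPLE_SS" | tr '\n' ' ')"
```

Against the sample the script reports 22 and 8443: SSH should be reachable only from management ranges or via the VPN described above, and 8443 is the legacy back channel. Note that this is the view from the host; a listening socket that the perimeter firewall already blocks is still worth closing, and the reverse is true too, so pair this with a scan from outside the network.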