Question: Does the server your IdP is running on only have the minimal required network ports open?
A Shibboleth IdP server only requires ports 443, 8443 and optionally port 80 to operate correctly.
| Port | Purpose |
|---|---|
| 80 | HTTP, clear text. Optional; if it is open, its only job should be to redirect the user to port 443 (HTTPS). |
| 443 | HTTPS. The user interacts with the IdP user interface over this channel. Usernames and passwords are sent from the user's browser to the IdP, so they must travel over an encrypted connection. |
| 8443 | Secure back channel used by service providers to communicate with the identity provider for the exchange of user attributes. This is an encrypted channel. |
Access over any other protocol, such as the one used for server management (for example SSH), should be restricted to specific IP addresses or IP ranges, or preferably placed behind a VPN server where you can track who is attempting to reach the server.
Recommendation: The AAF recommends that only the ports required for the IdP to operate correctly (80, 443 and 8443) should be open to the world.
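A quick way to check the recommendation on a Linux IdP host is to list the TCP sockets that are listening on a non-loopback address and compare them with the allow-list of 80, 443 and 8443. The script below is an added example, not part of the AAF checklist or the Shibboleth project. It assumes the iproute2 `ss` tool (`ss -Hltn`, one socket per line, columns State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port); the listener lines embedded in `SAMPLE_LISTENERS` are constructed so the script runs offline. It reports what the host is listening on, not what a host or network firewall actually lets through, so pair it with an external port scan from outside your network.

```shell
#!/bin/sh
# Added example (not from the AAF page or the Shibboleth project): audit the listening
# TCP sockets of an IdP host against the allow-list of world-facing ports 80, 443, 8443.
ALLOWED_PORTS="80 443 8443"

# Constructed sample of `ss -Hltn` output so the script runs without a real host.
# Columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_LISTENERS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8443 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8005 0.0.0.0:*
LISTEN 0 128 [::]:5432 [::]:*'

# is_allowed PORT -> exit 0 if PORT is one of the allow-listed ports, 1 otherwise
is_allowed() {
    for p in $ALLOWED_PORTS; do
        [ "$1" = "$p" ] && return 0
    done
    return 1
}

# Reads ss-style lines on stdin and prints the port of every LISTEN socket that is
# bound to a non-loopback address and is not in the allow-list, one port per line.
unexpected_ports() {
    while read -r state recvq sendq local peer; do
        [ "$state" = "LISTEN" ] || continue
        port=${local##*:}      # text after the last ':' is the port (also for [::]:5432)
        addr=${local%:*}       # everything before it is the bound address
        case "$addr" in
            127.*|'[::1]') continue ;;   # loopback-only listeners are not reachable from the network
        esac
        is_allowed "$port" || echo "$port"
    done
}

# audit_sample -> the unexpected ports found in the constructed sample (22 and 5432)
audit_sample() {
    printf '%s\n' "$SAMPLE_LISTENERS" | unexpected_ports
}

# On a live IdP host run the check against real data instead of the sample:
#   ss -Hltn | unexpected_ports
# Any port it prints is either a management service that belongs behind a VPN or
# IP allow-list, or something that should not be listening at all.
```

In the sample, port 22 (management) and port 5432 (bound on all IPv6 addresses) are flagged, while 8005 is ignored because it is bound to 127.0.0.1 only; in practice, treat each flagged port as either a service to move behind the VPN or IP restriction described above, or one to stop altogether.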