Open Ports


Question: Does the server your IdP is running on have only the minimum required network ports open?


A Shibboleth IdP server only requires ports 443, 8443 and optionally port 80 to operate correctly.

Port   Description
80     http - clear text. This port is optional; if open, it should automatically redirect the user to port 443 (https).
443    https - secure http. The user interacts with the IdP user interface over a secure channel. Usernames and passwords are sent from the user's browser to the IdP, so they must be sent securely.
8443   Secure back-channel port used by service providers to communicate with identity providers for the exchange of user attributes. This is a secure and encrypted channel.


Access via other protocols required to perform, for example, server management functions should be restricted to specific IP addresses or IP ranges, or preferably protected by a VPN server where you can track who is attempting to access the server.


Recommendation: The AAF recommends that only the ports required for the IdP to operate correctly (80, 443 and 8443) should be open to the world.
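The check below is an added example, not part of the AAF checklist or the Shibboleth project: it audits the host's listening TCP sockets against the 80/443/8443 allowlist described above, skipping loopback-only listeners (such as a Tomcat port behind a local reverse proxy) that are not reachable from the network, and reports anything else so it can be firewall-restricted or shut down. It assumes `ss` from iproute2 is available; the sample input is constructed.

```shell
#!/bin/sh
# Audit listening TCP sockets against the IdP port allowlist (80, 443, 8443).
# Input: lines in the format of `ss -ltn` output with the header removed
# (State Recv-Q Send-Q Local:Port Peer:Port). Listeners bound only to
# loopback are not reachable from the network and are skipped; any other
# listener on a port outside the allowlist is reported.

ALLOWED_PORTS="80 443 8443"

# audit_ports reads ss-style lines on stdin and prints each network-reachable
# listener whose port is not in ALLOWED_PORTS. Returns 0 if none, 1 otherwise.
audit_ports() {
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        addr=$(printf '%s\n' "$line" | awk '{print $4}')   # e.g. 0.0.0.0:443 or [::]:8443
        port=${addr##*:}
        host=${addr%:*}
        case "$host" in
            127.*|'[::1]') continue ;;   # loopback-only: not exposed to the world
        esac
        case " $ALLOWED_PORTS " in
            *" $port "*) ;;
            *) printf 'port %s is listening on %s and is not in the allowlist\n' "$port" "$host"
               rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample (not captured from a real host), in headerless `ss -ltn` format.
SAMPLE='LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 *:443 *:*
LISTEN 0 128 [::]:8443 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8080 0.0.0.0:*'

# Number of findings for the sample: 1 (port 22 reachable from any address;
# the loopback-only 8080 listener is skipped).
count_sample_findings() {
    printf '%s\n' "$SAMPLE" | audit_ports | wc -l | tr -d ' '
}

# On the IdP host itself:  ss -ltnH | audit_ports
```

A finding does not mean the port is open to the world, only that it is listening on a network-reachable address; confirm that the host or perimeter firewall limits it to the admin IP ranges or VPN described above.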