Firewall rules

  • The Shibboleth IdP software requires TCP port 443 to be open to incoming traffic from all sources at the firewall (assuming use of the recommended standard HTTPS port).
  • The IdP software requires outbound access to TCP port 80 (HTTP) for access to the UK federation metadata.
  • The IdP software requires access to an authentication source, which is usually LDAP or Active Directory. If authenticating using LDAP or Active Directory, it will probably require one or more of the following (you can open all of them while configuring and testing, then close all that are not needed):
    • TCP port 389 for LDAP (plaintext and/or startTLS)
    • TCP port 636 for LDAPS (SSL/TLS)
    • TCP port 3268 for LDAP Domain Controller Global Catalogue (plaintext and/or startTLS)
    • TCP port 3269 for LDAPS Domain Controller Global Catalogue (SSL/TLS)

If you need to support the deprecated SAML 1 protocol then you will also need to have TCP port 8443 open to incoming traffic from all sources in order to support the attribute query back channel.
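As an added example (not from the UK federation documentation), the rules above rendered as an nftables ruleset by a small shell function: the directory server addresses, the LDAP port selection and the SAML 1 switch are caller-supplied placeholders, and only the ports listed on this page are covered.

```shell
#!/bin/sh
# Added example (not from the UK federation documentation): print an nftables
# ruleset that allows only the ports listed above on a Shibboleth IdP host.
# Assumptions: directory server addresses, the LDAP port choice and the SAML 1
# decision are passed in by the caller (placeholders below); DNS, NTP and
# management access are outside this example.

# usage: idp_ruleset <saml1: yes|no> "<ldap ports>" <directory server ip>...
# e.g.   idp_ruleset no "636, 3269" 10.0.0.10 10.0.0.11   (placeholder addresses)
idp_ruleset() {
  saml1="$1"; ldap_ports="$2"; shift 2
  [ "$#" -gt 0 ] || { echo "at least one directory server address required" >&2; return 1; }
  # Build an nftables set literal such as "10.0.0.10, 10.0.0.11".
  ldap_set=$(printf '%s, ' "$@" | sed 's/, $//')
  cat <<EOF
table inet idp {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    tcp dport 443 accept comment "HTTPS: SAML front channel, open to all sources"
EOF
  if [ "$saml1" = yes ]; then
    # Only needed for the deprecated SAML 1 attribute query back channel.
    echo '    tcp dport 8443 accept comment "SAML 1 back channel, open to all sources"'
  fi
  cat <<EOF
  }
  chain output {
    type filter hook output priority 0; policy drop;
    oif lo accept
    ct state established,related accept
    tcp dport 80 accept comment "HTTP: UK federation metadata download"
    ip daddr { $ldap_set } tcp dport { $ldap_ports } accept comment "LDAP/LDAPS to directory servers only"
  }
}
EOF
}
```

Once testing has shown which directory ports are actually used, pass only those (for example "636, 3269" for LDAPS against a Global Catalogue) so the remaining ones are closed, as the list above recommends.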