oxAuth (OAuth) / Shibboleth (SAML) are, by definition, Internet facing. oxTrust (admin UI) should not be Internet facing. And of course, LDAP should not be Internet facing (it listens on localhost by default in the Gluu Server).
Some customers do use a proxy layer in front of Gluu as an additional layer of security, but it's not necessary. You can either continue to use the Apache HTTPD server or proxy directly to Jetty.
But in general, I don't think it's problematic from a security perspective to have oxAuth/Shibboleth be Internet facing. The worst that can happen is that there is an SSL bug which exposes the SSL keys. But this can happen with any TLS web server. The Apache server itself does not have access to the JVM, so your private keys for federation are protected.
Net-net, I would say keep it simple. More complexity frequently leads to less security anyway.