By default the idp status page should not be accessible by other IP addresses than localhost. This is clearly stated here in the original Shibboleth documentation, at least for version 2: [idpStatus](https://wiki.shibboleth.net/confluence/display/SHIB2/IdPStatus). The new config mechanisms for v3 are explained [here](https://wiki.shibboleth.net/confluence/display/IDP30/AdministrativeConfiguration). The settings in Gluu are still set to default, which should, as far as I understand, block access by anything than localhost: ``` /opt/shibboleth-idp/conf/access-control.xml: <entry key="AccessByIPAddress"> <bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl" p:allowedRanges="#{ {'127.0.0.1/32', '::1/128'} }" /> </entry> ``` and ``` /opt/shibboleth-idp/conf/admin/general-admin.xml: <util:list id="shibboleth.AvailableAdminFlows"> <!-- Status Page --> <bean parent="shibboleth.AdminFlow" c:id="http://shibboleth.net/ns/profiles/status" p:loggingId="%{idp.service.logging.status:Status}" p:policyName="%{idp.status.accessPolicy:AccessByIPAddress}" /> ``` **However, it seems /idp/status is allways accessible by browser**, regardless of the ip adresses listed. I could not find any documentation or comment in the source / config files why the configured settings are ignored. I have been searching for hours now. I suspect the status page was made open in Gluu by default to make debugging easier. But it should be documented how exactly this is done by Gluu. And the config files should be commented to inform the user that changes made there will have no effect.