Forum Discussion

Michel_Lepage_S
Aug 14, 2018

Exposing SAML IdP Virtual Server on the internet

Hello everyone,

I have configured a Virtual Server for SAML.

F5 version 13.1 is used as the IdP. All is working great.

The security team decided to make the VS accessible only from inside our private network or through a VPN tunnel. To make it work for mobile devices with mobile apps, we have to use a Per-App VPN or On-Demand VPN with the F5 Access app.

To simplify things for mobile devices using mobile apps, we are thinking of exposing the VS (through a firewall, of course) to give access to users from the net. They would not need to connect with F5 Access.

Has anyone evaluated the risk of exposing a SAML IdP on the internet? Are there any vulnerabilities?

The exported IdP metadata sent to the SP is signed. The SAML configuration forces the signing of the SAML response sent to the SP.

I guess many companies do it.

Thank you

Mike

 
