You've got your simpleSAMLphp working as an IdP or SP. Great! But you are going to exchange sensitive information, so spend a few moments to make your setup truly secure.

simpleSAMLphp installation

Make sure you've downloaded a recent version (or use the one from your distribution's repository) so that no known security issues remain. Also ensure that you expose only the www/ folder to the web server. This is the case if you've used the Alias approach from the simpleSAMLphp manual. In any case you must never expose the certs/ directory.

Consider subscribing to the announcements list to be notified of new releases, which may fix security issues.

HTTPS

Because user passwords (in the IdP case) or sensitive session and user information (in the SP case) are exchanged, you must run your service over HTTPS. It's nowadays best to simply not serve any content over plain HTTP at all, and make http nothing more than a redirect to https. This blog post provides a good start for a solid SSL configuration, which you can verify with the SSLlabs SSL test.
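The two checks above (only www/ is reachable, and plain HTTP is nothing but a redirect) are easy to verify from the outside. The script below is an added example, not code from the simpleSAMLphp project or from SURFconext; the hostname sso.example.org, the /simplesaml alias, the SSP_URL variable and the function names are placeholders chosen here, so point SSP_URL at your own installation before running it.

```shell
#!/bin/sh
# Added check script, not code from the simpleSAMLphp project. It assumes the
# installation is published under https://sso.example.org/simplesaml/ ; the
# hostname and alias are placeholders, so set SSP_URL to your own value.
SSP_URL="${SSP_URL:-sso.example.org/simplesaml}"

# Return only the HTTP status code of a request. Redirects are not followed,
# so a plain-HTTP request shows whether the redirect to https is in place.
http_status() {
    curl -s --max-time 10 -o /dev/null -w '%{http_code}' "$1"
}

# A plain-HTTP request must be answered with a redirect, never with content.
is_redirect() {
    case "$1" in 301|302|307|308) return 0 ;; *) return 1 ;; esac
}

# Files outside www/ must not be served: anything but 403/404 is a finding.
is_not_served() {
    case "$1" in 403|404) return 0 ;; *) return 1 ;; esac
}

# Run all checks; return 0 only if every check passed.
run_checks() {
    rc=0
    code=$(http_status "http://$SSP_URL/")
    if is_redirect "$code"; then
        echo "OK   http://$SSP_URL/ redirects ($code)"
    else
        echo "FAIL http://$SSP_URL/ answered $code, expected a redirect to https"; rc=1
    fi
    # These paths exist only outside www/; with a correct Alias they must 404.
    # Add the paths of your own layout if the checkout sits elsewhere under
    # the document root.
    for path in certs/ config/config.php metadata/; do
        code=$(http_status "https://$SSP_URL/$path")
        if is_not_served "$code"; then
            echo "OK   $path not served ($code)"
        else
            echo "FAIL $path answered $code; only www/ may be exposed"; rc=1
        fi
    done
    return $rc
}

# Only touch the network when invoked as:  sh check_exposure.sh run
# so the functions can also be sourced and reused.
case "${1:-}" in run) run_checks ;; esac
```

A 200 on certs/ or config/config.php means the whole checkout, not just www/, is under the document root; a 200 on the plain-HTTP URL means the redirect from the HTTPS section is missing.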

simpleSAMLphp configuration

Set or verify the following options in simpleSAMLphp's configuration.

config.php

It's advised to set showerrors to false, so that error reporting is not too verbose: the stack traces give away information about your system, and will probably confuse your users more than help them understand their problem. Also, require the admin password to access simpleSAMLphp's configuration page; while this is not perfect, it does hide some information.

    'admin.protectindexpage' => true,
    'showerrors' => false,


The value for secretsalt should be a sufficiently long and sufficiently random string, say 32 random characters. The comment above the setting in config.php explains a good way to generate such a string. It is used for generating secure hashes.

    'secretsalt' => 'yourrandomstring',


To properly secure your cookies, set the secure flag to prevent them from being sent over a plain-text connection (assuming you only use https connections), and httponly to prevent JavaScript from accessing the cookie, which limits the impact of Cross Site Scripting attacks.

    'session.cookie.secure' => true,
    'session.phpsession.httponly' => true,


Finally, you need to configure which domains simpleSAMLphp accepts when it constructs a redirect, to avoid your installation becoming an open HTTP redirector. Fill the trusted.url.domains setting with an array of the DNS domains that your installation will redirect to; usually your own domain is enough. You can set it to an empty array (not null) and simpleSAMLphp will usually do the right thing automatically. (This is the default since 1.14, but needs to be set explicitly for older versions.)

    'trusted.url.domains' => [],


authsources.php or saml20-idp-hosted.php

You want to use a modern hashing algorithm: SHA-256 instead of SHA-1. In the context of SURFconext this is only relevant for IdPs, and the change needs to be made in saml20-idp-hosted.php. For SPs you can change this in authsources.php, but it will not add value in the SURFconext ecosystem.

In SSP 2.0 this is already the default. In SSP 1.12-1.19 the required config setting is already present in the relevant file; you just need to uncomment it:

    'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
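As an added example (not code from the simpleSAMLphp project or from SURFconext), the following shell script generates a secretsalt of the length recommended in the config.php section above and then greps config.php and saml20-idp-hosted.php for every setting this page asks for, including the signature.algorithm line. The two sample files it writes are constructed here, with the placeholder salt left in and the signature line still commented out, so the audit has something to report; the function names are invented, and the grep assumes the stock one-setting-per-line 'key' => value, layout and treats commented-out lines as not set.

```shell
#!/bin/sh
# Added example, not code from the simpleSAMLphp project: generate a secretsalt
# of the recommended length and grep config files for the settings this page
# asks for. Assumes one setting per line in the stock  'key' => value,  form;
# commented-out lines do not match because the pattern anchors on the quote.
SALT_LEN=32

# Print a random string of $1 (default 32) characters from [A-Za-z0-9].
gen_secretsalt() {
    LC_ALL=C tr -d -c 'A-Za-z0-9' </dev/urandom | head -c "${1:-$SALT_LEN}"
}

# $1 = file, $2 = key, $3 = extended regex the value must match.
setting_matches() {
    grep -Eq "^[[:space:]]*'$2'[[:space:]]*=>[[:space:]]*$3" "$1"
}

# Check every "key|regex" spec given after the file name; print one line per
# check and return the number of failing checks (0 means all settings are good).
audit_settings() {
    cfg="$1"; shift; failures=0
    for spec in "$@"; do
        key=${spec%%|*}; pattern=${spec#*|}
        if setting_matches "$cfg" "$key" "$pattern"; then
            echo "OK   $key"
        else
            echo "FAIL $key (expected a value matching $pattern)"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# The config.php settings from this page: secretsalt must be a quoted string of
# at least 32 alphanumerics and trusted.url.domains must be an array.
audit_config_php() {
    audit_settings "$1" \
        "showerrors|false" \
        "admin.protectindexpage|true" \
        "session.cookie.secure|true" \
        "session.phpsession.httponly|true" \
        "secretsalt|'[A-Za-z0-9]{32,}'" \
        "trusted.url.domains|(\[|array\()"
}

# The SHA-256 signature setting for saml20-idp-hosted.php.
audit_idp_hosted() {
    audit_settings "$1" \
        "signature.algorithm|'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'"
}

# Constructed sample files ($1 = config.php, $2 = saml20-idp-hosted.php), each
# with one deliberate weakness: the placeholder salt and a commented-out
# signature line.
write_samples() {
    cat >"$1" <<'EOF'
<?php
$config = [
    'admin.protectindexpage' => true,
    'showerrors' => false,
    'secretsalt' => 'yourrandomstring',
    'session.cookie.secure' => true,
    'session.phpsession.httponly' => true,
    'trusted.url.domains' => [],
];
EOF
    cat >"$2" <<'EOF'
<?php
$metadata['__DYNAMIC:1__'] = [
    //'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
];
EOF
}

cfg=$(mktemp); idp=$(mktemp)
write_samples "$cfg" "$idp"
echo "suggested secretsalt: $(gen_secretsalt)"
audit_config_php "$cfg" || echo "$? config.php setting(s) need attention"
audit_idp_hosted "$idp" || echo "$? saml20-idp-hosted.php setting(s) need attention"
rm -f "$cfg" "$idp"
```

Run against your real files by replacing the two mktemp paths with config/config.php and metadata/saml20-idp-hosted.php; a FAIL line names the setting and the value shape it expected, and the exit status of each audit function is the number of settings still to fix.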
