Impact of Heart bleed for Gluu Customers This blog provides a good analysis to understand the impact of Heart bleed
If you are running a Shibboleth IDP front ended by an Apache HTTPD server, the private SAML IDP key in the JVM’s memory (i.e. tomcat) would not be exposed to the Apache httpd process.
However, if the web server’s private key is compromised, and then you have HTTP, not HTTPS!
Password credentials could have leaked. After patching and re-keying the server, people should be advised to reset their password credentials.
I think this is the biggest impact. It highlights the cost of our societal over-reliance on passwords–basically the cost of doing nothing. Passwords stolen from one site are used elsewhere. So even if your web server wasn’t compromised, a person maybe has the same password in a server that was. So the integrity of password authentication has managed to slip to a new all-time low.