...
The following InCommon servers were not running a vulnerable version of OpenSSL and therefore were not affected by this bug:
- Federation Manager (service1.internet2.edu)
- Metadata Services (wayf.incommonfederation.org, md.incommon.org)
- Discovery Service (wayf.incommonfederation.org)
- Error Handling Service (ds.incommon.org)
The following InCommon server was affected by the bug, which serves a single HTML resource, was found to be running a vulnerable version of OpenSSL:
- ops.incommon.org
The above server was patched, its TLS certificate was revoked, and a new TLS key was and certificate were installed. This restored the integrity of the server's single HTML resource (i.e., the fingerprints of the metadata signing certificate).
...
If you deploy the Shibboleth SP on Windows, versions 2.5.0 (or later), consult the Shibboleth Security Advisory issued on 9 April 2014.
SimpleSAMLphp deployments may be particularly vulnerable. Please read If you are using simpleSAMLphp, we recommend reading the entire thread entitled "heartbleed and SimpleSAMLphp" on the simpleSAMLphp mailing list.
...