In a two-tier architecture, the portal is in a demilitarized zone (DMZ), while Service Provider remains secure within the enterprise. The portal accesses Service Provider over SPML or with a RemoteContext.
Implementing a two-tier architecture means you must take additional security precautions. It is recommended that you perform the following steps to secure your network:
Install a firewall between the portal server and the Service Provider server.
Use HTTPS, that is, HTTP in conjunction with SSL, for communications between the servers. This is especially important if Service Provider resides in an untrusted domain.
Restrict the IP addresses that the portal server and Service Provider server can use to communicate.
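One way to check a firewall rule set against the three steps above is sketched below. This is an added example, not part of the product documentation. The addresses, the HTTPS port and the rule tuples are constructed assumptions.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the product documentation).
PORTAL = ipaddress.ip_network("192.0.2.10/32")        # portal server in the DMZ
SERVICE_PROVIDER = ipaddress.ip_address("10.0.5.20")  # Service Provider server inside the enterprise
HTTPS_PORTS = {443}                                   # assumed HTTPS listener port

# Constructed allow rules on the firewall between the two servers:
# (source CIDR, destination CIDR, destination port)
RULES = [
    ("192.0.2.10/32", "10.0.5.20/32", 443),   # portal to Service Provider over HTTPS
    ("192.0.2.0/24", "10.0.5.20/32", 443),    # whole DMZ subnet allowed
    ("192.0.2.10/32", "10.0.5.20/32", 8080),  # plain HTTP port left open
    ("192.0.2.10/32", "10.0.0.0/8", 443),     # destination far wider than one host
    ("192.0.2.77/32", "10.0.9.9/32", 22),     # unrelated rule, does not reach Service Provider
]

def audit_rule(src, dst, port):
    """Return a list of findings for one allow rule that can reach Service Provider."""
    src_net = ipaddress.ip_network(src)
    dst_net = ipaddress.ip_network(dst)
    if SERVICE_PROVIDER not in dst_net:
        return []  # rule does not expose the Service Provider server
    findings = []
    if port not in HTTPS_PORTS:
        findings.append("non-HTTPS port %d is reachable" % port)
    if src_net != PORTAL:
        findings.append("source %s is not exactly the portal host" % src)
    if dst_net.num_addresses != 1:
        findings.append("destination %s is wider than the Service Provider host" % dst)
    return findings

def audit(rules):
    """Map each offending rule to its findings; compliant rules are omitted."""
    report = {}
    for rule in rules:
        findings = audit_rule(*rule)
        if findings:
            report[rule] = findings
    return report

if __name__ == "__main__":
    for rule, findings in audit(RULES).items():
        print(rule, "->", "; ".join(findings))
```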
The following diagram illustrates how Service Provider can be implemented in a two-tier architecture.