Comparing changes
base repository: simplesamlphp/simplesamlphp, base: v2.4.5
head repository: simplesamlphp/simplesamlphp, compare: v2.4.6
- 10 commits
- 17 files changed
- 3 contributors
Commits on Apr 2, 2026
- 48e6db7
Commits on May 21, 2026
- 68d8a1b
Commits on May 29, 2026
- 3c32925: HTTP: have getServerHTTPS() honor https baseurlpath when $_SERVER['HTTPS'] is absent (#2638)

  * HTTP: have getServerHTTPS() honor https baseurlpath when $_SERVER['HTTPS'] is absent

  When SimpleSAMLphp is invoked from an external script (e.g. via \SimpleSAML\Auth\Simple from a host application's controller) behind a TLS-terminating upstream proxy, $_SERVER['HTTPS'] is absent in PHP -- nginx's stock fastcgi_params ships `fastcgi_param HTTPS $https if_not_empty;`, and $https is empty when nginx itself receives a plain HTTP connection from the upstream proxy. In that topology getServerHTTPS() returns false for what is actually an HTTPS request, which cascades through five callers -- most visibly via Session::getSessionFromRequest() throwing CriticalConfigurationError ('Setting secure cookie on plain HTTP') from the secure-cookie check.

  The maintainer-prescribed workaround for reverse-proxy deployments (see PRs #795, #376, #324, #491) is to set baseurlpath to a full URL. That works for Utils\HTTP::getBaseURL()'s full-URL branch but is silently ignored by getServerHTTPS() and its four downstream callers.

  This change has getServerHTTPS() consult the admin-set baseurlpath as a secondary signal -- but only when:
  (a) $_SERVER['HTTPS'] is COMPLETELY ABSENT (preserves explicit 'off')
  (b) baseurlpath is a full https:// URL
  (c) baseurlpath's host exactly matches the current request's host (case-insensitive)

  No client-controlled header (X-Forwarded-Proto etc.) is read at any point -- consistent with the maintainer position taken in PRs #795,

  Adds 8 PHPUnit tests covering: the bug demonstration, the host-match guard, the HTTPS=on short-circuit, explicit HTTPS=off preservation, case-insensitive host comparison, host-with-port in the request, relative-path baseurlpath rejection, and http:// baseurlpath rejection.

  Verified against upstream master: 880 -> 888 tests, 0 regressions.

  * tests: fix PSR-12 spacing (2 blank lines after methods)

  PHPCS reported 8 violations from PR #2638: 7x 'Expected 2 blank lines after method, found 1' and 1x 'closing brace for the class must go on the next line after the body'. Auto-fixed by phpcbf. No behavioral change; all 888 unit tests still pass.

  * HTTP: drop defensive try/catch around Configuration::getInstance()

  `getBaseURL()` (same file) calls `Configuration::getInstance()` without a try/catch; the new `getServerHTTPS()` fallback should follow the same pattern for consistency. The catch's `return false` was untested (would require Configuration to throw, which it doesn't in normal operation); codecov flagged it as the 1 line of missing patch coverage on PR #2638.

  * HTTP: add debug logging to getServerHTTPS() baseurlpath fallback

  Per review feedback (@thijskh): when $_SERVER['HTTPS'] is absent and getServerHTTPS() falls back to the baseurlpath check, log a debug-level line explaining which variable drove the HTTPS-or-not conclusion, so deployers who don't get the URL they expect can diagnose it. Three distinct debug lines cover the three fallback outcomes:
  - baseurlpath host matches current host -> treated as HTTPS
  - baseurlpath host does NOT match -> not HTTPS (names both hosts)
  - baseurlpath is not a full https:// URL -> not HTTPS, with a hint to set baseurlpath/application.baseURL for upstream-TLS-terminating deployments

  Logging is confined to the new fallback branch; the pre-existing $_SERVER['HTTPS'] cases are unchanged and unlogged to avoid noise on the common path. All three lines are exercised by existing tests.
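The three-stage decision the commit message describes (an explicit $_SERVER['HTTPS'] always wins; otherwise baseurlpath must be a full https:// URL whose host equals the request host, compared case-insensitively, with one debug line per fallback outcome), as an added PHP illustration that is not SimpleSAMLphp's own code: requestIsHttps(), its $log callable, the empty()/'off' test for an explicit HTTPS value and the stripping of a :port suffix from the request host are assumptions of this example.

```php
<?php
declare(strict_types=1);

/**
 * Illustration of the fallback described in #2638 (not SimpleSAMLphp code).
 * $server is a $_SERVER-like array; $log receives one debug line per fallback
 * outcome. The empty()/'off' test and the :port handling are assumptions.
 */
function requestIsHttps(array $server, string $baseurlpath, callable $log): bool
{
    // (a) An explicit $_SERVER['HTTPS'] always wins, including an explicit 'off'.
    if (array_key_exists('HTTPS', $server)) {
        return !empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off';
    }

    // (b) baseurlpath must be a full https:// URL that names a host.
    $parts = parse_url($baseurlpath);
    if (!is_array($parts) || strtolower($parts['scheme'] ?? '') !== 'https' || empty($parts['host'])) {
        $log('HTTPS absent and baseurlpath is not a full https:// URL: treating request as plain HTTP.'
            . ' Set baseurlpath to a full https:// URL when TLS is terminated upstream.');
        return false;
    }

    // (c) The admin-configured host must equal the request host (case-insensitive).
    // Only equality with the configured host yields "HTTPS", so a forged Host header
    // can at most make this comparison fail; it cannot promote some other host.
    $configured = strtolower($parts['host']);
    $requested  = preg_replace('/:\d+$/', '', strtolower((string) ($server['HTTP_HOST'] ?? '')));
    if ($configured === $requested) {
        $log("HTTPS absent; baseurlpath host '$configured' matches request host: treating request as HTTPS.");
        return true;
    }
    $log("HTTPS absent; baseurlpath host '$configured' does not match request host '$requested': plain HTTP.");
    return false;
}

// Constructed scenarios mirroring the cases the commit's tests enumerate.
$log  = static fn(string $m) => fwrite(STDERR, "[debug] $m\n");
$base = 'https://sso.example.org/simplesaml/';
$check = static function (bool $ok, string $label): void {
    if (!$ok) { throw new RuntimeException("unexpected result for: $label"); }
};
$check(requestIsHttps(['HTTP_HOST' => 'sso.example.org'], $base, $log) === true, 'absent + host match');
$check(requestIsHttps(['HTTP_HOST' => 'SSO.Example.org:443'], $base, $log) === true, 'case + port');
$check(requestIsHttps(['HTTP_HOST' => 'sso.example.org', 'HTTPS' => 'off'], $base, $log) === false, 'explicit off');
$check(requestIsHttps(['HTTP_HOST' => 'sso.example.org', 'HTTPS' => 'on'], '/simplesaml/', $log) === true, 'on short-circuit');
$check(requestIsHttps(['HTTP_HOST' => 'other.example.net'], $base, $log) === false, 'host mismatch');
$check(requestIsHttps(['HTTP_HOST' => 'sso.example.org'], '/simplesaml/', $log) === false, 'relative baseurlpath');
$check(requestIsHttps(['HTTP_HOST' => 'sso.example.org'], 'http://sso.example.org/', $log) === false, 'http:// baseurlpath');
echo "all scenarios behaved as described\n";
```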
- ea30ba1
- bc15b40
- 10d3dfc
- ba107df
- 51b678c:

  * Reject ExpectedIssuer mismatches for SP-initiated flows. Solicited and unsolicited responses. SAML2INT "Response MUST be signed" feature flag; code sniffer fixes; phpstan issues fixed
  * Refactor SAML validation to throw on invalid SubjectConfirmation, update tests, and switch error strings to sprintf
  * Load SAML2Int policy from saml2int.conf.php.dist instead of config.php
  * Add documentation for the saml2int config file
- 538ede7
- ac2dd03
You can try running this command locally to see the comparison on your machine:
git diff v2.4.5...v2.4.6