Change documentation from recommending 2048 bit keys to using 3072 bit
keys.

Given that we're recommending people generate ten-year keys, 2048 bit
keys are probably a bit short. Almost all commercial certificate
authorities now recommend 4096 bit keys, and eduGAIN requires 3072 bit
keys for new federations.

This change aligns the SimpleSAMLphp documentation with the lower
eduGAIN requirement, since that still meets most standards bodies
recommendations for 2028 (ten years from now). cf
https://www.keylength.com/

Extend @mapgrady's patch for simplesamlphp/simplesamlphp#498 to allow Scoping to be disabled on a per-idp basis as well as globally

Following up on the idea mentioned in #937: If the transport is secure fall back to the `PasswordProtectedTransport` authn context class ref, otherwise keep the current default of `Password`.

Requires a version of the SAML2 library with simplesamlphp/saml2#129 merged due to the reference on a newly defined Constant.

The SAML2int spec suggests that IdPs should advertise two name
identifier formats, and SAML itself supports this. It seems that
SimpleSAMLphp does too, when handling metadata in XML (it is implemented
as an array). However the internal metadata format uses getString,
limiting us to only a single NameIDFormat. So far as I can tell, all
that's needed to fix this is to change the metadata parser to use
getArrayizeString to accept either a string or an array, and to cast
that as a string when necessary.
This may solve issue simplesamlphp/simplesamlphp#91

This resolves #888.

The SingleSignOn endpoint is not indexed, and as such, we should prioritize HTTP-Redirect when available in order to comply with SAML2Int.

The SingleSignOn endpoint is not indexed, and as such, we should prioritize HTTP-Redirect when available in order to comply with SAML2Int.