Description
Hello everyone,
I've stumbled upon this bug when using the tool Kimai, which uses your lib for SAML authentication. I got a problem when setting up the app behind a Caddy proxy and figured out that I had to configure Caddy to also set the X-Forwarded-Port header to make the SAML auth work (GH Discussion).
In the Caddy docs it says:
For these X-Forwarded-* headers, by default, the proxy will ignore their values from incoming requests, to prevent spoofing.
This includes the X-Forwarded-Port header. I then asked ChatGPT what the alternative is, and it said that apps/libs should usually rely on the X-Forwarded-Proto header instead of the X-Forwarded-Port header to reduce the risk of spoofing. I have to admit that I don't know whether ChatGPT is right here, but it sounds good. Maybe you'll know better than I do.
So I'd suggest changing your logic here, so that the OneLogin_Saml2_Utils::getSelfPort() method considers the X-Forwarded-Proto header if the X-Forwarded-Port header is not set.
I'll prepare a PR for that in a couple of minutes.
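A sketch of the header precedence the issue proposes, as an added example that is neither php-saml's own code nor the PR the reporter mentions: `resolveSelfPort()` and its `$trustProxy` flag are hypothetical names, and the request arrays are constructed rather than captured. It honours X-Forwarded-Port first, falls back to the default port implied by X-Forwarded-Proto, and only looks at either header when the application has been told the request arrived through a trusted proxy, which is the part that actually limits spoofing.

```php
<?php
// Added example, not php-saml code. Port resolution order proposed in the issue:
// X-Forwarded-Port, then X-Forwarded-Proto, then the local SERVER_PORT.
// Forwarded headers are only honoured when $trustProxy is true, i.e. when the
// deployment guarantees that the request came through a proxy that overwrites
// incoming X-Forwarded-* values (as Caddy does by default).

declare(strict_types=1);

/**
 * Resolve the port the client used to reach the application.
 *
 * @param array<string,string> $server     a $_SERVER-like array (constructed below)
 * @param bool                 $trustProxy whether X-Forwarded-* headers may be trusted
 */
function resolveSelfPort(array $server, bool $trustProxy): int
{
    if ($trustProxy) {
        // 1. An explicit forwarded port wins, but only if it is a valid TCP port.
        if (isset($server['HTTP_X_FORWARDED_PORT'])) {
            $port = filter_var(
                $server['HTTP_X_FORWARDED_PORT'],
                FILTER_VALIDATE_INT,
                ['options' => ['min_range' => 1, 'max_range' => 65535]]
            );
            if ($port !== false) {
                return $port;
            }
        }
        // 2. Otherwise derive the default port from the forwarded scheme.
        //    The header may carry a comma-separated chain; the first entry is
        //    the scheme the client used. This only ever yields 443 or 80, so a
        //    proxy listening on a custom port still needs X-Forwarded-Port.
        if (isset($server['HTTP_X_FORWARDED_PROTO'])) {
            $proto = strtolower(trim(explode(',', $server['HTTP_X_FORWARDED_PROTO'])[0]));
            if ($proto === 'https') {
                return 443;
            }
            if ($proto === 'http') {
                return 80;
            }
        }
    }
    // 3. Fall back to the port the app server itself accepted the connection on.
    return (int) ($server['SERVER_PORT'] ?? 80);
}

// Constructed sample requests, not captured traffic.
$behindCaddy = [
    'SERVER_PORT'            => '8001',
    'HTTP_X_FORWARDED_PROTO' => 'https',  // Caddy sets this even without X-Forwarded-Port
];
$spoofAttempt = [
    'SERVER_PORT'            => '8001',
    'HTTP_X_FORWARDED_PORT'  => '8443',   // sent directly by a client, no proxy in front
];
$garbagePort = [
    'SERVER_PORT'            => '443',
    'HTTP_X_FORWARDED_PORT'  => 'evil',   // not a port number, must be ignored
];

var_dump(resolveSelfPort($behindCaddy, true));   // int(443): derived from the scheme
var_dump(resolveSelfPort($spoofAttempt, false)); // int(8001): header ignored, no trusted proxy
var_dump(resolveSelfPort($garbagePort, true));   // int(443): invalid value skipped, SERVER_PORT used
```

Two caveats worth keeping in mind when reviewing a change like this: falling back to X-Forwarded-Proto only fixes the common case where the proxy terminates TLS on 443 (or plain HTTP on 80); a proxy on a non-standard public port still has to pass X-Forwarded-Port explicitly. And neither header is safer than the other by itself; what reduces spoofing is that the proxy overwrites incoming X-Forwarded-* values and that the application only trusts them when it is actually deployed behind such a proxy.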