Problema autenticazione su alcuni idp

Buongiorno,
sto implementando l’autenticazione SPID per alcuni servizi comunali.
Il nostro metadata è stato pubblicato ieri e al momento risulta funzionante su i seguenti idp:

  • Aruba
  • Intesa
  • Spiditalia

mentre sugli altri restituisce sempre l’errore:
Formato richiesta non ricevibile - Contattare il gestore del servizio

Il metadata pubblico è il seguente:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" 
    ID="pfxfca1ccb4-8d31-bd5b-6233-0bc579f8f3e9" 
    entityID="https://istruzione.comune.lastra-a-signa.fi.it/refezione/sp.do">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <ds:Reference URI="#pfxfca1ccb4-8d31-bd5b-6233-0bc579f8f3e9">
        <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>5oeZBCcb2NiS4dTmpGlAtVyaEETM55mR4Kbjuv0P28w=</ds:DigestValue>
    </ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
</ds:SignatureValue>
<ds:KeyInfo>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>
</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
<ds:X509Data>
<ds:X509Certificate>
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
    <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" 
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:KeyDescriptor use="signing">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
				<ds:X509Data>
					<ds:X509Certificate></ds:X509Certificate>
				</ds:X509Data>
			</ds:KeyInfo>
        </md:KeyDescriptor> 
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
            Location="https://istruzione.comune.lastra-a-signa.fi.it/refezione/sp-logout.do" 
            ResponseLocation="https://istruzione.comune.lastra-a-signa.fi.it/refezione/sp-logout-response.do"/>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
        <md:AssertionConsumerService 
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
            Location="https://istruzione.comune.lastra-a-signa.fi.it/refezione/sp-login.do" index="0" isDefault="true"/>
        <md:AttributeConsumingService index="0">
            <md:ServiceName xml:lang="it">Portale Refezione Scolastica - Comune di Lastra a Signa</md:ServiceName>
            <md:ServiceDescription xml:lang="it">Portale Refezione Scolastica - Comune di Lastra a Signa</md:ServiceDescription>            
            <md:RequestedAttribute Name="name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/> 
            <md:RequestedAttribute Name="fiscalNumber" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/> 
            <md:RequestedAttribute Name="familyName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/> 
            <md:RequestedAttribute Name="spidCode" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/> 
            <md:RequestedAttribute Name="gender" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/> 
            <md:RequestedAttribute Name="dateOfBirth" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/> 
            <md:RequestedAttribute Name="countyOfBirth" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/> 
            <md:RequestedAttribute Name="idCard" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/> 
            <md:RequestedAttribute Name="registeredOffice" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/> 
            <md:RequestedAttribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/> 
            <md:RequestedAttribute Name="digitalAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/> 
            <md:RequestedAttribute Name="ivaCode" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/> 
            <md:RequestedAttribute Name="placeOfBirth" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/> 
            <md:RequestedAttribute Name="companyName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/> 
            <md:RequestedAttribute Name="mobilePhone" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/> 
            <md:RequestedAttribute Name="address" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/> 
            <md:RequestedAttribute Name="expirationDate" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/> 
        </md:AttributeConsumingService>
    </md:SPSSODescriptor>
    <md:Organization>
        <md:OrganizationName xml:lang="it">Comune di Lastra a Signa</md:OrganizationName>
        <md:OrganizationDisplayName xml:lang="it">Comune di Lastra a Signa</md:OrganizationDisplayName>
        <md:OrganizationURL xml:lang="it">https://istruzione.comune.lastra-a-signa.fi.it</md:OrganizationURL>    
    </md:Organization>
</md:EntityDescriptor>

La richiesta AuthnRequest generata (qui per poste) è:

            <?xml version="1.0" encoding="UTF-8"?>
    <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" 
    AssertionConsumerServiceURL="https://istruzione.comune.lastra-a-signa.fi.it/refezione/sp-login.do" 
    AttributeConsumingServiceIndex="0" Destination="https://posteid.poste.it/jod-fs/ssoserviceredirect" 
    ID="_958c80a7-7dd0-4f91-b57b-cc2f24223a18" 
    IssueInstant="2020-03-18T09:53:21.328Z" 
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
    Version="2.0">
    <saml:Issuer 
    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" 
    NameQualifier="https://istruzione.comune.lastra-a-signa.fi.it/refezione/sp.do">https://istruzione.comune.lastra-a-signa.fi.it/refezione/sp.do
    </saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="">
    <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>C5q0vcCT9fDJFvaTEd/hEmx63jw=</ds:DigestValue>
    </ds:Reference></ds:SignedInfo><ds:SignatureValue></ds:SignatureValue><ds:KeyInfo><ds:X509Data>
    <ds:X509SubjectName></ds:X509SubjectName>
    <ds:X509Certificate></ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></ds:Signature>
    <samlp:NameIDPolicy 
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
<samlp:RequestedAuthnContext Comparison="minimum"><saml:AuthnContextClassRef>https://www.spid.gov.it/SpidL2</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
    </samlp:AuthnRequest>

In caso vi servissero ulteriori dettagli resto a disposizione.
Grazie