From 8d0e426654fe0351a66c72d43ebb4a3ef0798d3d Mon Sep 17 00:00:00 2001
From: Josh Cummings <josh.cummings@gmail.com>
Date: Tue, 11 Jul 2023 10:36:03 -0600
Subject: [PATCH] Generate Shared Test SAML Response

Issue gh-13433
---
 .../saml2/Saml2LoginConfigurerTests.java      | 44 ++++++++++++---
 .../Saml2LoginBeanDefinitionParserTests.java  | 54 ++++++++++++++-----
 .../authentication/TestOpenSamlObjects.java   |  5 +-
 3 files changed, 83 insertions(+), 20 deletions(-)

diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurerTests.java
index a6c1d57f46..105d6f469a 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurerTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurerTests.java
@@ -18,18 +18,26 @@ package org.springframework.security.config.annotation.web.configurers.saml2;
 
 import java.io.IOException;
 import java.net.URLDecoder;
+import java.nio.charset.StandardCharsets;
 import java.util.Base64;
 import java.util.Collections;
 
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
+import net.shibboleth.utilities.java.support.xml.SerializeSupport;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.ArgumentCaptor;
+import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
+import org.opensaml.core.xml.io.Marshaller;
+import org.opensaml.saml.saml2.core.Assertion;
+import org.opensaml.saml.saml2.core.Response;
+import org.w3c.dom.Element;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.ConfigurableApplicationContext;
@@ -55,6 +63,7 @@ import org.springframework.security.core.annotation.AuthenticationPrincipal;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.context.SecurityContextChangedListener;
 import org.springframework.security.core.context.SecurityContextHolderStrategy;
+import org.springframework.security.saml2.core.OpenSamlInitializationService;
 import org.springframework.security.saml2.core.Saml2ErrorCodes;
 import org.springframework.security.saml2.core.Saml2Utils;
 import org.springframework.security.saml2.core.TestSaml2X509Credentials;
@@ -63,6 +72,7 @@ import org.springframework.security.saml2.provider.service.authentication.Saml2A
 import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication;
 import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException;
 import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken;
+import org.springframework.security.saml2.provider.service.authentication.TestOpenSamlObjects;
 import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
@@ -111,7 +121,17 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
 @ExtendWith(SpringTestContextExtension.class)
 public class Saml2LoginConfigurerTests {
 
-	private static final String SIGNED_RESPONSE = "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbDJwOlJlc3BvbnNlIHhtbG5zOnNhbWwycD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9ycC5leGFtcGxlLm9yZy9hY3MiIElEPSJfZGE1MGNkNzUtMGRjNy00YTRmLWE0ZDktY2UzNmQ0N2E4Mzc2IiBJc3N1ZUluc3RhbnQ9IjIwMjMtMDctMTBUMjM6NDM6MjMuMjAxWiIgVmVyc2lvbj0iMi4wIj48c2FtbDI6SXNzdWVyIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj5hcC1lbnRpdHktaWQ8L3NhbWwyOklzc3Vlcj48ZHM6U2lnbmF0dXJlIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj4KPGRzOlNpZ25lZEluZm8+CjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+CjxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGRzaWctbW9yZSNyc2Etc2hhMjU2Ii8+CjxkczpSZWZlcmVuY2UgVVJJPSIjX2RhNTBjZDc1LTBkYzctNGE0Zi1hNGQ5LWNlMzZkNDdhODM3NiI+CjxkczpUcmFuc2Zvcm1zPgo8ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiLz4KPGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPgo8L2RzOlRyYW5zZm9ybXM+CjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNzaGEyNTYiLz4KPGRzOkRpZ2VzdFZhbHVlPmYzV2trallleHlBc1l0VDBaNHp0SWZyQlFacjE5UXFQMzhEQmkzb21ZMzQ9PC9kczpEaWdlc3RWYWx1ZT4KPC9kczpSZWZlcmVuY2U+CjwvZHM6U2lnbmVkSW5mbz4KPGRzOlNpZ25hdHVyZVZhbHVlPgpsNHFndVFZNUhCdE1LcVBDeTFGWVpYQ0piNDVMSVc1NExTb1NVREVPZmpFSXpvSkN3Ymw3bHhRSDJVU25VUlkxUkZISFhLZGdkUlRaJiMxMzsKeVFUcVluRCtPTktIQXB2MHdoN1FBNXdZeStIbkY0bFJWUjg4U1VvZUVQUVp3dlFTQytjcTY4bkVUMU1QT1JIdEljYXd3NytWWTgxdiYjMTM7CldNZGovK2d4WTJZaWhCYTh0dDE0ZGRLT1h6Q3ZlYXg4bllQWk9VL2J0TG94cWNJajVLc0JCVHY2R0FKbXUyTi9yN0NHVC9lUitkQTkmIzEzOwpsRGRRTXhxRldSSnhTdHRuMHFyQkRtdkV3THVrK0RUanZTaVViZUthZ1hFS0l0M0F2bm50VzVsVXdzK0RpMlpoS1VMeG96Qk5jY052JiMxMzsKSWVYaTJVUWVJRFQ5bm5ac2FCK2dydzY3czBGdmwwV2h1Y0M3S2c9PQo8L2RzOlNpZ25hdHVyZVZhbHVlPgo8L2RzOlNpZ25hdHVyZT48c2FtbDI6QXNzZXJ0aW9uIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiBJRD0iQTJhMjM0Y2M0LTY4ZmUtNGI5MC04OTc4LTY1OTQxMzEwZWI3YSIgSXNzdWVJbnN0YW50PSIyMDIzLTA3LTEwVDIzOjQzOjIzLjMwNloiIFZlcnNpb249IjIuMCI+PHNhbWwyOklzc3Vlcj5hcC1lbnRpdHktaWQ8L3NhbWwyOklzc3Vlcj48c2FtbDI6U3ViamVjdD48c2FtbDI6TmFtZUlEPnRlc3RAc2FtbC51c2VyPC9zYW1sMjpOYW1lSUQ+PHNhbWwyOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgUmVjaXBpZW50PSJodHRwczovL3JwLmV4YW1wbGUub3JnL2FjcyIvPjwvc2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWwyOlN1YmplY3Q+PHNhbWwyOkNvbmRpdGlvbnMvPjxzYW1sMjpBdXRoblN0YXRlbWVudCBTZXNzaW9uSW5kZXg9InNlc3Npb24taW5kZXgiLz48L3NhbWwyOkFzc2VydGlvbj48L3NhbWwycDpSZXNwb25zZT4=";
+	static {
+		OpenSamlInitializationService.initialize();
+	}
+
+	private static final RelyingPartyRegistration registration = TestRelyingPartyRegistrations.noCredentials()
+			.signingX509Credentials((c) -> c.add(TestSaml2X509Credentials.assertingPartySigningCredential()))
+			.assertingPartyDetails((party) -> party.verificationX509Credentials(
+					(c) -> c.add(TestSaml2X509Credentials.relyingPartyVerifyingCredential())))
+			.build();
+
+	private static String SIGNED_RESPONSE;
 
 	private static final AuthenticationConverter AUTHENTICATION_CONVERTER = mock(AuthenticationConverter.class);
 
@@ -138,6 +158,23 @@ public class Saml2LoginConfigurerTests {
 
 	private MockFilterChain filterChain;
 
+	@BeforeAll
+	static void createResponse() throws Exception {
+		String destination = registration.getAssertionConsumerServiceLocation();
+		String assertingPartyEntityId = registration.getAssertingPartyDetails().getEntityId();
+		String relyingPartyEntityId = registration.getEntityId();
+		Response response = TestOpenSamlObjects.response(destination, assertingPartyEntityId);
+		Assertion assertion = TestOpenSamlObjects.assertion("test@saml.user", assertingPartyEntityId,
+				relyingPartyEntityId, destination);
+		response.getAssertions().add(assertion);
+		Response signed = TestOpenSamlObjects.signed(response,
+				registration.getSigningX509Credentials().iterator().next(), relyingPartyEntityId);
+		Marshaller marshaller = XMLObjectProviderRegistrySupport.getMarshallerFactory().getMarshaller(signed);
+		Element element = marshaller.marshall(signed);
+		String serialized = SerializeSupport.nodeToString(element);
+		SIGNED_RESPONSE = Saml2Utils.samlEncode(serialized.getBytes(StandardCharsets.UTF_8));
+	}
+
 	@BeforeEach
 	public void setup() {
 		this.request = new MockHttpServletRequest("POST", "");
@@ -672,11 +709,6 @@ public class Saml2LoginConfigurerTests {
 
 		@Bean
 		RelyingPartyRegistrationRepository relyingPartyRegistrationRepository() {
-			RelyingPartyRegistration registration = TestRelyingPartyRegistrations.noCredentials()
-					.signingX509Credentials((c) -> c.add(TestSaml2X509Credentials.relyingPartySigningCredential()))
-					.assertingPartyDetails((party) -> party.verificationX509Credentials(
-							(c) -> c.add(TestSaml2X509Credentials.relyingPartyVerifyingCredential())))
-					.build();
 			return spy(new InMemoryRelyingPartyRegistrationRepository(registration));
 		}
 
diff --git a/config/src/test/java/org/springframework/security/config/http/Saml2LoginBeanDefinitionParserTests.java b/config/src/test/java/org/springframework/security/config/http/Saml2LoginBeanDefinitionParserTests.java
index 5c24828c1b..6be43450be 100644
--- a/config/src/test/java/org/springframework/security/config/http/Saml2LoginBeanDefinitionParserTests.java
+++ b/config/src/test/java/org/springframework/security/config/http/Saml2LoginBeanDefinitionParserTests.java
@@ -16,11 +16,20 @@
 
 package org.springframework.security.config.http;
 
+import java.nio.charset.StandardCharsets;
+
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
+import net.shibboleth.utilities.java.support.xml.SerializeSupport;
+import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.ArgumentCaptor;
+import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
+import org.opensaml.core.xml.io.Marshaller;
+import org.opensaml.saml.saml2.core.Assertion;
+import org.opensaml.saml.saml2.core.Response;
+import org.w3c.dom.Element;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.parsing.BeanDefinitionParsingException;
@@ -33,6 +42,7 @@ import org.springframework.security.config.test.SpringTestContextExtension;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.context.SecurityContextHolderStrategy;
+import org.springframework.security.saml2.core.OpenSamlInitializationService;
 import org.springframework.security.saml2.core.Saml2ParameterNames;
 import org.springframework.security.saml2.core.Saml2Utils;
 import org.springframework.security.saml2.core.TestSaml2X509Credentials;
@@ -41,6 +51,7 @@ import org.springframework.security.saml2.provider.service.authentication.Saml2A
 import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException;
 import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken;
 import org.springframework.security.saml2.provider.service.authentication.Saml2RedirectAuthenticationRequest;
+import org.springframework.security.saml2.provider.service.authentication.TestOpenSamlObjects;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
 import org.springframework.security.saml2.provider.service.registration.TestRelyingPartyRegistrations;
@@ -79,9 +90,19 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
 @SecurityTestExecutionListeners
 public class Saml2LoginBeanDefinitionParserTests {
 
+	static {
+		OpenSamlInitializationService.initialize();
+	}
+
 	private static final String CONFIG_LOCATION_PREFIX = "classpath:org/springframework/security/config/http/Saml2LoginBeanDefinitionParserTests";
 
-	private static final String SIGNED_RESPONSE = "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbDJwOlJlc3BvbnNlIHhtbG5zOnNhbWwycD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9ycC5leGFtcGxlLm9yZy9hY3MiIElEPSJfZGE1MGNkNzUtMGRjNy00YTRmLWE0ZDktY2UzNmQ0N2E4Mzc2IiBJc3N1ZUluc3RhbnQ9IjIwMjMtMDctMTBUMjM6NDM6MjMuMjAxWiIgVmVyc2lvbj0iMi4wIj48c2FtbDI6SXNzdWVyIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj5hcC1lbnRpdHktaWQ8L3NhbWwyOklzc3Vlcj48ZHM6U2lnbmF0dXJlIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj4KPGRzOlNpZ25lZEluZm8+CjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+CjxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGRzaWctbW9yZSNyc2Etc2hhMjU2Ii8+CjxkczpSZWZlcmVuY2UgVVJJPSIjX2RhNTBjZDc1LTBkYzctNGE0Zi1hNGQ5LWNlMzZkNDdhODM3NiI+CjxkczpUcmFuc2Zvcm1zPgo8ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiLz4KPGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPgo8L2RzOlRyYW5zZm9ybXM+CjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNzaGEyNTYiLz4KPGRzOkRpZ2VzdFZhbHVlPmYzV2trallleHlBc1l0VDBaNHp0SWZyQlFacjE5UXFQMzhEQmkzb21ZMzQ9PC9kczpEaWdlc3RWYWx1ZT4KPC9kczpSZWZlcmVuY2U+CjwvZHM6U2lnbmVkSW5mbz4KPGRzOlNpZ25hdHVyZVZhbHVlPgpsNHFndVFZNUhCdE1LcVBDeTFGWVpYQ0piNDVMSVc1NExTb1NVREVPZmpFSXpvSkN3Ymw3bHhRSDJVU25VUlkxUkZISFhLZGdkUlRaJiMxMzsKeVFUcVluRCtPTktIQXB2MHdoN1FBNXdZeStIbkY0bFJWUjg4U1VvZUVQUVp3dlFTQytjcTY4bkVUMU1QT1JIdEljYXd3NytWWTgxdiYjMTM7CldNZGovK2d4WTJZaWhCYTh0dDE0ZGRLT1h6Q3ZlYXg4bllQWk9VL2J0TG94cWNJajVLc0JCVHY2R0FKbXUyTi9yN0NHVC9lUitkQTkmIzEzOwpsRGRRTXhxRldSSnhTdHRuMHFyQkRtdkV3THVrK0RUanZTaVViZUthZ1hFS0l0M0F2bm50VzVsVXdzK0RpMlpoS1VMeG96Qk5jY052JiMxMzsKSWVYaTJVUWVJRFQ5bm5ac2FCK2dydzY3czBGdmwwV2h1Y0M3S2c9PQo8L2RzOlNpZ25hdHVyZVZhbHVlPgo8L2RzOlNpZ25hdHVyZT48c2FtbDI6QXNzZXJ0aW9uIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiBJRD0iQTJhMjM0Y2M0LTY4ZmUtNGI5MC04OTc4LTY1OTQxMzEwZWI3YSIgSXNzdWVJbnN0YW50PSIyMDIzLTA3LTEwVDIzOjQzOjIzLjMwNloiIFZlcnNpb249IjIuMCI+PHNhbWwyOklzc3Vlcj5hcC1lbnRpdHktaWQ8L3NhbWwyOklzc3Vlcj48c2FtbDI6U3ViamVjdD48c2FtbDI6TmFtZUlEPnRlc3RAc2FtbC51c2VyPC9zYW1sMjpOYW1lSUQ+PHNhbWwyOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgUmVjaXBpZW50PSJodHRwczovL3JwLmV4YW1wbGUub3JnL2FjcyIvPjwvc2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWwyOlN1YmplY3Q+PHNhbWwyOkNvbmRpdGlvbnMvPjxzYW1sMjpBdXRoblN0YXRlbWVudCBTZXNzaW9uSW5kZXg9InNlc3Npb24taW5kZXgiLz48L3NhbWwyOkFzc2VydGlvbj48L3NhbWwycDpSZXNwb25zZT4=";
+	private static final RelyingPartyRegistration registration = TestRelyingPartyRegistrations.noCredentials()
+			.signingX509Credentials((c) -> c.add(TestSaml2X509Credentials.assertingPartySigningCredential()))
+			.assertingPartyDetails((party) -> party.verificationX509Credentials(
+					(c) -> c.add(TestSaml2X509Credentials.relyingPartyVerifyingCredential())))
+			.build();
+
+	private static String SIGNED_RESPONSE;
 
 	private static final String IDP_SSO_URL = "https://sso-url.example.com/IDP/SSO";
 
@@ -117,6 +138,23 @@ public class Saml2LoginBeanDefinitionParserTests {
 	@Autowired
 	private MockMvc mvc;
 
+	@BeforeAll
+	static void createResponse() throws Exception {
+		String destination = registration.getAssertionConsumerServiceLocation();
+		String assertingPartyEntityId = registration.getAssertingPartyDetails().getEntityId();
+		String relyingPartyEntityId = registration.getEntityId();
+		Response response = TestOpenSamlObjects.response(destination, assertingPartyEntityId);
+		Assertion assertion = TestOpenSamlObjects.assertion("test@saml.user", assertingPartyEntityId,
+				relyingPartyEntityId, destination);
+		response.getAssertions().add(assertion);
+		Response signed = TestOpenSamlObjects.signed(response,
+				registration.getSigningX509Credentials().iterator().next(), relyingPartyEntityId);
+		Marshaller marshaller = XMLObjectProviderRegistrySupport.getMarshallerFactory().getMarshaller(signed);
+		Element element = marshaller.marshall(signed);
+		String serialized = SerializeSupport.nodeToString(element);
+		SIGNED_RESPONSE = Saml2Utils.samlEncode(serialized.getBytes(StandardCharsets.UTF_8));
+	}
+
 	@Test
 	public void requestWhenSingleRelyingPartyRegistrationThenAutoRedirect() throws Exception {
 		this.spring.configLocations(this.xml("SingleRelyingPartyRegistration")).autowire();
@@ -296,13 +334,9 @@ public class Saml2LoginBeanDefinitionParserTests {
 			throws Exception {
 		this.spring.configLocations(this.xml("WithCustomLoginProcessingUrl-WithCustomAuthenticationConverter"))
 				.autowire();
-		RelyingPartyRegistration relyingPartyRegistration = TestRelyingPartyRegistrations.noCredentials()
-				.assertingPartyDetails((party) -> party.verificationX509Credentials(
-						(c) -> c.add(TestSaml2X509Credentials.relyingPartyVerifyingCredential())))
-				.build();
 		String response = new String(Saml2Utils.samlDecode(SIGNED_RESPONSE));
 		given(this.authenticationConverter.convert(any(HttpServletRequest.class)))
-				.willReturn(new Saml2AuthenticationToken(relyingPartyRegistration, response));
+				.willReturn(new Saml2AuthenticationToken(registration, response));
 		// @formatter:off
 		MockHttpServletRequestBuilder request = post("/my/custom/url").param("SAMLResponse", SIGNED_RESPONSE);
 		// @formatter:on
@@ -311,12 +345,8 @@ public class Saml2LoginBeanDefinitionParserTests {
 	}
 
 	private RelyingPartyRegistration relyingPartyRegistrationWithVerifyingCredential() {
-		RelyingPartyRegistration relyingPartyRegistration = TestRelyingPartyRegistrations.noCredentials()
-				.assertingPartyDetails((party) -> party.verificationX509Credentials(
-						(c) -> c.add(TestSaml2X509Credentials.relyingPartyVerifyingCredential())))
-				.build();
-		given(this.repository.findByRegistrationId(anyString())).willReturn(relyingPartyRegistration);
-		return relyingPartyRegistration;
+		given(this.repository.findByRegistrationId(anyString())).willReturn(registration);
+		return registration;
 	}
 
 	private String xml(String configName) {
diff --git a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/authentication/TestOpenSamlObjects.java b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/authentication/TestOpenSamlObjects.java
index 5555ac6fd1..dc73b583ff 100644
--- a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/authentication/TestOpenSamlObjects.java
+++ b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/authentication/TestOpenSamlObjects.java
@@ -118,7 +118,7 @@ public final class TestOpenSamlObjects {
 		return response(DESTINATION, ASSERTING_PARTY_ENTITY_ID);
 	}
 
-	static Response response(String destination, String issuerEntityId) {
+	public static Response response(String destination, String issuerEntityId) {
 		Response response = build(Response.DEFAULT_ELEMENT_NAME);
 		response.setID("R" + UUID.randomUUID().toString());
 		response.setVersion(SAMLVersion.VERSION_20);
@@ -144,7 +144,8 @@ public final class TestOpenSamlObjects {
 		return assertion(USERNAME, ASSERTING_PARTY_ENTITY_ID, RELYING_PARTY_ENTITY_ID, DESTINATION);
 	}
 
-	static Assertion assertion(String username, String issuerEntityId, String recipientEntityId, String recipientUri) {
+	public static Assertion assertion(String username, String issuerEntityId, String recipientEntityId,
+			String recipientUri) {
 		Assertion assertion = build(Assertion.DEFAULT_ELEMENT_NAME);
 		assertion.setID("A" + UUID.randomUUID().toString());
 		assertion.setVersion(SAMLVersion.VERSION_20);