Add Saml2ParameterNames

Closes gh-10270

etc/checkstyle/checkstyle-suppressions.xml

@@ -29,6 +29,7 @@
 	<suppress files="OAuth2IntrospectionClaimNames\.java" checks="InterfaceIsType"/>
 	<suppress files="OAuth2TokenIntrospectionClaimNames\.java" checks="InterfaceIsType"/>
 	<suppress files="Saml2ErrorCodes\.java" checks="InterfaceIsType"/>
+	<suppress files="Saml2ParameterNames\.java" checks="InterfaceIsType"/>
 
 	<!-- Method Visibility that we can't reduce -->
 	<suppress files="AbstractAclVoterTests\.java" checks="SpringMethodVisibility"/>

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/core/Saml2ParameterNames.java

@@ -0,0 +1,62 @@
+/*
+ * Copyright 2002-2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.saml2.core;
+
+/**
+ * Standard parameter names defined in the SAML 2.0 Specification and used by the
+ * Authentication Request, Assertion Consumer Response, Logout Request, and Logout
+ * Response endpoints.
+ *
+ * @author Josh Cummings
+ * @since 5.6
+ * @see <a target="_blank" href=
+ * "https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf">SAML 2.0
+ * Bindings</a>
+ */
+public interface Saml2ParameterNames {
+
+	/**
+	 * {@code SAMLRequest} - used to request authentication or request logout
+	 */
+	String SAML_REQUEST = "SAMLRequest";
+
+	/**
+	 * {@code SAMLResponse} - used to respond to an authentication or logout request
+	 */
+	String SAML_RESPONSE = "SAMLResponse";
+
+	/**
+	 * {@code RelayState} - used to communicate shared state between the relying and
+	 * asserting party
+	 * @see <a target="_blank" href=
+	 * "https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf#page=8">3.1.1
+	 * Use of RelayState</a>
+	 */
+	String RELAY_STATE = "RelayState";
+
+	/**
+	 * {@code SigAlg} - used to communicate which signature algorithm to use to verify
+	 * signature
+	 */
+	String SIG_ALG = "SigAlg";
+
+	/**
+	 * {@code Signature} - used to supply cryptographic signature on any SAML 2.0 payload
+	 */
+	String SIGNATURE = "Signature";
+
+}

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlSigningUtils.java

@@ -51,6 +51,7 @@ import org.opensaml.xmlsec.signature.support.SignatureSupport;
 import org.w3c.dom.Element;
 
 import org.springframework.security.saml2.Saml2Exception;
+import org.springframework.security.saml2.core.Saml2ParameterNames;
 import org.springframework.security.saml2.core.Saml2X509Credential;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
 import org.springframework.util.Assert;
@@ -165,7 +166,7 @@ final class OpenSamlSigningUtils {
 			SignatureSigningParameters parameters = resolveSigningParameters(this.registration);
 			Credential credential = parameters.getSigningCredential();
 			String algorithmUri = parameters.getSignatureAlgorithm();
-			this.components.put("SigAlg", algorithmUri);
+			this.components.put(Saml2ParameterNames.SIG_ALG, algorithmUri);
 			UriComponentsBuilder builder = UriComponentsBuilder.newInstance();
 			for (Map.Entry<String, String> component : this.components.entrySet()) {
 				builder.queryParam(component.getKey(),
@@ -176,7 +177,7 @@ final class OpenSamlSigningUtils {
 				byte[] rawSignature = XMLSigningUtil.signWithURI(credential, algorithmUri,
 						queryString.getBytes(StandardCharsets.UTF_8));
 				String b64Signature = Saml2Utils.samlEncode(rawSignature);
-				this.components.put("Signature", b64Signature);
+				this.components.put(Saml2ParameterNames.SIGNATURE, b64Signature);
 			}
 			catch (SecurityException ex) {
 				throw new Saml2Exception(ex);

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlVerificationUtils.java

@@ -48,6 +48,7 @@ import org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngin
 
 import org.springframework.security.saml2.core.Saml2Error;
 import org.springframework.security.saml2.core.Saml2ErrorCodes;
+import org.springframework.security.saml2.core.Saml2ParameterNames;
 import org.springframework.security.saml2.core.Saml2ResponseValidatorResult;
 import org.springframework.security.saml2.core.Saml2X509Credential;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
@@ -176,34 +177,39 @@ final class OpenSamlVerificationUtils {
 			}
 
 			String getAlgorithm() {
-				return this.request.getParameter("SigAlg");
+				return this.request.getParameter(Saml2ParameterNames.SIG_ALG);
 			}
 
 			byte[] getContent() {
-				if (this.request.getParameter("RelayState") != null) {
-					return String.format("%s=%s&RelayState=%s&SigAlg=%s", this.objectParameterName,
-							UriUtils.encode(this.request.getParameter(this.objectParameterName),
-									StandardCharsets.ISO_8859_1),
-							UriUtils.encode(this.request.getParameter("RelayState"), StandardCharsets.ISO_8859_1),
-							UriUtils.encode(getAlgorithm(), StandardCharsets.ISO_8859_1))
+				if (this.request.getParameter(Saml2ParameterNames.RELAY_STATE) != null) {
+					return String
+							.format("%s=%s&%s=%s&%s=%s", this.objectParameterName,
+									UriUtils.encode(this.request.getParameter(this.objectParameterName),
+											StandardCharsets.ISO_8859_1),
+									Saml2ParameterNames.RELAY_STATE,
+									UriUtils.encode(this.request.getParameter(Saml2ParameterNames.RELAY_STATE),
+											StandardCharsets.ISO_8859_1),
+									Saml2ParameterNames.SIG_ALG,
+									UriUtils.encode(getAlgorithm(), StandardCharsets.ISO_8859_1))
 							.getBytes(StandardCharsets.UTF_8);
 				}
 				else {
 					return String
-							.format("%s=%s&SigAlg=%s", this.objectParameterName,
+							.format("%s=%s&%s=%s", this.objectParameterName,
 									UriUtils.encode(this.request.getParameter(this.objectParameterName),
 											StandardCharsets.ISO_8859_1),
+									Saml2ParameterNames.SIG_ALG,
 									UriUtils.encode(getAlgorithm(), StandardCharsets.ISO_8859_1))
 							.getBytes(StandardCharsets.UTF_8);
 				}
 			}
 
 			byte[] getSignature() {
-				return Saml2Utils.samlDecode(this.request.getParameter("Signature"));
+				return Saml2Utils.samlDecode(this.request.getParameter(Saml2ParameterNames.SIGNATURE));
 			}
 
 			boolean hasSignature() {
-				return this.request.getParameter("Signature") != null;
+				return this.request.getParameter(Saml2ParameterNames.SIGNATURE) != null;
 			}
 
 		}

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/logout/OpenSamlVerificationUtils.java

@@ -47,6 +47,7 @@ import org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngin
 
 import org.springframework.security.saml2.core.Saml2Error;
 import org.springframework.security.saml2.core.Saml2ErrorCodes;
+import org.springframework.security.saml2.core.Saml2ParameterNames;
 import org.springframework.security.saml2.core.Saml2X509Credential;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
 import org.springframework.web.util.UriUtils;
@@ -179,44 +180,40 @@ final class OpenSamlVerificationUtils {
 			private final byte[] content;
 
 			RedirectSignature(Saml2LogoutRequest request) {
-				this.algorithm = request.getParameter("SigAlg");
-				if (request.getParameter("Signature") != null) {
-					this.signature = Saml2Utils.samlDecode(request.getParameter("Signature"));
+				this.algorithm = request.getParameter(Saml2ParameterNames.SIG_ALG);
+				if (request.getParameter(Saml2ParameterNames.SIGNATURE) != null) {
+					this.signature = Saml2Utils.samlDecode(request.getParameter(Saml2ParameterNames.SIGNATURE));
 				}
 				else {
 					this.signature = null;
 				}
-				this.content = content(request.getSamlRequest(), "SAMLRequest", request.getRelayState(),
-						request.getParameter("SigAlg"));
+				this.content = content(request.getSamlRequest(), Saml2ParameterNames.SAML_REQUEST,
+						request.getRelayState(), request.getParameter(Saml2ParameterNames.SIG_ALG));
 			}
 
 			RedirectSignature(Saml2LogoutResponse response) {
-				this.algorithm = response.getParameter("SigAlg");
-				if (response.getParameter("Signature") != null) {
-					this.signature = Saml2Utils.samlDecode(response.getParameter("Signature"));
+				this.algorithm = response.getParameter(Saml2ParameterNames.SIG_ALG);
+				if (response.getParameter(Saml2ParameterNames.SIGNATURE) != null) {
+					this.signature = Saml2Utils.samlDecode(response.getParameter(Saml2ParameterNames.SIGNATURE));
 				}
 				else {
 					this.signature = null;
 				}
-				this.content = content(response.getSamlResponse(), "SAMLResponse", response.getRelayState(),
-						response.getParameter("SigAlg"));
+				this.content = content(response.getSamlResponse(), Saml2ParameterNames.SAML_RESPONSE,
+						response.getRelayState(), response.getParameter(Saml2ParameterNames.SIG_ALG));
 			}
 
 			static byte[] content(String samlObject, String objectParameterName, String relayState, String algorithm) {
 				if (relayState != null) {
-					return String
-							.format("%s=%s&RelayState=%s&SigAlg=%s", objectParameterName,
-									UriUtils.encode(samlObject, StandardCharsets.ISO_8859_1),
-									UriUtils.encode(relayState, StandardCharsets.ISO_8859_1),
-									UriUtils.encode(algorithm, StandardCharsets.ISO_8859_1))
-							.getBytes(StandardCharsets.UTF_8);
+					return String.format("%s=%s&%s=%s&%s=%s", objectParameterName,
+							UriUtils.encode(samlObject, StandardCharsets.ISO_8859_1), Saml2ParameterNames.RELAY_STATE,
+							UriUtils.encode(relayState, StandardCharsets.ISO_8859_1), Saml2ParameterNames.SIG_ALG,
+							UriUtils.encode(algorithm, StandardCharsets.ISO_8859_1)).getBytes(StandardCharsets.UTF_8);
 				}
 				else {
-					return String
-							.format("%s=%s&SigAlg=%s", objectParameterName,
-									UriUtils.encode(samlObject, StandardCharsets.ISO_8859_1),
-									UriUtils.encode(algorithm, StandardCharsets.ISO_8859_1))
-							.getBytes(StandardCharsets.UTF_8);
+					return String.format("%s=%s&%s=%s", objectParameterName,
+							UriUtils.encode(samlObject, StandardCharsets.ISO_8859_1), Saml2ParameterNames.SIG_ALG,
+							UriUtils.encode(algorithm, StandardCharsets.ISO_8859_1)).getBytes(StandardCharsets.UTF_8);
 				}
 			}
 

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/logout/Saml2LogoutRequest.java

@@ -22,6 +22,7 @@ import java.util.HashMap;
 import java.util.Map;
 import java.util.function.Consumer;
 
+import org.springframework.security.saml2.core.Saml2ParameterNames;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
 import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
 import org.springframework.security.saml2.provider.service.web.authentication.logout.Saml2LogoutRequestResolver;
@@ -84,7 +85,7 @@ public final class Saml2LogoutRequest implements Serializable {
 	 * @return the signed and serialized <saml2:LogoutRequest> payload
 	 */
 	public String getSamlRequest() {
-		return this.parameters.get("SAMLRequest");
+		return this.parameters.get(Saml2ParameterNames.SAML_REQUEST);
 	}
 
 	/**
@@ -92,7 +93,7 @@ public final class Saml2LogoutRequest implements Serializable {
 	 * @return the relay state
 	 */
 	public String getRelayState() {
-		return this.parameters.get("RelayState");
+		return this.parameters.get(Saml2ParameterNames.RELAY_STATE);
 	}
 
 	/**
@@ -170,7 +171,7 @@ public final class Saml2LogoutRequest implements Serializable {
 		 * @see Saml2LogoutRequestResolver
 		 */
 		public Builder samlRequest(String samlRequest) {
-			this.parameters.put("SAMLRequest", samlRequest);
+			this.parameters.put(Saml2ParameterNames.SAML_REQUEST, samlRequest);
 			return this;
 		}
 
@@ -207,7 +208,7 @@ public final class Saml2LogoutRequest implements Serializable {
 		 * @return the {@link Builder} for further configurations
 		 */
 		public Builder relayState(String relayState) {
-			this.parameters.put("RelayState", relayState);
+			this.parameters.put(Saml2ParameterNames.RELAY_STATE, relayState);
 			return this;
 		}
 

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/logout/Saml2LogoutResponse.java

@@ -21,6 +21,7 @@ import java.util.HashMap;
 import java.util.Map;
 import java.util.function.Consumer;
 
+import org.springframework.security.saml2.core.Saml2ParameterNames;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
 import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
 import org.springframework.security.saml2.provider.service.web.authentication.logout.Saml2LogoutResponseResolver;
@@ -68,7 +69,7 @@ public final class Saml2LogoutResponse {
 	 * @return the signed and serialized <saml2:LogoutResponse> payload
 	 */
 	public String getSamlResponse() {
-		return this.parameters.get("SAMLResponse");
+		return this.parameters.get(Saml2ParameterNames.SAML_RESPONSE);
 	}
 
 	/**
@@ -76,7 +77,7 @@ public final class Saml2LogoutResponse {
 	 * @return the relay state
 	 */
 	public String getRelayState() {
-		return this.parameters.get("RelayState");
+		return this.parameters.get(Saml2ParameterNames.RELAY_STATE);
 	}
 
 	/**
@@ -140,7 +141,7 @@ public final class Saml2LogoutResponse {
 		 * @see Saml2LogoutResponseResolver
 		 */
 		public Builder samlResponse(String samlResponse) {
-			this.parameters.put("SAMLResponse", samlResponse);
+			this.parameters.put(Saml2ParameterNames.SAML_RESPONSE, samlResponse);
 			return this;
 		}
 
@@ -177,7 +178,7 @@ public final class Saml2LogoutResponse {
 		 * @return the {@link Builder} for further configurations
 		 */
 		public Builder relayState(String relayState) {
-			this.parameters.put("RelayState", relayState);
+			this.parameters.put(Saml2ParameterNames.RELAY_STATE, relayState);
 			return this;
 		}
 

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/servlet/filter/Saml2WebSsoAuthenticationFilter.java

@@ -23,6 +23,7 @@ import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.saml2.core.Saml2Error;
 import org.springframework.security.saml2.core.Saml2ErrorCodes;
+import org.springframework.security.saml2.core.Saml2ParameterNames;
 import org.springframework.security.saml2.provider.service.authentication.AbstractSaml2AuthenticationRequest;
 import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
@@ -96,7 +97,7 @@ public class Saml2WebSsoAuthenticationFilter extends AbstractAuthenticationProce
 	@Override
 	protected boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response) {
 		return (super.requiresAuthentication(request, response)
-				&& StringUtils.hasText(request.getParameter("SAMLResponse")));
+				&& StringUtils.hasText(request.getParameter(Saml2ParameterNames.SAML_RESPONSE)));
 	}
 
 	@Override

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/servlet/filter/Saml2WebSsoAuthenticationRequestFilter.java

@@ -27,6 +27,7 @@ import javax.servlet.http.HttpServletResponse;
 import org.opensaml.core.Version;
 
 import org.springframework.http.MediaType;
+import org.springframework.security.saml2.core.Saml2ParameterNames;
 import org.springframework.security.saml2.provider.service.authentication.AbstractSaml2AuthenticationRequest;
 import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationRequestContext;
 import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationRequestFactory;
@@ -200,10 +201,10 @@ public class Saml2WebSsoAuthenticationRequestFilter extends OncePerRequestFilter
 		this.authenticationRequestRepository.saveAuthenticationRequest(authenticationRequest, request, response);
 		UriComponentsBuilder uriBuilder = UriComponentsBuilder
 				.fromUriString(authenticationRequest.getAuthenticationRequestUri());
-		addParameter("SAMLRequest", authenticationRequest.getSamlRequest(), uriBuilder);
-		addParameter("RelayState", authenticationRequest.getRelayState(), uriBuilder);
-		addParameter("SigAlg", authenticationRequest.getSigAlg(), uriBuilder);
-		addParameter("Signature", authenticationRequest.getSignature(), uriBuilder);
+		addParameter(Saml2ParameterNames.SAML_REQUEST, authenticationRequest.getSamlRequest(), uriBuilder);
+		addParameter(Saml2ParameterNames.RELAY_STATE, authenticationRequest.getRelayState(), uriBuilder);
+		addParameter(Saml2ParameterNames.SIG_ALG, authenticationRequest.getSigAlg(), uriBuilder);
+		addParameter(Saml2ParameterNames.SIGNATURE, authenticationRequest.getSignature(), uriBuilder);
 		String redirectUrl = uriBuilder.build(true).toUriString();
 		response.sendRedirect(redirectUrl);
 	}

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/DefaultSaml2AuthenticationRequestContextResolver.java

@@ -22,6 +22,7 @@ import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
 import org.springframework.core.convert.converter.Converter;
+import org.springframework.security.saml2.core.Saml2ParameterNames;
 import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationRequestContext;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
 import org.springframework.util.Assert;
@@ -80,7 +81,7 @@ public final class DefaultSaml2AuthenticationRequestContextResolver
 		return Saml2AuthenticationRequestContext.builder().issuer(relyingParty.getEntityId())
 				.relyingPartyRegistration(relyingParty)
 				.assertionConsumerServiceUrl(relyingParty.getAssertionConsumerServiceLocation())
-				.relayState(request.getParameter("RelayState")).build();
+				.relayState(request.getParameter(Saml2ParameterNames.RELAY_STATE)).build();
 	}
 
 }

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/Saml2AuthenticationTokenConverter.java

@@ -31,6 +31,7 @@ import org.springframework.core.convert.converter.Converter;
 import org.springframework.http.HttpMethod;
 import org.springframework.security.saml2.core.Saml2Error;
 import org.springframework.security.saml2.core.Saml2ErrorCodes;
+import org.springframework.security.saml2.core.Saml2ParameterNames;
 import org.springframework.security.saml2.provider.service.authentication.AbstractSaml2AuthenticationRequest;
 import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException;
 import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken;
@@ -89,7 +90,7 @@ public final class Saml2AuthenticationTokenConverter implements AuthenticationCo
 		if (relyingPartyRegistration == null) {
 			return null;
 		}
-		String saml2Response = request.getParameter("SAMLResponse");
+		String saml2Response = request.getParameter(Saml2ParameterNames.SAML_RESPONSE);
 		if (saml2Response == null) {
 			return null;
 		}

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/logout/HttpSessionLogoutRequestRepository.java

@@ -23,6 +23,7 @@ import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 
 import org.springframework.security.crypto.codec.Utf8;
+import org.springframework.security.saml2.core.Saml2ParameterNames;
 import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest;
 import org.springframework.util.Assert;
 
@@ -90,7 +91,7 @@ public final class HttpSessionLogoutRequestRepository implements Saml2LogoutRequ
 	}
 
 	private String getStateParameter(HttpServletRequest request) {
-		return request.getParameter("RelayState");
+		return request.getParameter(Saml2ParameterNames.RELAY_STATE);
 	}
 
 	private boolean stateParameterEquals(HttpServletRequest request, Saml2LogoutRequest logoutRequest) {

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/logout/OpenSamlLogoutRequestResolver.java

@@ -40,6 +40,7 @@ import org.w3c.dom.Element;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.saml2.Saml2Exception;
 import org.springframework.security.saml2.core.OpenSamlInitializationService;
+import org.springframework.security.saml2.core.Saml2ParameterNames;
 import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;
 import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
@@ -135,7 +136,8 @@ final class OpenSamlLogoutRequestResolver {
 			String deflatedAndEncoded = Saml2Utils.samlEncode(Saml2Utils.samlDeflate(xml));
 			result.samlRequest(deflatedAndEncoded);
 			QueryParametersPartial partial = OpenSamlSigningUtils.sign(registration)
-					.param("SAMLRequest", deflatedAndEncoded).param("RelayState", relayState);
+					.param(Saml2ParameterNames.SAML_REQUEST, deflatedAndEncoded)
+					.param(Saml2ParameterNames.RELAY_STATE, relayState);
 			return result.parameters((params) -> params.putAll(partial.parameters())).build();
 		}
 	}

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/logout/OpenSamlLogoutResponseResolver.java

@@ -48,6 +48,7 @@ import org.w3c.dom.Element;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.saml2.Saml2Exception;
 import org.springframework.security.saml2.core.OpenSamlInitializationService;
+import org.springframework.security.saml2.core.Saml2ParameterNames;
 import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;
 import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutResponse;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
@@ -131,7 +132,7 @@ final class OpenSamlLogoutResponseResolver {
 		if (registration == null) {
 			return null;
 		}
-		String serialized = request.getParameter("SAMLRequest");
+		String serialized = request.getParameter(Saml2ParameterNames.SAML_REQUEST);
 		byte[] b = Saml2Utils.samlDecode(serialized);
 		LogoutRequest logoutRequest = parse(inflateIfRequired(registration, b));
 		LogoutResponse logoutResponse = this.logoutResponseBuilder.buildObject();
@@ -154,8 +155,8 @@ final class OpenSamlLogoutResponseResolver {
 			String xml = serialize(OpenSamlSigningUtils.sign(logoutResponse, registration));
 			String samlResponse = Saml2Utils.samlEncode(xml.getBytes(StandardCharsets.UTF_8));
 			result.samlResponse(samlResponse);
-			if (request.getParameter("RelayState") != null) {
-				result.relayState(request.getParameter("RelayState"));
+			if (request.getParameter(Saml2ParameterNames.RELAY_STATE) != null) {
+				result.relayState(request.getParameter(Saml2ParameterNames.RELAY_STATE));
 			}
 			return result.build();
 		}
@@ -163,10 +164,10 @@ final class OpenSamlLogoutResponseResolver {
 			String xml = serialize(logoutResponse);
 			String deflatedAndEncoded = Saml2Utils.samlEncode(Saml2Utils.samlDeflate(xml));
 			result.samlResponse(deflatedAndEncoded);
-			QueryParametersPartial partial = OpenSamlSigningUtils.sign(registration).param("SAMLResponse",
-					deflatedAndEncoded);
-			if (request.getParameter("RelayState") != null) {
-				partial.param("RelayState", request.getParameter("RelayState"));
+			QueryParametersPartial partial = OpenSamlSigningUtils.sign(registration)
+					.param(Saml2ParameterNames.SAML_RESPONSE, deflatedAndEncoded);
+			if (request.getParameter(Saml2ParameterNames.RELAY_STATE) != null) {
+				partial.param(Saml2ParameterNames.RELAY_STATE, request.getParameter(Saml2ParameterNames.RELAY_STATE));
 			}
 			return result.parameters((params) -> params.putAll(partial.parameters())).build();
 		}

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/logout/OpenSamlSigningUtils.java

@@ -48,6 +48,7 @@ import org.opensaml.xmlsec.signature.support.SignatureSupport;
 import org.w3c.dom.Element;
 
 import org.springframework.security.saml2.Saml2Exception;
+import org.springframework.security.saml2.core.Saml2ParameterNames;
 import org.springframework.security.saml2.core.Saml2X509Credential;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
 import org.springframework.util.Assert;
@@ -145,7 +146,7 @@ final class OpenSamlSigningUtils {
 			SignatureSigningParameters parameters = resolveSigningParameters(this.registration);
 			Credential credential = parameters.getSigningCredential();
 			String algorithmUri = parameters.getSignatureAlgorithm();
-			this.components.put("SigAlg", algorithmUri);
+			this.components.put(Saml2ParameterNames.SIG_ALG, algorithmUri);
 			UriComponentsBuilder builder = UriComponentsBuilder.newInstance();
 			for (Map.Entry<String, String> component : this.components.entrySet()) {
 				builder.queryParam(component.getKey(),
@@ -156,7 +157,7 @@ final class OpenSamlSigningUtils {
 				byte[] rawSignature = XMLSigningUtil.signWithURI(credential, algorithmUri,
 						queryString.getBytes(StandardCharsets.UTF_8));
 				String b64Signature = Saml2Utils.samlEncode(rawSignature);
-				this.components.put("Signature", b64Signature);
+				this.components.put(Saml2ParameterNames.SIGNATURE, b64Signature);
 			}
 			catch (SecurityException ex) {
 				throw new Saml2Exception(ex);

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/logout/Saml2LogoutRequestFilter.java

@@ -32,6 +32,7 @@ import org.springframework.core.log.LogMessage;
 import org.springframework.http.MediaType;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.saml2.core.Saml2ParameterNames;
 import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;
 import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest;
 import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequestValidator;
@@ -106,7 +107,7 @@ public final class Saml2LogoutRequestFilter extends OncePerRequestFilter {
 			return;
 		}
 
-		if (request.getParameter("SAMLRequest") == null) {
+		if (request.getParameter(Saml2ParameterNames.SAML_REQUEST) == null) {
 			chain.doFilter(request, response);
 			return;
 		}
@@ -126,13 +127,16 @@ public final class Saml2LogoutRequestFilter extends OncePerRequestFilter {
 			return;
 		}
 
-		String serialized = request.getParameter("SAMLRequest");
+		String serialized = request.getParameter(Saml2ParameterNames.SAML_REQUEST);
 		Saml2LogoutRequest logoutRequest = Saml2LogoutRequest.withRelyingPartyRegistration(registration)
-				.samlRequest(serialized).relayState(request.getParameter("RelayState"))
+				.samlRequest(serialized).relayState(request.getParameter(Saml2ParameterNames.RELAY_STATE))
 				.binding(registration.getSingleLogoutServiceBinding())
 				.location(registration.getSingleLogoutServiceLocation())
-				.parameters((params) -> params.put("SigAlg", request.getParameter("SigAlg")))
-				.parameters((params) -> params.put("Signature", request.getParameter("Signature"))).build();
+				.parameters((params) -> params.put(Saml2ParameterNames.SIG_ALG,
+						request.getParameter(Saml2ParameterNames.SIG_ALG)))
+				.parameters((params) -> params.put(Saml2ParameterNames.SIGNATURE,
+						request.getParameter(Saml2ParameterNames.SIGNATURE)))
+				.build();
 		Saml2LogoutRequestValidatorParameters parameters = new Saml2LogoutRequestValidatorParameters(logoutRequest,
 				registration, authentication);
 		Saml2LogoutValidatorResult result = this.logoutRequestValidator.validate(parameters);
@@ -184,10 +188,10 @@ public final class Saml2LogoutRequestFilter extends OncePerRequestFilter {
 			Saml2LogoutResponse logoutResponse) throws IOException {
 		String location = logoutResponse.getResponseLocation();
 		UriComponentsBuilder uriBuilder = UriComponentsBuilder.fromUriString(location);
-		addParameter("SAMLResponse", logoutResponse::getParameter, uriBuilder);
-		addParameter("RelayState", logoutResponse::getParameter, uriBuilder);
-		addParameter("SigAlg", logoutResponse::getParameter, uriBuilder);
-		addParameter("Signature", logoutResponse::getParameter, uriBuilder);
+		addParameter(Saml2ParameterNames.SAML_RESPONSE, logoutResponse::getParameter, uriBuilder);
+		addParameter(Saml2ParameterNames.RELAY_STATE, logoutResponse::getParameter, uriBuilder);
+		addParameter(Saml2ParameterNames.SIG_ALG, logoutResponse::getParameter, uriBuilder);
+		addParameter(Saml2ParameterNames.SIGNATURE, logoutResponse::getParameter, uriBuilder);
 		this.redirectStrategy.sendRedirect(request, response, uriBuilder.build(true).toUriString());
 	}
 

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/logout/Saml2LogoutResponseFilter.java

@@ -29,6 +29,7 @@ import org.apache.commons.logging.LogFactory;
 import org.springframework.core.log.LogMessage;
 import org.springframework.security.saml2.core.Saml2Error;
 import org.springframework.security.saml2.core.Saml2ErrorCodes;
+import org.springframework.security.saml2.core.Saml2ParameterNames;
 import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest;
 import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutResponse;
 import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutResponseValidator;
@@ -98,7 +99,7 @@ public final class Saml2LogoutResponseFilter extends OncePerRequestFilter {
 			return;
 		}
 
-		if (request.getParameter("SAMLResponse") == null) {
+		if (request.getParameter(Saml2ParameterNames.SAML_RESPONSE) == null) {
 			chain.doFilter(request, response);
 			return;
 		}
@@ -125,13 +126,16 @@ public final class Saml2LogoutResponseFilter extends OncePerRequestFilter {
 			return;
 		}
 
-		String serialized = request.getParameter("SAMLResponse");
+		String serialized = request.getParameter(Saml2ParameterNames.SAML_RESPONSE);
 		Saml2LogoutResponse logoutResponse = Saml2LogoutResponse.withRelyingPartyRegistration(registration)
-				.samlResponse(serialized).relayState(request.getParameter("RelayState"))
+				.samlResponse(serialized).relayState(request.getParameter(Saml2ParameterNames.RELAY_STATE))
 				.binding(registration.getSingleLogoutServiceBinding())
 				.location(registration.getSingleLogoutServiceResponseLocation())
-				.parameters((params) -> params.put("SigAlg", request.getParameter("SigAlg")))
-				.parameters((params) -> params.put("Signature", request.getParameter("Signature"))).build();
+				.parameters((params) -> params.put(Saml2ParameterNames.SIG_ALG,
+						request.getParameter(Saml2ParameterNames.SIG_ALG)))
+				.parameters((params) -> params.put(Saml2ParameterNames.SIGNATURE,
+						request.getParameter(Saml2ParameterNames.SIGNATURE)))
+				.build();
 		Saml2LogoutResponseValidatorParameters parameters = new Saml2LogoutResponseValidatorParameters(logoutResponse,
 				logoutRequest, registration);
 		Saml2LogoutValidatorResult result = this.logoutResponseValidator.validate(parameters);

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/logout/Saml2RelyingPartyInitiatedLogoutSuccessHandler.java

@@ -28,6 +28,7 @@ import org.apache.commons.logging.LogFactory;
 
 import org.springframework.http.MediaType;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.saml2.core.Saml2ParameterNames;
 import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest;
 import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
 import org.springframework.security.web.DefaultRedirectStrategy;
@@ -105,10 +106,10 @@ public final class Saml2RelyingPartyInitiatedLogoutSuccessHandler implements Log
 			throws IOException {
 		String location = logoutRequest.getLocation();
 		UriComponentsBuilder uriBuilder = UriComponentsBuilder.fromUriString(location);
-		addParameter("SAMLRequest", logoutRequest::getParameter, uriBuilder);
-		addParameter("RelayState", logoutRequest::getParameter, uriBuilder);
-		addParameter("SigAlg", logoutRequest::getParameter, uriBuilder);
-		addParameter("Signature", logoutRequest::getParameter, uriBuilder);
+		addParameter(Saml2ParameterNames.SAML_REQUEST, logoutRequest::getParameter, uriBuilder);
+		addParameter(Saml2ParameterNames.RELAY_STATE, logoutRequest::getParameter, uriBuilder);
+		addParameter(Saml2ParameterNames.SIG_ALG, logoutRequest::getParameter, uriBuilder);
+		addParameter(Saml2ParameterNames.SIGNATURE, logoutRequest::getParameter, uriBuilder);
 		this.redirectStrategy.sendRedirect(request, response, uriBuilder.build(true).toUriString());
 	}
 

saml2/saml2-service-provider/src/opensaml3Main/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationRequestFactory.java

@@ -33,6 +33,7 @@ import org.opensaml.saml.saml2.core.impl.IssuerBuilder;
 
 import org.springframework.core.convert.converter.Converter;
 import org.springframework.security.saml2.core.OpenSamlInitializationService;
+import org.springframework.security.saml2.core.Saml2ParameterNames;
 import org.springframework.security.saml2.provider.service.authentication.OpenSamlSigningUtils.QueryParametersPartial;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
 import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
@@ -120,13 +121,14 @@ public class OpenSamlAuthenticationRequestFactory implements Saml2Authentication
 		String deflatedAndEncoded = Saml2Utils.samlEncode(Saml2Utils.samlDeflate(xml));
 		result.samlRequest(deflatedAndEncoded).relayState(context.getRelayState());
 		if (registration.getAssertingPartyDetails().getWantAuthnRequestsSigned()) {
-			QueryParametersPartial partial = OpenSamlSigningUtils.sign(registration).param("SAMLRequest",
-					deflatedAndEncoded);
+			QueryParametersPartial partial = OpenSamlSigningUtils.sign(registration)
+					.param(Saml2ParameterNames.SAML_REQUEST, deflatedAndEncoded);
 			if (StringUtils.hasText(context.getRelayState())) {
-				partial.param("RelayState", context.getRelayState());
+				partial.param(Saml2ParameterNames.RELAY_STATE, context.getRelayState());
 			}
 			Map<String, String> parameters = partial.parameters();
-			return result.sigAlg(parameters.get("SigAlg")).signature(parameters.get("Signature")).build();
+			return result.sigAlg(parameters.get(Saml2ParameterNames.SIG_ALG))
+					.signature(parameters.get(Saml2ParameterNames.SIGNATURE)).build();
 		}
 		return result.build();
 	}

saml2/saml2-service-provider/src/opensaml3Test/java/org/springframework/security/saml2/provider/service/web/authentication/logout/OpenSaml3LogoutResponseResolverTests.java

@@ -24,6 +24,7 @@ import org.opensaml.saml.saml2.core.LogoutRequest;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.saml2.core.Saml2ParameterNames;
 import org.springframework.security.saml2.provider.service.authentication.TestOpenSamlObjects;
 import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutResponse;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
@@ -55,7 +56,7 @@ public class OpenSaml3LogoutResponseResolverTests {
 		RelyingPartyRegistration registration = TestRelyingPartyRegistrations.relyingPartyRegistration().build();
 		Authentication authentication = new TestingAuthenticationToken("user", "password");
 		LogoutRequest logoutRequest = TestOpenSamlObjects.assertingPartyLogoutRequest(registration);
-		request.setParameter("SAMLRequest",
+		request.setParameter(Saml2ParameterNames.SAML_REQUEST,
 				Saml2Utils.samlEncode(OpenSamlSigningUtils.serialize(logoutRequest).getBytes()));
 		given(this.relyingPartyRegistrationResolver.resolve(any(), any())).willReturn(registration);
 		Saml2LogoutResponse logoutResponse = logoutResponseResolver.resolve(request, authentication);

saml2/saml2-service-provider/src/opensaml4Main/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationRequestFactory.java

@@ -32,6 +32,7 @@ import org.opensaml.saml.saml2.core.impl.IssuerBuilder;
 
 import org.springframework.core.convert.converter.Converter;
 import org.springframework.security.saml2.core.OpenSamlInitializationService;
+import org.springframework.security.saml2.core.Saml2ParameterNames;
 import org.springframework.security.saml2.provider.service.authentication.OpenSamlSigningUtils.QueryParametersPartial;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
 import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
@@ -117,13 +118,14 @@ public final class OpenSaml4AuthenticationRequestFactory implements Saml2Authent
 		String deflatedAndEncoded = Saml2Utils.samlEncode(Saml2Utils.samlDeflate(xml));
 		result.samlRequest(deflatedAndEncoded).relayState(context.getRelayState());
 		if (registration.getAssertingPartyDetails().getWantAuthnRequestsSigned()) {
-			QueryParametersPartial partial = OpenSamlSigningUtils.sign(registration).param("SAMLRequest",
-					deflatedAndEncoded);
+			QueryParametersPartial partial = OpenSamlSigningUtils.sign(registration)
+					.param(Saml2ParameterNames.SAML_REQUEST, deflatedAndEncoded);
 			if (StringUtils.hasText(context.getRelayState())) {
-				partial.param("RelayState", context.getRelayState());
+				partial.param(Saml2ParameterNames.RELAY_STATE, context.getRelayState());
 			}
 			Map<String, String> parameters = partial.parameters();
-			return result.sigAlg(parameters.get("SigAlg")).signature(parameters.get("Signature")).build();
+			return result.sigAlg(parameters.get(Saml2ParameterNames.SIG_ALG))
+					.signature(parameters.get(Saml2ParameterNames.SIGNATURE)).build();
 		}
 		return result.build();
 	}

saml2/saml2-service-provider/src/opensaml4Test/java/org/springframework/security/saml2/provider/service/web/authentication/logout/OpenSaml4LogoutResponseResolverTests.java

@@ -24,6 +24,7 @@ import org.opensaml.saml.saml2.core.LogoutRequest;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.saml2.core.Saml2ParameterNames;
 import org.springframework.security.saml2.provider.service.authentication.TestOpenSamlObjects;
 import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutResponse;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
@@ -55,7 +56,7 @@ public class OpenSaml4LogoutResponseResolverTests {
 		RelyingPartyRegistration registration = TestRelyingPartyRegistrations.relyingPartyRegistration().build();
 		Authentication authentication = new TestingAuthenticationToken("user", "password");
 		LogoutRequest logoutRequest = TestOpenSamlObjects.assertingPartyLogoutRequest(registration);
-		request.setParameter("SAMLRequest",
+		request.setParameter(Saml2ParameterNames.SAML_REQUEST,
 				Saml2Utils.samlEncode(OpenSamlSigningUtils.serialize(logoutRequest).getBytes()));
 		given(this.relyingPartyRegistrationResolver.resolve(any(), any())).willReturn(registration);
 		Saml2LogoutResponse logoutResponse = logoutResponseResolver.resolve(request, authentication);

saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/authentication/logout/OpenSamlLogoutRequestValidatorTests.java

@@ -27,6 +27,7 @@ import org.opensaml.saml.saml2.core.LogoutRequest;
 
 import org.springframework.security.core.Authentication;
 import org.springframework.security.saml2.core.Saml2ErrorCodes;
+import org.springframework.security.saml2.core.Saml2ParameterNames;
 import org.springframework.security.saml2.core.TestSaml2X509Credentials;
 import org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal;
 import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication;
@@ -156,7 +157,7 @@ public class OpenSamlLogoutRequestValidatorTests {
 	private Saml2LogoutRequest redirect(LogoutRequest logoutRequest, RelyingPartyRegistration registration,
 			QueryParametersPartial partial) {
 		String serialized = Saml2Utils.samlEncode(Saml2Utils.samlDeflate(serialize(logoutRequest)));
-		Map<String, String> parameters = partial.param("SAMLRequest", serialized).parameters();
+		Map<String, String> parameters = partial.param(Saml2ParameterNames.SAML_REQUEST, serialized).parameters();
 		return Saml2LogoutRequest.withRelyingPartyRegistration(registration).samlRequest(serialized)
 				.parameters((params) -> params.putAll(parameters)).build();
 	}

saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/authentication/logout/OpenSamlLogoutResponseValidatorTests.java

@@ -25,6 +25,7 @@ import org.opensaml.saml.saml2.core.LogoutResponse;
 import org.opensaml.saml.saml2.core.StatusCode;
 
 import org.springframework.security.saml2.core.Saml2ErrorCodes;
+import org.springframework.security.saml2.core.Saml2ParameterNames;
 import org.springframework.security.saml2.core.TestSaml2X509Credentials;
 import org.springframework.security.saml2.provider.service.authentication.TestOpenSamlObjects;
 import org.springframework.security.saml2.provider.service.authentication.logout.OpenSamlSigningUtils.QueryParametersPartial;
@@ -141,7 +142,7 @@ public class OpenSamlLogoutResponseValidatorTests {
 	private Saml2LogoutResponse redirect(LogoutResponse logoutResponse, RelyingPartyRegistration registration,
 			QueryParametersPartial partial) {
 		String serialized = Saml2Utils.samlEncode(Saml2Utils.samlDeflate(serialize(logoutResponse)));
-		Map<String, String> parameters = partial.param("SAMLResponse", serialized).parameters();
+		Map<String, String> parameters = partial.param(Saml2ParameterNames.SAML_RESPONSE, serialized).parameters();
 		return Saml2LogoutResponse.withRelyingPartyRegistration(registration).samlResponse(serialized)
 				.parameters((params) -> params.putAll(parameters)).build();
 	}

saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/authentication/logout/OpenSamlSigningUtils.java

@@ -48,6 +48,7 @@ import org.opensaml.xmlsec.signature.support.SignatureSupport;
 import org.w3c.dom.Element;
 
 import org.springframework.security.saml2.Saml2Exception;
+import org.springframework.security.saml2.core.Saml2ParameterNames;
 import org.springframework.security.saml2.core.Saml2X509Credential;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
 import org.springframework.util.Assert;
@@ -145,7 +146,7 @@ final class OpenSamlSigningUtils {
 			SignatureSigningParameters parameters = resolveSigningParameters(this.registration);
 			Credential credential = parameters.getSigningCredential();
 			String algorithmUri = parameters.getSignatureAlgorithm();
-			this.components.put("SigAlg", algorithmUri);
+			this.components.put(Saml2ParameterNames.SIG_ALG, algorithmUri);
 			UriComponentsBuilder builder = UriComponentsBuilder.newInstance();
 			for (Map.Entry<String, String> component : this.components.entrySet()) {
 				builder.queryParam(component.getKey(),
@@ -156,7 +157,7 @@ final class OpenSamlSigningUtils {
 				byte[] rawSignature = XMLSigningUtil.signWithURI(credential, algorithmUri,
 						queryString.getBytes(StandardCharsets.UTF_8));
 				String b64Signature = Saml2Utils.samlEncode(rawSignature);
-				this.components.put("Signature", b64Signature);
+				this.components.put(Saml2ParameterNames.SIGNATURE, b64Signature);
 			}
 			catch (SecurityException ex) {
 				throw new Saml2Exception(ex);

saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/servlet/filter/Saml2WebSsoAuthenticationFilterTests.java

@@ -28,6 +28,7 @@ import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.saml2.core.Saml2ParameterNames;
 import org.springframework.security.saml2.provider.service.authentication.AbstractSaml2AuthenticationRequest;
 import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException;
 import org.springframework.security.saml2.provider.service.authentication.TestSaml2AuthenticationTokens;
@@ -65,7 +66,7 @@ public class Saml2WebSsoAuthenticationFilterTests {
 	public void setup() {
 		this.filter = new Saml2WebSsoAuthenticationFilter(this.repository);
 		this.request.setPathInfo("/login/saml2/sso/idp-registration-id");
-		this.request.setParameter("SAMLResponse", "xml-data-goes-here");
+		this.request.setParameter(Saml2ParameterNames.SAML_RESPONSE, "xml-data-goes-here");
 	}
 
 	@Test
@@ -89,7 +90,7 @@ public class Saml2WebSsoAuthenticationFilterTests {
 	public void requiresAuthenticationWhenCustomProcessingUrlThenReturnsTrue() {
 		this.filter = new Saml2WebSsoAuthenticationFilter(this.repository, "/some/other/path/{registrationId}");
 		this.request.setPathInfo("/some/other/path/idp-registration-id");
-		this.request.setParameter("SAMLResponse", "xml-data-goes-here");
+		this.request.setParameter(Saml2ParameterNames.SAML_RESPONSE, "xml-data-goes-here");
 		Assertions.assertTrue(this.filter.requiresAuthentication(this.request, this.response));
 	}
 
@@ -98,7 +99,7 @@ public class Saml2WebSsoAuthenticationFilterTests {
 		given(this.repository.findByRegistrationId("non-existent-id")).willReturn(null);
 		this.filter = new Saml2WebSsoAuthenticationFilter(this.repository, "/some/other/path/{registrationId}");
 		this.request.setPathInfo("/some/other/path/non-existent-id");
-		this.request.setParameter("SAMLResponse", "response");
+		this.request.setParameter(Saml2ParameterNames.SAML_RESPONSE, "response");
 		assertThatExceptionOfType(Saml2AuthenticationException.class)
 				.isThrownBy(() -> this.filter.attemptAuthentication(this.request, this.response))
 				.withMessage("No relying party registration found");
@@ -161,7 +162,7 @@ public class Saml2WebSsoAuthenticationFilterTests {
 		this.filter = new Saml2WebSsoAuthenticationFilter(authenticationConverter, loginProcessingUrl);
 		this.filter.setAuthenticationManager(this.authenticationManager);
 		this.request.setPathInfo("/registration-id/login/saml2/sso");
-		this.request.setParameter("SAMLResponse", "response");
+		this.request.setParameter(Saml2ParameterNames.SAML_RESPONSE, "response");
 		this.filter.doFilter(this.request, this.response, new MockFilterChain());
 		verify(this.repository).findByRegistrationId("registration-id");
 	}

saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/web/DefaultSaml2AuthenticationRequestContextResolverTests.java

@@ -20,6 +20,7 @@ import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 
 import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.security.saml2.core.Saml2ParameterNames;
 import org.springframework.security.saml2.credentials.TestSaml2X509Credentials;
 import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationRequestContext;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
@@ -69,7 +70,7 @@ public class DefaultSaml2AuthenticationRequestContextResolverTests {
 
 	@Test
 	public void resolveWhenRequestAndRelyingPartyNotNullThenCreateSaml2AuthenticationRequestContext() {
-		this.request.addParameter("RelayState", "relay-state");
+		this.request.addParameter(Saml2ParameterNames.RELAY_STATE, "relay-state");
 		Saml2AuthenticationRequestContext context = this.authenticationRequestContextResolver.resolve(this.request);
 		assertThat(context).isNotNull();
 		assertThat(context.getAssertionConsumerServiceUrl()).isEqualTo(RELYING_PARTY_SSO_URL);

saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/web/Saml2AuthenticationTokenConverterTests.java

@@ -30,6 +30,7 @@ import org.springframework.core.convert.converter.Converter;
 import org.springframework.core.io.ClassPathResource;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.security.saml2.core.Saml2ErrorCodes;
+import org.springframework.security.saml2.core.Saml2ParameterNames;
 import org.springframework.security.saml2.core.Saml2Utils;
 import org.springframework.security.saml2.provider.service.authentication.AbstractSaml2AuthenticationRequest;
 import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException;
@@ -63,7 +64,8 @@ public class Saml2AuthenticationTokenConverterTests {
 		given(this.relyingPartyRegistrationResolver.convert(any(HttpServletRequest.class)))
 				.willReturn(this.relyingPartyRegistration);
 		MockHttpServletRequest request = new MockHttpServletRequest();
-		request.setParameter("SAMLResponse", Saml2Utils.samlEncode("response".getBytes(StandardCharsets.UTF_8)));
+		request.setParameter(Saml2ParameterNames.SAML_RESPONSE,
+				Saml2Utils.samlEncode("response".getBytes(StandardCharsets.UTF_8)));
 		Saml2AuthenticationToken token = converter.convert(request);
 		assertThat(token.getSaml2Response()).isEqualTo("response");
 		assertThat(token.getRelyingPartyRegistration().getRegistrationId())
@@ -77,7 +79,7 @@ public class Saml2AuthenticationTokenConverterTests {
 		given(this.relyingPartyRegistrationResolver.convert(any(HttpServletRequest.class)))
 				.willReturn(this.relyingPartyRegistration);
 		MockHttpServletRequest request = new MockHttpServletRequest();
-		request.setParameter("SAMLResponse", "invalid");
+		request.setParameter(Saml2ParameterNames.SAML_RESPONSE, "invalid");
 		assertThatExceptionOfType(Saml2AuthenticationException.class).isThrownBy(() -> converter.convert(request))
 				.withCauseInstanceOf(IllegalArgumentException.class)
 				.satisfies((ex) -> assertThat(ex.getSaml2Error().getErrorCode())
@@ -115,7 +117,7 @@ public class Saml2AuthenticationTokenConverterTests {
 		request.setMethod("GET");
 		byte[] deflated = Saml2Utils.samlDeflate("response");
 		String encoded = Saml2Utils.samlEncode(deflated);
-		request.setParameter("SAMLResponse", encoded);
+		request.setParameter(Saml2ParameterNames.SAML_RESPONSE, encoded);
 		Saml2AuthenticationToken token = converter.convert(request);
 		assertThat(token.getSaml2Response()).isEqualTo("response");
 		assertThat(token.getRelyingPartyRegistration().getRegistrationId())
@@ -132,7 +134,7 @@ public class Saml2AuthenticationTokenConverterTests {
 		request.setMethod("GET");
 		byte[] invalidDeflated = "invalid".getBytes();
 		String encoded = Saml2Utils.samlEncode(invalidDeflated);
-		request.setParameter("SAMLResponse", encoded);
+		request.setParameter(Saml2ParameterNames.SAML_RESPONSE, encoded);
 		assertThatExceptionOfType(Saml2AuthenticationException.class).isThrownBy(() -> converter.convert(request))
 				.withCauseInstanceOf(IOException.class)
 				.satisfies((ex) -> assertThat(ex.getSaml2Error().getErrorCode())
@@ -148,7 +150,7 @@ public class Saml2AuthenticationTokenConverterTests {
 		given(this.relyingPartyRegistrationResolver.convert(any(HttpServletRequest.class)))
 				.willReturn(this.relyingPartyRegistration);
 		MockHttpServletRequest request = new MockHttpServletRequest();
-		request.setParameter("SAMLResponse", getSsoCircleEncodedXml());
+		request.setParameter(Saml2ParameterNames.SAML_RESPONSE, getSsoCircleEncodedXml());
 		Saml2AuthenticationToken token = converter.convert(request);
 		validateSsoCircleXml(token.getSaml2Response());
 	}
@@ -166,7 +168,8 @@ public class Saml2AuthenticationTokenConverterTests {
 		given(authenticationRequestRepository.loadAuthenticationRequest(any(HttpServletRequest.class)))
 				.willReturn(authenticationRequest);
 		MockHttpServletRequest request = new MockHttpServletRequest();
-		request.setParameter("SAMLResponse", Saml2Utils.samlEncode("response".getBytes(StandardCharsets.UTF_8)));
+		request.setParameter(Saml2ParameterNames.SAML_RESPONSE,
+				Saml2Utils.samlEncode("response".getBytes(StandardCharsets.UTF_8)));
 		Saml2AuthenticationToken token = converter.convert(request);
 		assertThat(token.getSaml2Response()).isEqualTo("response");
 		assertThat(token.getRelyingPartyRegistration().getRegistrationId())

saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/web/authentication/logout/HttpSessionLogoutRequestRepositoryTests.java

@@ -24,6 +24,7 @@ import org.junit.jupiter.api.Test;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.mock.web.MockHttpSession;
+import org.springframework.security.saml2.core.Saml2ParameterNames;
 import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
 import org.springframework.security.saml2.provider.service.registration.TestRelyingPartyRegistrations;
@@ -46,7 +47,7 @@ public class HttpSessionLogoutRequestRepositoryTests {
 	@Test
 	public void loadLogoutRequestWhenNotSavedThenReturnNull() {
 		MockHttpServletRequest request = new MockHttpServletRequest();
-		request.addParameter("RelayState", "state-1234");
+		request.addParameter(Saml2ParameterNames.RELAY_STATE, "state-1234");
 		Saml2LogoutRequest logoutRequest = this.logoutRequestRepository.loadLogoutRequest(request);
 		assertThat(logoutRequest).isNull();
 	}
@@ -57,7 +58,7 @@ public class HttpSessionLogoutRequestRepositoryTests {
 		MockHttpServletResponse response = new MockHttpServletResponse();
 		Saml2LogoutRequest logoutRequest = createLogoutRequest().build();
 		this.logoutRequestRepository.saveLogoutRequest(logoutRequest, request, response);
-		request.addParameter("RelayState", logoutRequest.getRelayState());
+		request.addParameter(Saml2ParameterNames.RELAY_STATE, logoutRequest.getRelayState());
 		Saml2LogoutRequest loadedLogoutRequest = this.logoutRequestRepository.loadLogoutRequest(request);
 		assertThat(loadedLogoutRequest).isEqualTo(logoutRequest);
 	}
@@ -70,9 +71,9 @@ public class HttpSessionLogoutRequestRepositoryTests {
 		this.logoutRequestRepository.saveLogoutRequest(one, request, response);
 		Saml2LogoutRequest two = createLogoutRequest().relayState("state-3344").build();
 		this.logoutRequestRepository.saveLogoutRequest(two, request, response);
-		request.setParameter("RelayState", one.getRelayState());
+		request.setParameter(Saml2ParameterNames.RELAY_STATE, one.getRelayState());
 		assertThat(this.logoutRequestRepository.loadLogoutRequest(request)).isNull();
-		request.setParameter("RelayState", two.getRelayState());
+		request.setParameter(Saml2ParameterNames.RELAY_STATE, two.getRelayState());
 		assertThat(this.logoutRequestRepository.loadLogoutRequest(request)).isEqualTo(two);
 	}
 
@@ -110,7 +111,7 @@ public class HttpSessionLogoutRequestRepositoryTests {
 		MockHttpServletRequest request = new MockHttpServletRequest();
 		Saml2LogoutRequest logoutRequest = createLogoutRequest().build();
 		this.logoutRequestRepository.saveLogoutRequest(logoutRequest, request, new MockHttpServletResponse());
-		request.addParameter("RelayState", logoutRequest.getRelayState());
+		request.addParameter(Saml2ParameterNames.RELAY_STATE, logoutRequest.getRelayState());
 		Saml2LogoutRequest loadedLogoutRequest = this.logoutRequestRepository.loadLogoutRequest(request);
 		assertThat(loadedLogoutRequest).isEqualTo(logoutRequest);
 	}
@@ -121,7 +122,7 @@ public class HttpSessionLogoutRequestRepositoryTests {
 		request.setSession(new MockDistributedHttpSession());
 		Saml2LogoutRequest logoutRequest = createLogoutRequest().build();
 		this.logoutRequestRepository.saveLogoutRequest(logoutRequest, request, new MockHttpServletResponse());
-		request.addParameter("RelayState", logoutRequest.getRelayState());
+		request.addParameter(Saml2ParameterNames.RELAY_STATE, logoutRequest.getRelayState());
 		Saml2LogoutRequest loadedLogoutRequest = this.logoutRequestRepository.loadLogoutRequest(request);
 		assertThat(loadedLogoutRequest).isEqualTo(logoutRequest);
 	}
@@ -134,7 +135,7 @@ public class HttpSessionLogoutRequestRepositoryTests {
 		this.logoutRequestRepository.saveLogoutRequest(logoutRequest1, request, new MockHttpServletResponse());
 		Saml2LogoutRequest logoutRequest2 = createLogoutRequest().build();
 		this.logoutRequestRepository.saveLogoutRequest(logoutRequest2, request, new MockHttpServletResponse());
-		request.addParameter("RelayState", logoutRequest2.getRelayState());
+		request.addParameter(Saml2ParameterNames.RELAY_STATE, logoutRequest2.getRelayState());
 		Saml2LogoutRequest loadedLogoutRequest = this.logoutRequestRepository.loadLogoutRequest(request);
 		assertThat(loadedLogoutRequest).isEqualTo(logoutRequest2);
 	}
@@ -145,7 +146,7 @@ public class HttpSessionLogoutRequestRepositoryTests {
 		MockHttpServletResponse response = new MockHttpServletResponse();
 		Saml2LogoutRequest logoutRequest = createLogoutRequest().build();
 		this.logoutRequestRepository.saveLogoutRequest(logoutRequest, request, response);
-		request.addParameter("RelayState", logoutRequest.getRelayState());
+		request.addParameter(Saml2ParameterNames.RELAY_STATE, logoutRequest.getRelayState());
 		this.logoutRequestRepository.saveLogoutRequest(null, request, response);
 		Saml2LogoutRequest loadedLogoutRequest = this.logoutRequestRepository.loadLogoutRequest(request);
 		assertThat(loadedLogoutRequest).isNull();
@@ -169,7 +170,7 @@ public class HttpSessionLogoutRequestRepositoryTests {
 		MockHttpServletResponse response = new MockHttpServletResponse();
 		Saml2LogoutRequest logoutRequest = createLogoutRequest().build();
 		this.logoutRequestRepository.saveLogoutRequest(logoutRequest, request, response);
-		request.addParameter("RelayState", logoutRequest.getRelayState());
+		request.addParameter(Saml2ParameterNames.RELAY_STATE, logoutRequest.getRelayState());
 		Saml2LogoutRequest removedLogoutRequest = this.logoutRequestRepository.removeLogoutRequest(request, response);
 		Saml2LogoutRequest loadedLogoutRequest = this.logoutRequestRepository.loadLogoutRequest(request);
 		assertThat(removedLogoutRequest).isNotNull();
@@ -183,7 +184,7 @@ public class HttpSessionLogoutRequestRepositoryTests {
 		MockHttpServletResponse response = new MockHttpServletResponse();
 		Saml2LogoutRequest logoutRequest = createLogoutRequest().build();
 		this.logoutRequestRepository.saveLogoutRequest(logoutRequest, request, response);
-		request.addParameter("RelayState", logoutRequest.getRelayState());
+		request.addParameter(Saml2ParameterNames.RELAY_STATE, logoutRequest.getRelayState());
 		Saml2LogoutRequest removedLogoutRequest = this.logoutRequestRepository.removeLogoutRequest(request, response);
 		String sessionAttributeName = HttpSessionLogoutRequestRepository.class.getName() + ".AUTHORIZATION_REQUEST";
 		assertThat(removedLogoutRequest).isNotNull();
@@ -193,7 +194,7 @@ public class HttpSessionLogoutRequestRepositoryTests {
 	@Test
 	public void removeLogoutRequestWhenNotSavedThenNotRemoved() {
 		MockHttpServletRequest request = new MockHttpServletRequest();
-		request.addParameter("RelayState", "state-1234");
+		request.addParameter(Saml2ParameterNames.RELAY_STATE, "state-1234");
 		MockHttpServletResponse response = new MockHttpServletResponse();
 		Saml2LogoutRequest removedLogoutRequest = this.logoutRequestRepository.removeLogoutRequest(request, response);
 		assertThat(removedLogoutRequest).isNull();
@@ -202,7 +203,7 @@ public class HttpSessionLogoutRequestRepositoryTests {
 	private Saml2LogoutRequest.Builder createLogoutRequest() {
 		RelyingPartyRegistration registration = TestRelyingPartyRegistrations.full().build();
 		return Saml2LogoutRequest.withRelyingPartyRegistration(registration).samlRequest("request").id("id")
-				.parameters((params) -> params.put("RelayState", "state-1234"));
+				.parameters((params) -> params.put(Saml2ParameterNames.RELAY_STATE, "state-1234"));
 	}
 
 	static class MockDistributedHttpSession extends MockHttpSession {

saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/web/authentication/logout/OpenSamlLogoutRequestResolverTests.java

@@ -31,6 +31,7 @@ import org.w3c.dom.Element;
 
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.security.saml2.Saml2Exception;
+import org.springframework.security.saml2.core.Saml2ParameterNames;
 import org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal;
 import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication;
 import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest;
@@ -63,9 +64,9 @@ public class OpenSamlLogoutRequestResolverTests {
 		HttpServletRequest request = new MockHttpServletRequest();
 		given(this.relyingPartyRegistrationResolver.resolve(any(), any())).willReturn(registration);
 		Saml2LogoutRequest saml2LogoutRequest = this.logoutRequestResolver.resolve(request, authentication);
-		assertThat(saml2LogoutRequest.getParameter("SigAlg")).isNotNull();
-		assertThat(saml2LogoutRequest.getParameter("Signature")).isNotNull();
-		assertThat(saml2LogoutRequest.getParameter("RelayState")).isNotNull();
+		assertThat(saml2LogoutRequest.getParameter(Saml2ParameterNames.SIG_ALG)).isNotNull();
+		assertThat(saml2LogoutRequest.getParameter(Saml2ParameterNames.SIGNATURE)).isNotNull();
+		assertThat(saml2LogoutRequest.getParameter(Saml2ParameterNames.RELAY_STATE)).isNotNull();
 		Saml2MessageBinding binding = registration.getAssertingPartyDetails().getSingleLogoutServiceBinding();
 		LogoutRequest logoutRequest = getLogoutRequest(saml2LogoutRequest.getSamlRequest(), binding);
 		assertThat(logoutRequest.getNameID().getValue()).isEqualTo(authentication.getName());
@@ -79,9 +80,9 @@ public class OpenSamlLogoutRequestResolverTests {
 		HttpServletRequest request = new MockHttpServletRequest();
 		given(this.relyingPartyRegistrationResolver.resolve(any(), any())).willReturn(registration);
 		Saml2LogoutRequest saml2LogoutRequest = this.logoutRequestResolver.resolve(request, authentication);
-		assertThat(saml2LogoutRequest.getParameter("SigAlg")).isNull();
-		assertThat(saml2LogoutRequest.getParameter("Signature")).isNull();
-		assertThat(saml2LogoutRequest.getParameter("RelayState")).isNotNull();
+		assertThat(saml2LogoutRequest.getParameter(Saml2ParameterNames.SIG_ALG)).isNull();
+		assertThat(saml2LogoutRequest.getParameter(Saml2ParameterNames.SIGNATURE)).isNull();
+		assertThat(saml2LogoutRequest.getParameter(Saml2ParameterNames.RELAY_STATE)).isNotNull();
 		Saml2MessageBinding binding = registration.getAssertingPartyDetails().getSingleLogoutServiceBinding();
 		LogoutRequest logoutRequest = getLogoutRequest(saml2LogoutRequest.getSamlRequest(), binding);
 		assertThat(logoutRequest.getNameID().getValue()).isEqualTo(authentication.getName());

saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/web/authentication/logout/OpenSamlLogoutResponseResolverTests.java

@@ -32,6 +32,7 @@ import org.w3c.dom.Element;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.saml2.Saml2Exception;
+import org.springframework.security.saml2.core.Saml2ParameterNames;
 import org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal;
 import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication;
 import org.springframework.security.saml2.provider.service.authentication.TestOpenSamlObjects;
@@ -63,15 +64,15 @@ public class OpenSamlLogoutResponseResolverTests {
 		RelyingPartyRegistration registration = TestRelyingPartyRegistrations.full().build();
 		MockHttpServletRequest request = new MockHttpServletRequest();
 		LogoutRequest logoutRequest = TestOpenSamlObjects.assertingPartyLogoutRequest(registration);
-		request.setParameter("SAMLRequest",
+		request.setParameter(Saml2ParameterNames.SAML_REQUEST,
 				Saml2Utils.samlEncode(OpenSamlSigningUtils.serialize(logoutRequest).getBytes()));
-		request.setParameter("RelayState", "abcd");
+		request.setParameter(Saml2ParameterNames.RELAY_STATE, "abcd");
 		Authentication authentication = authentication(registration);
 		given(this.relyingPartyRegistrationResolver.resolve(any(), any())).willReturn(registration);
 		Saml2LogoutResponse saml2LogoutResponse = this.logoutResponseResolver.resolve(request, authentication);
-		assertThat(saml2LogoutResponse.getParameter("SigAlg")).isNotNull();
-		assertThat(saml2LogoutResponse.getParameter("Signature")).isNotNull();
-		assertThat(saml2LogoutResponse.getParameter("RelayState")).isSameAs("abcd");
+		assertThat(saml2LogoutResponse.getParameter(Saml2ParameterNames.SIG_ALG)).isNotNull();
+		assertThat(saml2LogoutResponse.getParameter(Saml2ParameterNames.SIGNATURE)).isNotNull();
+		assertThat(saml2LogoutResponse.getParameter(Saml2ParameterNames.RELAY_STATE)).isSameAs("abcd");
 		Saml2MessageBinding binding = registration.getAssertingPartyDetails().getSingleLogoutServiceBinding();
 		LogoutResponse logoutResponse = getLogoutResponse(saml2LogoutResponse.getSamlResponse(), binding);
 		assertThat(logoutResponse.getStatus().getStatusCode().getValue()).isEqualTo(StatusCode.SUCCESS);
@@ -83,15 +84,15 @@ public class OpenSamlLogoutResponseResolverTests {
 				.assertingPartyDetails((party) -> party.singleLogoutServiceBinding(Saml2MessageBinding.POST)).build();
 		MockHttpServletRequest request = new MockHttpServletRequest();
 		LogoutRequest logoutRequest = TestOpenSamlObjects.assertingPartyLogoutRequest(registration);
-		request.setParameter("SAMLRequest",
+		request.setParameter(Saml2ParameterNames.SAML_REQUEST,
 				Saml2Utils.samlEncode(OpenSamlSigningUtils.serialize(logoutRequest).getBytes()));
-		request.setParameter("RelayState", "abcd");
+		request.setParameter(Saml2ParameterNames.RELAY_STATE, "abcd");
 		Authentication authentication = authentication(registration);
 		given(this.relyingPartyRegistrationResolver.resolve(any(), any())).willReturn(registration);
 		Saml2LogoutResponse saml2LogoutResponse = this.logoutResponseResolver.resolve(request, authentication);
-		assertThat(saml2LogoutResponse.getParameter("SigAlg")).isNull();
-		assertThat(saml2LogoutResponse.getParameter("Signature")).isNull();
-		assertThat(saml2LogoutResponse.getParameter("RelayState")).isSameAs("abcd");
+		assertThat(saml2LogoutResponse.getParameter(Saml2ParameterNames.SIG_ALG)).isNull();
+		assertThat(saml2LogoutResponse.getParameter(Saml2ParameterNames.SIGNATURE)).isNull();
+		assertThat(saml2LogoutResponse.getParameter(Saml2ParameterNames.RELAY_STATE)).isSameAs("abcd");
 		Saml2MessageBinding binding = registration.getAssertingPartyDetails().getSingleLogoutServiceBinding();
 		LogoutResponse logoutResponse = getLogoutResponse(saml2LogoutResponse.getSamlResponse(), binding);
 		assertThat(logoutResponse.getStatus().getStatusCode().getValue()).isEqualTo(StatusCode.SUCCESS);

saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/web/authentication/logout/Saml2LogoutRequestFilterTests.java

@@ -26,6 +26,7 @@ import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.saml2.core.Saml2Error;
+import org.springframework.security.saml2.core.Saml2ParameterNames;
 import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequestValidator;
 import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutResponse;
 import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutValidatorResult;
@@ -71,7 +72,7 @@ public class Saml2LogoutRequestFilterTests {
 		SecurityContextHolder.getContext().setAuthentication(authentication);
 		MockHttpServletRequest request = new MockHttpServletRequest("POST", "/logout/saml2/slo");
 		request.setServletPath("/logout/saml2/slo");
-		request.setParameter("SAMLRequest", "request");
+		request.setParameter(Saml2ParameterNames.SAML_REQUEST, "request");
 		MockHttpServletResponse response = new MockHttpServletResponse();
 		given(this.relyingPartyRegistrationResolver.resolve(any(), any())).willReturn(registration);
 		given(this.logoutRequestValidator.validate(any())).willReturn(Saml2LogoutValidatorResult.success());
@@ -83,7 +84,7 @@ public class Saml2LogoutRequestFilterTests {
 		verify(this.logoutHandler).logout(any(), any(), any());
 		verify(this.logoutResponseResolver).resolve(any(), any());
 		String content = response.getHeader("Location");
-		assertThat(content).contains("SAMLResponse");
+		assertThat(content).contains(Saml2ParameterNames.SAML_RESPONSE);
 		assertThat(content)
 				.startsWith(registration.getAssertingPartyDetails().getSingleLogoutServiceResponseLocation());
 	}
@@ -96,7 +97,7 @@ public class Saml2LogoutRequestFilterTests {
 		SecurityContextHolder.getContext().setAuthentication(authentication);
 		MockHttpServletRequest request = new MockHttpServletRequest("POST", "/logout/saml2/slo");
 		request.setServletPath("/logout/saml2/slo");
-		request.setParameter("SAMLRequest", "request");
+		request.setParameter(Saml2ParameterNames.SAML_REQUEST, "request");
 		MockHttpServletResponse response = new MockHttpServletResponse();
 		given(this.relyingPartyRegistrationResolver.resolve(any(), any())).willReturn(registration);
 		given(this.logoutRequestValidator.validate(any())).willReturn(Saml2LogoutValidatorResult.success());
@@ -108,7 +109,7 @@ public class Saml2LogoutRequestFilterTests {
 		verify(this.logoutHandler).logout(any(), any(), any());
 		verify(this.logoutResponseResolver).resolve(any(), any());
 		String content = response.getContentAsString();
-		assertThat(content).contains("SAMLResponse");
+		assertThat(content).contains(Saml2ParameterNames.SAML_RESPONSE);
 		assertThat(content).contains(registration.getAssertingPartyDetails().getSingleLogoutServiceResponseLocation());
 	}
 
@@ -118,7 +119,7 @@ public class Saml2LogoutRequestFilterTests {
 		SecurityContextHolder.getContext().setAuthentication(authentication);
 		MockHttpServletRequest request = new MockHttpServletRequest("POST", "/logout");
 		request.setServletPath("/logout");
-		request.setParameter("SAMLResponse", "response");
+		request.setParameter(Saml2ParameterNames.SAML_RESPONSE, "response");
 		MockHttpServletResponse response = new MockHttpServletResponse();
 		this.logoutRequestProcessingFilter.doFilterInternal(request, response, new MockFilterChain());
 		verifyNoInteractions(this.logoutRequestValidator, this.logoutHandler);
@@ -142,7 +143,7 @@ public class Saml2LogoutRequestFilterTests {
 		SecurityContextHolder.getContext().setAuthentication(authentication);
 		MockHttpServletRequest request = new MockHttpServletRequest("POST", "/logout/saml2/slo");
 		request.setServletPath("/logout/saml2/slo");
-		request.setParameter("SAMLRequest", "request");
+		request.setParameter(Saml2ParameterNames.SAML_REQUEST, "request");
 		MockHttpServletResponse response = new MockHttpServletResponse();
 		given(this.relyingPartyRegistrationResolver.resolve(request, null)).willReturn(registration);
 		given(this.logoutRequestValidator.validate(any()))

saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/web/authentication/logout/Saml2LogoutResponseFilterTests.java

@@ -27,6 +27,7 @@ import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.saml2.core.Saml2Error;
+import org.springframework.security.saml2.core.Saml2ParameterNames;
 import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest;
 import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutResponseValidator;
 import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutValidatorResult;
@@ -74,7 +75,7 @@ public class Saml2LogoutResponseFilterTests {
 		SecurityContextHolder.getContext().setAuthentication(authentication);
 		MockHttpServletRequest request = new MockHttpServletRequest("POST", "/logout/saml2/slo");
 		request.setServletPath("/logout/saml2/slo");
-		request.setParameter("SAMLResponse", "response");
+		request.setParameter(Saml2ParameterNames.SAML_RESPONSE, "response");
 		MockHttpServletResponse response = new MockHttpServletResponse();
 		RelyingPartyRegistration registration = TestRelyingPartyRegistrations.full().build();
 		given(this.relyingPartyRegistrationResolver.resolve(request, "registration-id")).willReturn(registration);
@@ -93,7 +94,7 @@ public class Saml2LogoutResponseFilterTests {
 		SecurityContextHolder.getContext().setAuthentication(authentication);
 		MockHttpServletRequest request = new MockHttpServletRequest("GET", "/logout/saml2/slo");
 		request.setServletPath("/logout/saml2/slo");
-		request.setParameter("SAMLResponse", "response");
+		request.setParameter(Saml2ParameterNames.SAML_RESPONSE, "response");
 		MockHttpServletResponse response = new MockHttpServletResponse();
 		RelyingPartyRegistration registration = TestRelyingPartyRegistrations.full()
 				.singleLogoutServiceBinding(Saml2MessageBinding.REDIRECT).build();
@@ -113,7 +114,7 @@ public class Saml2LogoutResponseFilterTests {
 		SecurityContextHolder.getContext().setAuthentication(authentication);
 		MockHttpServletRequest request = new MockHttpServletRequest("POST", "/logout");
 		request.setServletPath("/logout");
-		request.setParameter("SAMLRequest", "request");
+		request.setParameter(Saml2ParameterNames.SAML_REQUEST, "request");
 		MockHttpServletResponse response = new MockHttpServletResponse();
 		this.logoutResponseProcessingFilter.doFilterInternal(request, response, new MockFilterChain());
 		verifyNoInteractions(this.logoutResponseValidator, this.logoutSuccessHandler);
@@ -136,7 +137,7 @@ public class Saml2LogoutResponseFilterTests {
 		SecurityContextHolder.getContext().setAuthentication(authentication);
 		MockHttpServletRequest request = new MockHttpServletRequest("POST", "/logout/saml2/slo");
 		request.setServletPath("/logout/saml2/slo");
-		request.setParameter("SAMLResponse", "response");
+		request.setParameter(Saml2ParameterNames.SAML_RESPONSE, "response");
 		MockHttpServletResponse response = new MockHttpServletResponse();
 		RelyingPartyRegistration registration = TestRelyingPartyRegistrations.full().build();
 		given(this.relyingPartyRegistrationResolver.resolve(request, "registration-id")).willReturn(registration);

saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/web/authentication/logout/Saml2RelyingPartyInitiatedLogoutSuccessHandlerTests.java

@@ -27,6 +27,7 @@ import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.saml2.core.Saml2ParameterNames;
 import org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal;
 import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication;
 import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest;
@@ -76,7 +77,7 @@ public class Saml2RelyingPartyInitiatedLogoutSuccessHandlerTests {
 		given(this.logoutRequestResolver.resolve(any(), any())).willReturn(logoutRequest);
 		this.logoutRequestSuccessHandler.onLogoutSuccess(request, response, authentication);
 		String content = response.getHeader("Location");
-		assertThat(content).contains("SAMLRequest");
+		assertThat(content).contains(Saml2ParameterNames.SAML_REQUEST);
 		assertThat(content).startsWith(registration.getAssertingPartyDetails().getSingleLogoutServiceLocation());
 	}
 
@@ -94,7 +95,7 @@ public class Saml2RelyingPartyInitiatedLogoutSuccessHandlerTests {
 		given(this.logoutRequestResolver.resolve(any(), any())).willReturn(logoutRequest);
 		this.logoutRequestSuccessHandler.onLogoutSuccess(request, response, authentication);
 		String content = response.getContentAsString();
-		assertThat(content).contains("SAMLRequest");
+		assertThat(content).contains(Saml2ParameterNames.SAML_REQUEST);
 		assertThat(content).contains(registration.getAssertingPartyDetails().getSingleLogoutServiceLocation());
 	}