Integrates OpenSAML 4.3 with SAML authenticator

[willyborankin]

Description

In order to exclude permission org.opensearch.secure_sm.ThreadPermission "modifyArbitraryThread"; we must use the dedicated cleaners thread factory in OpenSearch. Since OpenSAML packages are sealed it it impossible to replace CleanerSupport class with our own solution. Instead we have to change configuration of how such objects should be parsed. There are only 2 classes in the library which use CleanerSupport:

• X509CertificateImpl
• X509CRLImpl

This fix uses the same solution as in OpenSAML and replaces CleanerSupport with our custom implementation CleanerFactory.

Issues Resolved

#2989

Check List

• New functionality includes testing
• New functionality has been documented
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[DarshitChanpura]

Thank you for opening this PR @willyborankin. A general request: could you please add description to all new classes to help understand the role of each class?

Also, would you mind adding some tests for this?

[willyborankin]

@reta and @DarshitChanpura comments addressed

[stephen-crawford]

Since this is a refactor of SAML, I think the existing tests should be sufficient. This looks good to me.

[DarshitChanpura]

@reta I've resolved the conversations since you've given your approval.

[DarshitChanpura]

Thank you @willyborankin !

[DarshitChanpura]

@willyborankin Is this ready to be backported to 2.x?

[willyborankin]

@willyborankin Is this ready to be backported to 2.x?

@DarshitChanpura lets see how it will behave with other tests. If it is ok lets add the label.

[opensearch-trigger-bot]

The backport to 2.11 failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/security/backport-2.11 2.11
# Navigate to the new working tree
pushd ../.worktrees/security/backport-2.11
# Create a new branch
git switch --create backport/backport-3651-to-2.11
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 44a03c5a5929357a2e936b45dd754085fd282f0f
# Push it to GitHub
git push --set-upstream origin backport/backport-3651-to-2.11
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/security/backport-2.11

Then, create a pull request where the base branch is 2.11 and the compare/head branch is backport/backport-3651-to-2.11.

[opensearch-trigger-bot]

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/security/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/security/backport-2.x
# Create a new branch
git switch --create backport/backport-3651-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 44a03c5a5929357a2e936b45dd754085fd282f0f
# Push it to GitHub
git push --set-upstream origin backport/backport-3651-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/security/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-3651-to-2.x.