Spring Security Saml2WebSsoAuthenticationRequestFilter should not use OpenSamlAuthenticationRequestFactory by default

If Saml2WebSsoAuthenticationRequestFilter uses OpenSamlAuthenticationRequestFactory by default, then Spring Security is dependent on OpenSAML even if the application implements their own Saml2AuthenticationRequestFactory and AuthenticationProvider.

Instead, the constructor should require a Saml2AuthenticationRequestFactory.

Note that this behavior can be verified by creating a project that uses spring-security-saml2-service-provider, excludes the OpenSAML dependencies, and simply constructs a Saml2WebSsoAuthenticationRequestFilter in the main method:

public static void main(String[] args) {
    RelyingPartyRegistrationRepository repository = id -> null;
    Saml2AuthenticationRequestFactory factory = request -> null;
    Saml2WebSsoAuthenticationRequestFilter filter = 
        new Saml2WebSsoAuthenticationRequestFilter(repository); // throws ClassNotFoundException
    filter.setAuthenticationRequestFactory(factory);
}