Allow additional Audiences to be specified (#1345)

0cbc6203 · Tim van Dijen · GitHub · caeb8d04 · 0cbc6203 · 0cbc6203
Unverified Commit 0cbc6203 authored 4 years ago by Tim van Dijen Committed by GitHub 4 years ago
--- a/docs/simplesamlphp-reference-sp-remote.md
+++ b/docs/simplesamlphp-reference-sp-remote.md
@@ -160,6 +160,9 @@ The following options can be set:

 :   (This option was previously named `AttributeNameFormat`.)

+`audience`
+:   An array of additional entities to be added to the AudienceRestriction. By default the only audience is the SP's entityID. 
+
 `certData`
 :   The base64 encoded certificate for this SP. This is an alternative to storing the certificate in a file on disk and specifying the filename in the `certificate`-option.


--- a/modules/saml/lib/IdP/SAML2.php
+++ b/modules/saml/lib/IdP/SAML2.php
@@ -1126,7 +1126,9 @@ class SAML2
        $issuer->setValue($idpMetadata->getString('entityid'));
        $issuer->setFormat(Constants::NAMEID_ENTITY);
        $a->setIssuer($issuer);
-        $a->setValidAudiences([$spMetadata->getString('entityid')]);
+
+        $audience = array_merge([$spMetadata->getString('entityid')], $spMetadata->getArray('audience', []));
+        $a->setValidAudiences($audience);

        $a->setNotBefore($now - 30);