Allow additional Audiences to be specified (#1345)

8b1e5edb · Tim van Dijen · Tim van Dijen · 4b8092df · 8b1e5edb · 8b1e5edb
Commit 8b1e5edb authored 4 years ago by Tim van Dijen Committed by Tim van Dijen 4 years ago
--- a/docs/simplesamlphp-reference-sp-remote.md
+++ b/docs/simplesamlphp-reference-sp-remote.md
@@ -168,6 +168,9 @@ The following SAML 2.0 options are available:

 :   (This option was previously named `AttributeNameFormat`.)

+`audience`
+:   An array of additional entities to be added to the AudienceRestriction. By default the only audience is the SP's entityID. 
+
 `certData`
 :   The base64 encoded certificate for this SP. This is an alternative to storing the certificate in a file on disk and specifying the filename in the `certificate`-option.


--- a/modules/saml/lib/IdP/SAML2.php
+++ b/modules/saml/lib/IdP/SAML2.php
@@ -1144,7 +1144,9 @@ class SAML2
        $issuer->setValue($idpMetadata->getString('entityid'));
        $issuer->setFormat(Constants::NAMEID_ENTITY);
        $a->setIssuer($issuer);
-        $a->setValidAudiences([$spMetadata->getString('entityid')]);
+
+        $audience = array_merge([$spMetadata->getString('entityid')], $spMetadata->getArray('audience', []));
+        $a->setValidAudiences($audience);

        $a->setNotBefore($now - 30);