From 8b1e5edba5ca275f6b1f9c26469746753ccabad4 Mon Sep 17 00:00:00 2001
From: Tim van Dijen <tim.dijen@minbzk.nl>
Date: Mon, 17 Aug 2020 15:44:46 +0200
Subject: [PATCH] Allow additional Audiences to be specified (#1345)

---
 docs/simplesamlphp-reference-sp-remote.md | 3 +++
 modules/saml/lib/IdP/SAML2.php            | 4 +++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/docs/simplesamlphp-reference-sp-remote.md b/docs/simplesamlphp-reference-sp-remote.md
index 485d996bf..345cf4cba 100644
--- a/docs/simplesamlphp-reference-sp-remote.md
+++ b/docs/simplesamlphp-reference-sp-remote.md
@@ -168,6 +168,9 @@ The following SAML 2.0 options are available:
 
 :   (This option was previously named `AttributeNameFormat`.)
 
+`audience`
+:   An array of additional entities to be added to the AudienceRestriction. By default the only audience is the SP's entityID. 
+
 `certData`
 :   The base64 encoded certificate for this SP. This is an alternative to storing the certificate in a file on disk and specifying the filename in the `certificate`-option.
 
diff --git a/modules/saml/lib/IdP/SAML2.php b/modules/saml/lib/IdP/SAML2.php
index c07cfb4f0..37faa0d8e 100644
--- a/modules/saml/lib/IdP/SAML2.php
+++ b/modules/saml/lib/IdP/SAML2.php
@@ -1144,7 +1144,9 @@ class SAML2
         $issuer->setValue($idpMetadata->getString('entityid'));
         $issuer->setFormat(Constants::NAMEID_ENTITY);
         $a->setIssuer($issuer);
-        $a->setValidAudiences([$spMetadata->getString('entityid')]);
+
+        $audience = array_merge([$spMetadata->getString('entityid')], $spMetadata->getArray('audience', []));
+        $a->setValidAudiences($audience);
 
         $a->setNotBefore($now - 30);
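Review bot: The merged list built on the `$audience =` line is neither type-checked nor de-duplicated: `getArray()` only asserts that the option is an array, so a non-string entry reaches `setValidAudiences()` unvalidated, and an `audience` list that repeats the SP's entityID produces a duplicate `<Audience>` element. `getArrayizeString('audience', [])` on the same Configuration object would enforce string elements, and wrapping the merge in `array_values(array_unique(...))` drops repeats: `$audience = array_values(array_unique(array_merge([$spMetadata->getString('entityid')], $spMetadata->getArrayizeString('audience', []))));`. A short why-comment above that line would also help, e.g. `// Every entity listed here may treat the assertion as addressed to it; the option should name only parties the SP legitimately forwards assertions to.`. The enclosing method starts and ends outside the hunk.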
 
-- 
GitLab