From da7039167739a9d2c952be6b1fdaa8b11925ecc6 Mon Sep 17 00:00:00 2001
From: Dane Barentine
Date: Mon, 13 Apr 2015 12:47:40 -0700
Subject: [PATCH] KEYCLOAK-1202 Set AudienceRestriction to the issuer from the original request.

---
 .../keycloak/protocol/saml/SAML2LoginResponseBuilder.java | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2LoginResponseBuilder.java b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2LoginResponseBuilder.java
index bc0bb2638f..0b7dfb4f22 100755
--- a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2LoginResponseBuilder.java
+++ b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2LoginResponseBuilder.java
@@ -17,8 +17,10 @@
 import org.keycloak.dom.saml.v2.assertion.AssertionType;
 import org.keycloak.dom.saml.v2.assertion.AuthnStatementType;
 import org.keycloak.dom.saml.v2.assertion.ConditionsType;
 import org.keycloak.dom.saml.v2.assertion.SubjectConfirmationDataType;
+import org.keycloak.dom.saml.v2.assertion.AudienceRestrictionType;
 import org.keycloak.dom.saml.v2.protocol.ResponseType;
 import org.w3c.dom.Document;
+import java.net.URI;
 
 import static org.keycloak.saml.common.util.StringUtil.isNotNull;
@@ -156,6 +158,11 @@ public class SAML2LoginResponseBuilder {
 
         AssertionType assertion = responseType.getAssertions().get(0).getAssertion();
 
+        //Add request issuer as the audience restriction
+        AudienceRestrictionType audience = new AudienceRestrictionType();
+        audience.addAudience(URI.create(requestIssuer));
+        assertion.getConditions().addCondition(audience);
+
         //Update Conditions NotOnOrAfter
         if(assertionExpiration > 0) {
             ConditionsType conditions = assertion.getConditions();
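Review bot: `URI.create(requestIssuer)` on the third added line of the second hunk throws NullPointerException if requestIssuer was never set on the builder and IllegalArgumentException if the Issuer value is not a syntactically valid URI, and neither case is guarded — SAML entityIDs are not always well-formed URIs in practice, so a malformed value taken from the inbound AuthnRequest would abort response building with an unhelpful error. A guard such as `if (isNotNull(requestIssuer)) {` around the four new lines (the static `isNotNull` import is already in scope per the first hunk), or an explicit check that throws a descriptive exception, would make the failure mode deliberate rather than incidental. Presumably the caller has already matched requestIssuer against the registered client before this builder runs; the AudienceRestriction only pins the assertion to the intended SP if that holds, so a short comment stating that precondition next to `//Add request issuer as the audience restriction` would help the next maintainer. `assertion.getConditions()` is dereferenced on the fourth added line without a null check, consistent with the existing code below it, which is safe only if an earlier part of the method always creates the Conditions element. The enclosing method starts and ends outside the hunk.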