diff --git a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2LoginResponseBuilder.java b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2LoginResponseBuilder.java
index bc0bb26..0b7dfb4 100755
--- a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2LoginResponseBuilder.java
+++ b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2LoginResponseBuilder.java
@@ -17,8 +17,10 @@ import org.keycloak.dom.saml.v2.assertion.AssertionType;
import org.keycloak.dom.saml.v2.assertion.AuthnStatementType;
import org.keycloak.dom.saml.v2.assertion.ConditionsType;
import org.keycloak.dom.saml.v2.assertion.SubjectConfirmationDataType;
+import org.keycloak.dom.saml.v2.assertion.AudienceRestrictionType;
import org.keycloak.dom.saml.v2.protocol.ResponseType;
import org.w3c.dom.Document;
+import java.net.URI;
import static org.keycloak.saml.common.util.StringUtil.isNotNull;
@@ -156,6 +158,11 @@ public class SAML2LoginResponseBuilder {
AssertionType assertion = responseType.getAssertions().get(0).getAssertion();
+ //Add request issuer as the audience restriction
+ AudienceRestrictionType audience = new AudienceRestrictionType();
+ audience.addAudience(URI.create(requestIssuer));
+ assertion.getConditions().addCondition(audience);
+
//Update Conditions NotOnOrAfter
if(assertionExpiration > 0) {
ConditionsType conditions = assertion.getConditions();
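Review bot: `URI.create(requestIssuer)` in the added block is unguarded: a null `requestIssuer` throws NullPointerException and a string that is not a syntactically valid URI throws IllegalArgumentException, so either case aborts the response build with an unchecked exception. Where `requestIssuer` is assigned is not visible in this hunk; if it can be unset or is taken from a free-form client identifier, check it before this block, e.g. `if (!isNotNull(requestIssuer)) throw new IllegalStateException("requestIssuer is required for the AudienceRestriction");`. Failing with a clear error is preferable to silently skipping the condition, because an assertion without an audience restriction is not bound to a single service provider. A one-line comment stating that the audience must equal the service provider's entity ID would also help; the enclosing method starts and ends outside the hunk.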