Federation and modification of the AudienceRestriction value

Article ID: 275646


Products

CA Single Sign On Federation (SiteMinder) SITEMINDER

Issue/Introduction


When a Policy Server runs a federation journey that uses three partnerships for the same flow, the third partnership sends its own Entity ID as the AudienceRestriction value in the SAML Response, instead of the Entity ID of the first partnership.

  1. The first federation is used to receive the SAML Request from the application;
  2. The second federation is used to call the external authentication which provides the parameters within the SAML Response;
  3. The third federation is used to send the SAML Response to the application.


Resolution


Modify the assertion to fit the business needs by coding a Custom Assertion Generator plugin, as described in the documentation (1)(2).

The SiteMinder SDK package provides some samples:

  sdk/samples/assertiongeneratorplugin:
  AssertionSample.java
  SAML2AppAttrPlugin.java
  SAML2AssertionSample.java
  SAML2AuthnRequestSample.java
  WSFedAppAttrPlugin.java

SAML2AssertionSample.java shows a custom function that replaces the NameID with an email address; the same approach can be applied to the AudienceRestriction element.
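As an added illustration (not the SDK sample code and not Broadcom's own), the core of such a plugin: a helper that walks the SAML 2.0 assertion DOM and replaces the Audience value with the Entity ID of the intended partnership. It assumes the plugin hook hands the assertion to the helper as an org.w3c.dom.Document before the assertion is signed; the plugin interface wrapper is omitted, and the sample assertion and entity IDs are constructed placeholders.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class AudienceRewriter {
    static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    /** Set every Audience under AudienceRestriction to the expected Entity ID.
     *  Returns the number of Audience elements that were changed. */
    public static int rewriteAudience(Document assertion, String expectedAudience) {
        NodeList restrictions = assertion.getElementsByTagNameNS(SAML2_NS, "AudienceRestriction");
        int changed = 0;
        for (int i = 0; i < restrictions.getLength(); i++) {
            Element restriction = (Element) restrictions.item(i);
            NodeList audiences = restriction.getElementsByTagNameNS(SAML2_NS, "Audience");
            for (int j = 0; j < audiences.getLength(); j++) {
                Element audience = (Element) audiences.item(j);
                if (!expectedAudience.equals(audience.getTextContent().trim())) {
                    audience.setTextContent(expectedAudience);
                    changed++;
                }
            }
        }
        return changed;
    }

    /** Namespace-aware parser with DTD processing disabled (no external entity resolution). */
    public static Document parse(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        DocumentBuilder builder = factory.newDocumentBuilder();
        return builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the Audience carries the third partnership's Entity ID (placeholder values).
        String sample = "<saml:Assertion xmlns:saml=\"" + SAML2_NS + "\" Version=\"2.0\">"
            + "<saml:Conditions><saml:AudienceRestriction>"
            + "<saml:Audience>https://idp.example.test/partnership-3</saml:Audience>"
            + "</saml:AudienceRestriction></saml:Conditions></saml:Assertion>";
        Document doc = parse(sample);
        int changed = rewriteAudience(doc, "https://sp.example.test/partnership-1");
        System.out.println("Audience elements rewritten: " + changed); // 1
    }
}
```

The rewrite has to run before the Policy Server signs the assertion; changing the Audience after signing would invalidate the signature at the application.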

The cumulative patches for all other SiteMinder components are listed in the Hotfix Cumulative Release Index (3).

Download the latest SDK (4). As a best practice, use the same SDK version as the Policy Server so that all functions are in sync with the Policy Server version.


Additional Information


  1. https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/programming/sdks/programming-in-java/customize-saml-assertion-in-java.html
  2. https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/partnership-federation/assertion-configuration-at-the-asserting-party/customize-assertion-content.html
  3. https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/release-announcements/CA-Single-Sign-On-Hotfix-Cumulative-Release-Index/6544#smsdk2
  4. https://support.broadcom.com/web/ecx/solutiondetails?aparNo=99111604&os=MULTI-PLATFORM