When running a Policy Server for Federation journey, and having 3 partnerships for the same flow, in the third flow the Policy Server sends the Entity ID of this third Partnership as Audience Restriction, instead of the Entity ID of the first Partnership.
Modify such assertion to fit the business needs by coding a Custom Assertion Generator as mentioned here in the documentation (1)(2).
The SiteMinder SDK package provides some samples:
sdk/samples/assertiongeneratorplugin:
AssertionSample.java
SAML2AppAttrPlugin.java
SAML2AssertionSample.java
SAML2AuthnRequestSample.java
WSFedAppAttrPlugin.java
The SAML2AssertionSample.java gives that custom function to modify the NameID for an email, that can give you an idea how you can apply it to the AudienceRestriction tag.
Find all the cumulative patches for all other SiteMinder components (3).
Download the latest SDK (4). As per best practices, use the same SDK version as the Policy Server version to have all the function in sync with the Policy Server version.