From 4fde1b736520232847de99b75f554031cc6174e0 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Wed, 30 Dec 2020 22:15:28 +0100
Subject: [PATCH] providers/saml: allow audience to be empty
---
 authentik/providers/saml/forms.py | 8 +++----
 .../migrations/0010_auto_20201230_2112.py | 22 +++++++++++++++++++
 authentik/providers/saml/models.py | 8 ++++++-
 .../providers/saml/processors/assertion.py | 13 ++++++-----
 swagger.yaml | 4 ++--
 5 files changed, 43 insertions(+), 12 deletions(-)
 create mode 100644 authentik/providers/saml/migrations/0010_auto_20201230_2112.py
diff --git a/authentik/providers/saml/forms.py b/authentik/providers/saml/forms.py
index a5373ce46..9518f6494 100644
--- a/authentik/providers/saml/forms.py
+++ b/authentik/providers/saml/forms.py
@@ -36,17 +36,17 @@ class SAMLProviderForm(forms.ModelForm):
 "name",
 "authorization_flow",
 "acs_url",
- "audience",
 "issuer",
 "sp_binding",
+ "audience",
+ "signing_kp",
+ "verification_kp",
+ "property_mappings",
 "assertion_valid_not_before",
 "assertion_valid_not_on_or_after",
 "session_valid_not_on_or_after",
 "digest_algorithm",
 "signature_algorithm",
- "signing_kp",
- "verification_kp",
- "property_mappings",
 ]
 widgets = {
 "name": forms.TextInput(),
diff --git a/authentik/providers/saml/migrations/0010_auto_20201230_2112.py b/authentik/providers/saml/migrations/0010_auto_20201230_2112.py
new file mode 100644
index 000000000..353bb0798
--- /dev/null
+++ b/authentik/providers/saml/migrations/0010_auto_20201230_2112.py
@@ -0,0 +1,22 @@
+# Generated by Django 3.1.4 on 2020-12-30 21:12
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ("authentik_providers_saml", "0009_auto_20201112_2016"),
+ ]
+
+ operations = [
+ migrations.AlterField(
+ model_name="samlprovider",
+ name="audience",
+ field=models.TextField(
+ blank=True,
+ default="",
+ help_text="Value of the audience restriction field of the asseration. When left empty, no audience restriction will be added.",
+ ),
+ ),
+ ]
diff --git a/authentik/providers/saml/models.py b/authentik/providers/saml/models.py
index 5fe37d055..fedf183de 100644
--- a/authentik/providers/saml/models.py
+++ b/authentik/providers/saml/models.py
@@ -42,7 +42,13 @@ class SAMLProvider(Provider):
 acs_url = models.URLField(verbose_name=_("ACS URL"))
 audience = models.TextField(
 default="",
- help_text=_("Value of the audience restriction field of the asseration."),
+ blank=True,
+ help_text=_(
+ (
+ "Value of the audience restriction field of the asseration. When left empty, "
+ "no audience restriction will be added."
+ )
+ ),
 )
 issuer = models.TextField(
 help_text=_("Also known as EntityID"), default="authentik"
diff --git a/authentik/providers/saml/processors/assertion.py b/authentik/providers/saml/processors/assertion.py
index 6cba0b283..0540f18d1 100644
--- a/authentik/providers/saml/processors/assertion.py
+++ b/authentik/providers/saml/processors/assertion.py
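Review bot: The new help_text lines in models.py carry the typo `asseration` (for `assertion`), and the same wording is copied into the generated 0010 migration and into swagger.yaml, so all three need to change together (and the migration be regenerated) once it is fixed: `"Value of the audience restriction field of the assertion. When left empty, "`. The inner pair of parentheses around the implicitly concatenated string literals is redundant and can be dropped. Since an assertion issued without an AudienceRestriction is not tied to one Service Provider, it may help operators if the help text states that consequence rather than only the mechanics, e.g. `"... no audience restriction will be added and the assertion is not bound to a specific service provider."`.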
@@ -127,11 +127,14 @@ class AssertionProcessor:
 conditions = Element(f"{{{NS_SAML_ASSERTION}}}Conditions")
 conditions.attrib["NotBefore"] = self._valid_not_before
 conditions.attrib["NotOnOrAfter"] = self._valid_not_on_or_after
- audience_restriction = SubElement(
- conditions, f"{{{NS_SAML_ASSERTION}}}AudienceRestriction"
- )
- audience = SubElement(audience_restriction, f"{{{NS_SAML_ASSERTION}}}Audience")
- audience.text = self.provider.audience
+ if self.provider.audience != "":
+ audience_restriction = SubElement(
+ conditions, f"{{{NS_SAML_ASSERTION}}}AudienceRestriction"
+ )
+ audience = SubElement(
+ audience_restriction, f"{{{NS_SAML_ASSERTION}}}Audience"
+ )
+ audience.text = self.provider.audience
 return conditions
 
 def get_name_id(self) -> Element:
diff --git a/swagger.yaml b/swagger.yaml
index a577d2f9a..adbc2e5a2 100755
--- a/swagger.yaml
+++ b/swagger.yaml
@@ -8004,9 +8004,9 @@ definitions:
 minLength: 1
 audience:
 title: Audience
- description: Value of the audience restriction field of the asseration.
+ description: Value of the audience restriction field of the asseration. When
+ left empty, no audience restriction will be added.
 type: string
- minLength: 1
 issuer:
 title: Issuer
 description: Also known as EntityID
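Review bot: The guard `if self.provider.audience != "":` treats a whitespace-only value as a real audience and would emit an `<Audience>` element containing only whitespace, and with the field now `blank=True` there is no other validation visible that rules that out; normalising once and testing truthiness is safer: `audience_value = self.provider.audience.strip()`, `if audience_value:`, and `audience.text = audience_value`. A short comment on the skipped branch would make the consequence explicit for the next reader, e.g. `# No AudienceRestriction is emitted: the assertion is not bound to one Service Provider`. The enclosing method begins before this hunk, so whether the audience is normalised earlier in it cannot be seen here.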