Currently Fediz only supports SAML with an audience restriction. However the standard only requires audience restriction validation if this value is present within the SAML token. If no audience restriction is set, this token should be valid for any service.
Especially in cases when the Login SAML token should be used to login to a webpage and the same token can be used to authenticate the user against backend services, an audience restriction could be disturbing.
Fediz Plugin should accept SAML token without audience restrictions as valid (if all other security requirements are met) and the Fediz IDP should be configurable to request SAML token from the STS without audience restrictions.