If users are arriving at your endpoint with the wrong AudienceRestriction, that's an indication that the entityID in the authentication initiation process and the SP metadata as loaded by the IdP are incorrect, but the endpoints are right. In effect, users are showing up at your SP with assertions that the SP believes were not issued for it.

I don't believe adding custom relying party will help much, but looking at the logs with the inbound assertion and checking that field value and tracing where it's from should.
--
To unsubscribe from this list send an email to users-unsubscribe-***@public.gmane.org