Improve invalid audience error message

Make the error message for invalid audience more descriptive by
including the request's audience and the expected value.

Author: quantus

src/onelogin/saml2/response.py

@@ -167,7 +167,7 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
                 # Checks audience
                 valid_audiences = self.get_audiences()
                 if valid_audiences and sp_entity_id not in valid_audiences:
-                    raise OneLogin_Saml2_ValidationError("%s is not a valid audience for this Response" % sp_entity_id, OneLogin_Saml2_ValidationError.WRONG_AUDIENCE)
+                    raise OneLogin_Saml2_ValidationError('Response audience "%s" does not contain SP entityId "%s"' % (", ".join(valid_audiences), sp_entity_id), OneLogin_Saml2_ValidationError.WRONG_AUDIENCE)
 
                 # Checks the issuers
                 issuers = self.get_issuers()

tests/src/OneLogin/saml2_tests/response_test.py

@@ -1143,7 +1143,7 @@ def testIsInValidAudience(self):
         response_2 = OneLogin_Saml2_Response(settings, message)
 
         self.assertFalse(response_2.is_valid(request_data))
-        self.assertIn("is not a valid audience for this Response", response_2.get_error())
+        self.assertIn('Response audience "http://invalid.audience.com" does not contain SP entityId "http://stuff.com/endpoints/metadata.php"', response_2.get_error())
 
     def testIsInValidAuthenticationContext(self):
         """