Description
The current implementation of DecodeUnverifiedBaseResponse() allows access to the Issuer to identify the IdP when multiple IdPs use the same ACS URL.
The Issuer, or IdP entity ID, is chosen and set by the IdP, so there is a chance that the value is not globally unique, resulting in the SP not being able to identify the IdP.
It would be great if the UnverifiedBaseResponse returned by DecodeUnverifiedBaseResponse() could also include the audiences in Conditions.AudienceRestrictions. The audience should match the SP entity ID, which is created and set by the SP. Having access to this value would allow the SP to identify the IdP without any ambiguity. A SAMLServiceProvider object can then be constructed from this information to verify the assertion.
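As an added illustration of the routing step the request describes (this is not gosaml2's own code; it uses only the Go standard library, and the helper names, the `spConfig` type and the sample response below are constructed for this example): parse the still-unverified response, read `Issuer` and every `Audience` under `Conditions/AudienceRestriction`, show that `Issuer` alone matches two SP configurations, and pick the SP by audience instead. Everything extracted here is untrusted until the selected SP verifies the signature; the audience is only a lookup key.

```go
package main

import (
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
)

// unverifiedResponse carries only the fields needed to pick an SP configuration.
// Nothing has been signature-checked yet, so treat every value as untrusted input.
type unverifiedResponse struct {
	XMLName    xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol Response"`
	Issuer     string   `xml:"urn:oasis:names:tc:SAML:2.0:assertion Issuer"`
	Assertions []struct {
		Conditions struct {
			AudienceRestrictions []struct {
				Audiences []string `xml:"urn:oasis:names:tc:SAML:2.0:assertion Audience"`
			} `xml:"urn:oasis:names:tc:SAML:2.0:assertion AudienceRestriction"`
		} `xml:"urn:oasis:names:tc:SAML:2.0:assertion Conditions"`
	} `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
}

// decodeUnverified base64-decodes and parses a SAMLResponse value without checking
// any signature (hypothetical helper, not the library's DecodeUnverifiedBaseResponse).
func decodeUnverified(encoded string) (*unverifiedResponse, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, fmt.Errorf("base64: %w", err)
	}
	var r unverifiedResponse
	if err := xml.Unmarshal(raw, &r); err != nil {
		return nil, fmt.Errorf("xml: %w", err)
	}
	return &r, nil
}

// audiences returns every Audience in every plaintext Assertion. An EncryptedAssertion
// contributes nothing, since its Conditions are not readable before decryption.
func (r *unverifiedResponse) audiences() []string {
	var out []string
	for _, a := range r.Assertions {
		for _, ar := range a.Conditions.AudienceRestrictions {
			out = append(out, ar.Audiences...)
		}
	}
	return out
}

// spConfig stands in for a fully configured service provider (hypothetical type);
// only the two routing fields matter here.
type spConfig struct {
	EntityID  string // chosen by the SP, unique within this deployment
	IdPIssuer string // Issuer value used by the IdP bound to this SP
}

// byIssuer lists SP configurations whose bound IdP uses the given Issuer value.
// More than one match means Issuer alone cannot route the response.
func byIssuer(registry map[string]spConfig, issuer string) []spConfig {
	var out []spConfig
	for _, cfg := range registry {
		if cfg.IdPIssuer == issuer {
			out = append(out, cfg)
		}
	}
	return out
}

// selectSP picks the SP whose entity ID appears as an Audience. It fails on no match,
// on two different matches, or when Issuer is not the IdP bound to that SP.
// The caller still has to run full verification with the returned configuration.
func selectSP(registry map[string]spConfig, r *unverifiedResponse) (spConfig, error) {
	var chosen *spConfig
	for _, aud := range r.audiences() {
		cfg, ok := registry[aud]
		if !ok {
			continue
		}
		if chosen != nil && chosen.EntityID != cfg.EntityID {
			return spConfig{}, errors.New("response names more than one configured SP as audience")
		}
		c := cfg
		chosen = &c
	}
	if chosen == nil {
		return spConfig{}, errors.New("no configured SP entity ID among the audiences")
	}
	if r.Issuer != chosen.IdPIssuer {
		return spConfig{}, fmt.Errorf("issuer %q is not the IdP bound to %q", r.Issuer, chosen.EntityID)
	}
	return *chosen, nil
}

// Constructed, unsigned sample response: two tenants' IdPs share one Issuer value,
// so only the Audience tells them apart.
const sampleResponseXML = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="https://sp.example.com/acs">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/tenant-b</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>`

func sampleRegistry() map[string]spConfig {
	return map[string]spConfig{
		"https://sp.example.com/tenant-a": {EntityID: "https://sp.example.com/tenant-a", IdPIssuer: "https://idp.example.com/metadata"},
		"https://sp.example.com/tenant-b": {EntityID: "https://sp.example.com/tenant-b", IdPIssuer: "https://idp.example.com/metadata"},
	}
}

func encodedSample() string { return base64.StdEncoding.EncodeToString([]byte(sampleResponseXML)) }

func main() {
	r, err := decodeUnverified(encodedSample())
	if err != nil {
		panic(err)
	}
	fmt.Printf("Issuer %q matches %d SP configurations\n", r.Issuer, len(byIssuer(sampleRegistry(), r.Issuer)))
	cfg, err := selectSP(sampleRegistry(), r)
	if err != nil {
		panic(err)
	}
	fmt.Println("route to", cfg.EntityID, "and verify the response with that SP's settings")
}
```

Two caveats for anyone wiring this into a real ACS handler: the audience is read before any signature check, so it must only select which trusted configuration to verify against, never be relied on as a verified claim (the selected SP's own audience check then catches a mismatch); and when the IdP sends an EncryptedAssertion, the Conditions are not visible until after decryption, so the audience cannot be used for routing in that case.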