The validateAndGetRestriction method in LdapSPValidator searches for the agent profile matching the agentRootURL and populates that profile's DN into the DNOrIPAddressListTokenRestriction.
This has two problems:
1) If the agentRootURL is defined in the agent profile rather than in the group, you cannot have multiple agent profiles in a load balanced environment and still have the restricted token validate successfully across the different agents: the agent profile DNs differ, so the restriction fails.
2) Because all agentRootURLs currently have to be defined in the group or in a shared agent profile, managing a large number of agentRootURLs becomes difficult.
The fix is to make LdapSPValidator group aware. The searchAgents method should determine the DNs of all agent profiles within the group and populate the token restriction with all of those DNs. The token restriction would then be valid when presented to any agent profile within the group.
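The group-aware lookup described above, sketched as an added example that is not OpenAM code: AgentProfile, AgentGroup and TokenRestriction are hypothetical stand-ins for the real agent profile, group and DNOrIPAddressListTokenRestriction types, and the sample DNs and URLs are constructed.

```java
import java.util.*;

// Added example, not OpenAM code: a model of a group-aware LdapSPValidator lookup.
// The records below are hypothetical stand-ins for the real OpenAM types.
public class GroupAwareRestrictionExample {
    // groupDn and agentRootUrl may be null when a profile has no group or no URL of its own.
    record AgentProfile(String dn, String groupDn, String agentRootUrl) {}
    // agentRootUrls are the URLs configured on the group rather than on a member profile.
    record AgentGroup(String dn, Set<String> agentRootUrls) {}
    // The set of agent DNs allowed to present the restricted token.
    record TokenRestriction(Set<String> allowedDns) {
        boolean isSatisfiedBy(String presentingAgentDn) { return allowedDns.contains(presentingAgentDn); }
    }

    // Group-aware searchAgents: first collect every profile that carries the URL itself or
    // through its group, then widen the result to all members of those groups.
    static TokenRestriction validateAndGetRestriction(String agentRootUrl,
            List<AgentProfile> profiles, List<AgentGroup> groups) {
        Map<String, AgentGroup> groupsByDn = new HashMap<>();
        groups.forEach(g -> groupsByDn.put(g.dn(), g));
        Set<String> matchingGroups = new HashSet<>();
        Set<String> allowed = new HashSet<>();
        for (AgentProfile p : profiles) {
            AgentGroup group = p.groupDn() == null ? null : groupsByDn.get(p.groupDn());
            boolean urlOnProfile = agentRootUrl.equals(p.agentRootUrl());
            boolean urlOnGroup = group != null && group.agentRootUrls().contains(agentRootUrl);
            if (urlOnProfile || urlOnGroup) {
                allowed.add(p.dn());
                if (p.groupDn() != null) matchingGroups.add(p.groupDn());
            }
        }
        // Every profile in a matching group may validate the token, so a load-balanced peer
        // with a different DN no longer fails the restriction (contains(null) is simply false).
        for (AgentProfile p : profiles) {
            if (matchingGroups.contains(p.groupDn())) allowed.add(p.dn());
        }
        if (allowed.isEmpty()) throw new IllegalArgumentException("no agent profile matches " + agentRootUrl);
        return new TokenRestriction(Set.copyOf(allowed));
    }

    public static void main(String[] args) {
        // Constructed sample data: two load-balanced agents in one group plus an unrelated agent.
        AgentGroup lb = new AgentGroup("cn=lbGroup,ou=agents,dc=example,dc=com", Set.of("https://app.example.com/"));
        List<AgentProfile> profiles = List.of(
            new AgentProfile("cn=agent1,ou=agents,dc=example,dc=com", lb.dn(), null),
            new AgentProfile("cn=agent2,ou=agents,dc=example,dc=com", lb.dn(), null),
            new AgentProfile("cn=other,ou=agents,dc=example,dc=com", null, "https://other.example.com/"));
        TokenRestriction r = validateAndGetRestriction("https://app.example.com/", profiles, List.of(lb));
        System.out.println("agent2 accepted: " + r.isSatisfiedBy("cn=agent2,ou=agents,dc=example,dc=com"));
        System.out.println("other accepted:  " + r.isSatisfiedBy("cn=other,ou=agents,dc=example,dc=com"));
    }
}
```

A profile that carries the agentRootURL itself but belongs to no group still yields a single-DN restriction, which preserves the current behaviour for that case.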