The current recommended org.forgerock.openam.federation.plugin.rooturl.RootUrlProvider implementation, set via the following property in the FederationConfig.properties file, returns a URI value derived from the details of the current request. The internal SAML logic compares this URI to the value in the SP metadata; if the two do not match, processing is halted with an error.
The FedletRootUrlProvider implementation works with the documented examples. However, if a route combines the processing of SAML requests (using the SamlFederationHandler) with all other requests, and sets a baseURI decorator at the top level of the route, this can lead to error messages about invalid ACL values:
This is because, by the time the request is processed within the FedletRootUrlProvider, it has already been altered by the baseURI decorator and will no longer match the SP metadata.
The workaround is to move the baseURI decorator to the part of the route that deals with all the other requests, so that the request processed by the FedletRootUrlProvider arrives unchanged.
An alternative to using the request value would be a new implementation of the RootUrlProvider that uses the originalUri value returned by the UriRouterContext.
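The workaround above as an IG route, added here as an illustration rather than taken from the original article: requests under /saml are dispatched to the SamlFederationHandler untouched, while the baseURI decorator is placed only on the ReverseProxyHandler binding that serves every other request. The hostnames, paths and attribute mappings are assumed placeholders; the failing variant is the same route with "baseURI" hoisted to the top level of the route object, where it rewrites the request before the FedletRootUrlProvider sees it.

```json
{
  "name": "saml-and-app",
  "condition": "${matches(request.uri.path, '^/saml|^/home')}",
  "handler": {
    "type": "DispatchHandler",
    "config": {
      "bindings": [
        {
          "condition": "${matches(request.uri.path, '^/saml')}",
          "handler": {
            "type": "SamlFederationHandler",
            "config": {
              "assertionMapping": {
                "username": "uid",
                "email": "mail"
              },
              "subjectMapping": "saml-subject",
              "redirectURI": "/home"
            }
          }
        },
        {
          "handler": {
            "type": "ReverseProxyHandler",
            "baseURI": "https://app.example.com:8443"
          }
        }
      ]
    }
  }
}
```

Because the decorator now applies only to the second binding, the request that reaches the SAML handler still carries the original host, port and path that the SP metadata was generated from.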