When a route uses the SamlFederationHandler and also applies a baseURI decorator to the whole route, requests are rebased before the SamlFederationHandler handles them, which can lead to a couple of different processing errors:
- Invalid Assertion Consumer Location specified
- Invalid Relay State URL specified
This happens because the request URI is compared against the SP (IG) metadata, which is most often based on the request as it arrives at IG.
Making the original URI value available as an alternative to the request URI would help resolve this issue, and would also fit use cases where a load balancer sits in front of IG.
A workaround is to move the baseURI decorator to the part of the route that only makes the downstream request once validation has been completed, so that it has no impact on the SamlFederationHandler.
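
A route laid out along the lines of this workaround, as an added example rather than configuration taken from the original report: there is no route-level baseURI, and the decorator sits only on the handler that makes the downstream request. The host names, the route name, the attribute mapping and the `metaAlias` value are assumed placeholders, and the `comment` fields are annotations for the reader.

```json
{
    "name": "saml-baseuri-workaround",
    "comment": "Constructed example: no baseURI at route level, so /saml requests reach SamlFederationHandler with the URI the client sent to IG",
    "handler": {
        "type": "DispatchHandler",
        "config": {
            "bindings": [
                {
                    "comment": "SAML endpoints are handled before any rebasing takes place",
                    "condition": "${matches(request.uri.path, '^/saml')}",
                    "handler": {
                        "type": "SamlFederationHandler",
                        "config": {
                            "assertionMapping": {
                                "username": "cn"
                            },
                            "redirectURI": "/home"
                        }
                    }
                },
                {
                    "comment": "No validated session yet: send the browser to SP-initiated SSO (placeholder host and metaAlias)",
                    "condition": "${empty session.username}",
                    "handler": {
                        "type": "StaticResponseHandler",
                        "config": {
                            "status": 302,
                            "headers": {
                                "Location": [
                                    "https://ig.example.com/saml/SPInitiatedSSO?metaAlias=/sp"
                                ]
                            }
                        }
                    }
                },
                {
                    "comment": "baseURI decorates only the downstream request (placeholder application host)",
                    "handler": {
                        "type": "ClientHandler",
                        "baseURI": "http://app.example.com:8081"
                    }
                }
            ]
        }
    }
}
```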