I'm not sure what do you mean by "validity check", but as long as oxTrust can use this url to contact the web server and get the document it points to, it's fine. I really doubt oxTrust does any checks of the url itself.
1. Make sure that name resolution works **inside container**; try to `ping` for the `saml.example.cloud` from in there, and if `ping` can't resolve the name, then oxTrust most surely won't be able too
2. If 1) isn't the issue, make sure that certificate the target server uses for SSL is a universally trusted one; if it's self-signed, oxTrust will most likely reject it and won't be able to download the document; in such case you'll need to add the certificate to Java's truststore inside container and restart "identity" service