By: Thomas Kuechenthal user 08 Aug 2019 at 6:04 p.m. CDT

2 Responses
Hi! I really tried hard for a while now, but adding a "trust relationship" fails when the Metadata Location URI contains a domain name with a new TLD: https://saml.example.cloud/passport/auth/meta/idp/some-idp. Is the URI being checked for validity, and is it possible that new TLDs like .cloud are not taken into account yet? Thanks, Thomas

By Aliaksandr Samuseu staff 08 Aug 2019 at 6:18 p.m. CDT

Hi, Thomas. I'm not sure what you mean by "validity check", but as long as oxTrust can use this URL to contact the web server and get the document it points to, it's fine. I really doubt oxTrust does any checks of the URL itself.

1. Make sure that name resolution works **inside the container**; try to `ping` `saml.example.cloud` from in there, and if `ping` can't resolve the name, then oxTrust most surely won't be able to either.

2. If 1) isn't the issue, make sure that the certificate the target server uses for SSL is a universally trusted one; if it's self-signed, oxTrust will most likely reject it and won't be able to download the document. In such a case you'll need to add the certificate to Java's truststore inside the container and restart the "identity" service.

By Aliaksandr Samuseu staff 08 Aug 2019 at 6:20 p.m. CDT

One more thing:

3. Try to actually request the document **from inside the container**, with `wget`, for example; you can substitute it for the `ping` test. If `wget` can't download it for any reason, or downloads something else instead of the XML document, you'll need to figure out why that happens.
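The three checks above (name resolution inside the container, a TLS certificate the JVM will trust, and the URL actually returning SAML metadata) as one added shell diagnostic; this is not Gluu's or oxTrust's own tooling, and it assumes `wget` and `getent` exist in the container and uses the metadata URL from the question as its sample input.

```sh
#!/bin/sh
# Added diagnostic for the three steps in the thread, not Gluu's own tooling.
# Assumed: run inside the oxTrust ("identity") container; wget and getent exist.

# Host part of a URL: drop the scheme, then anything from '/', ':' or '?' on.
extract_host() {
  printf '%s\n' "$1" | sed -e 's#^[A-Za-z][A-Za-z0-9+.-]*://##' -e 's#[/:?].*$##'
}

# Step 1: name resolution inside the container. getent asks the same resolver
# the JVM uses and works where ping is blocked or not installed.
check_resolution() {
  getent hosts "$1" >/dev/null 2>&1
}

# Steps 2 and 3: fetch over TLS with certificate verification ON (wget default),
# so an untrusted or self-signed chain fails here as it would in the JVM.
fetch_metadata() {
  wget -q --timeout=15 -O "$2" "$1"
}

# SAML metadata is XML rooted at EntityDescriptor/EntitiesDescriptor (often md:).
# An HTML body means the URL returns a login or error page, not the document.
looks_like_saml_metadata() {
  grep -qE '<([A-Za-z0-9_.-]+:)?Entit(y|ies)Descriptor[[:space:]>]' "$1" 2>/dev/null &&
    ! grep -qi '<html' "$1"
}

# Run the checks in order; stop at the first one that explains the failure.
diagnose() {
  url=$1; out=$2
  host=$(extract_host "$url")
  if ! check_resolution "$host"; then
    echo "FAIL: $host does not resolve inside the container (check /etc/resolv.conf)"; return 1
  fi
  if ! fetch_metadata "$url" "$out"; then
    echo "FAIL: wget could not download $url (a TLS error here means the server"
    echo "      certificate must be added to the Java truststore, then restart identity)"; return 2
  fi
  if ! looks_like_saml_metadata "$out"; then
    echo "FAIL: $out is not SAML metadata; first bytes: $(head -c 80 "$out")"; return 3
  fi
  echo "OK: $url resolves, downloads with a trusted certificate and is SAML metadata"
}

# Usage: sh check-idp-metadata.sh <metadata-url> [output-file]
if [ $# -gt 0 ]; then diagnose "$1" "${2:-/tmp/idp-metadata.xml}"; fi
```

Run it as `sh check-idp-metadata.sh https://saml.example.cloud/passport/auth/meta/idp/some-idp` from a shell inside the container; the exit code (1, 2 or 3) tells you which of the three steps failed.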