PicketLink / PLINK-81

default AssertionConsumerURL

    • Type: Feature Request
    • Resolution: Done
    • Priority: Minor
    • Fix Version: PLINK_2.7.0.Beta2
    • Component: SAML

I would like to see the SAML AssertionConsumerURL default to the original requested URL of the application. Currently, the ASSERTION_CONSUMER_URL in config for SAML2AuthenticationHandler is required if the IDP doesn't have any metadata about the SP and it's considered "anonymous". If the ACS URL isn't defined, the SP uses the ServiceURL config param as the ACS URL. Since the ACS URL is used to send the user back to the application after successful authentication, it doesn't make a lot of sense to use that in all environments, because the ServiceURL is considered the entityId in the SAML request.

The AbstractSPFormAuthenticator creates a HTTPContext when generating a SAMLRequest. Since this object contains the original request, you should be able to build the original requested URL to use in SAML2AuthenticationHandler$SPAuthenticationHandler.

You cannot use the root of the application as the ACS URL either. The ACS URL needs to also point to a protected area of the application. If not, the container's authentication valve doesn't even get called and the SAML response never gets read. No matter what you use as the ACS URL (as long as it points to a protected area), the SP will redirect the URL to the originally requested URL because the "saveRestoreRequest" attribute of AbstractSPFormAuthenticator is set to true.

You could even go one step further... If the "saveRestoreRequest" attribute of AbstractSPFormAuthenticator is true, then use the original requested URL as AssertionConsumerURL; if false, then take it from the config...
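As an added illustration, not PicketLink's own code (the class, method and field names below are hypothetical and do not exist in the project): a small Java helper that applies the resolution order the reporter proposes (original request when saveRestoreRequest is true, then the configured ACS URL, then ServiceURL), with the two checks a practitioner would want before trusting a URL rebuilt from a request: the path must fall under a prefix the container actually protects (otherwise, as the ticket notes, the SAML response is never read), and the host must be one the SP owns, since the scheme/host/port seen by a servlet come from client-supplied headers. In a servlet the request parts would be read from HttpServletRequest.getScheme(), getServerName(), getServerPort(), getRequestURI() and getQueryString(); here they are plain fields so the example runs on its own.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Optional;

// Hypothetical helper, not PicketLink code: picks the AssertionConsumerServiceURL
// an SP places in its AuthnRequest, in the order of preference the ticket asks for.
public final class AcsUrlResolver {

    // The parts of the original request. In a servlet these come from
    // HttpServletRequest.getScheme(), getServerName(), getServerPort(),
    // getRequestURI() and getQueryString(); here they are plain fields.
    public static final class OriginalRequest {
        final String scheme, host, path, query;
        final int port;

        public OriginalRequest(String scheme, String host, int port, String path, String query) {
            this.scheme = scheme; this.host = host; this.port = port; this.path = path; this.query = query;
        }
    }

    private final boolean saveRestoreRequest;     // mirrors the flag named in the ticket
    private final String configuredAcsUrl;        // ASSERTION_CONSUMER_URL from config, may be null
    private final String serviceUrl;              // ServiceURL (the SP entityId), last-resort fallback
    private final List<String> protectedPrefixes; // paths the container's auth valve actually guards
    private final List<String> allowedHosts;      // hosts this SP is willing to receive assertions on

    public AcsUrlResolver(boolean saveRestoreRequest, String configuredAcsUrl, String serviceUrl,
                          List<String> protectedPrefixes, List<String> allowedHosts) {
        this.saveRestoreRequest = saveRestoreRequest;
        this.configuredAcsUrl = configuredAcsUrl;
        this.serviceUrl = serviceUrl;
        this.protectedPrefixes = protectedPrefixes;
        this.allowedHosts = allowedHosts;
    }

    /** Resolution order: original request (if saveRestoreRequest), then config, then ServiceURL. */
    public String resolve(OriginalRequest req) {
        if (saveRestoreRequest) {
            Optional<String> derived = fromOriginalRequest(req);
            if (derived.isPresent()) {
                return derived.get();
            }
        }
        if (configuredAcsUrl != null && !configuredAcsUrl.isEmpty()) {
            return configuredAcsUrl;
        }
        return serviceUrl;
    }

    /**
     * Rebuilds the originally requested URL, but only when it is safe to use as an ACS URL:
     * the host must be one this SP owns (request headers are client-supplied) and the path
     * must sit under a protected prefix, otherwise the SAML response would never be read.
     */
    public Optional<String> fromOriginalRequest(OriginalRequest req) {
        if (req == null || !allowedHosts.contains(req.host)) {
            return Optional.empty();
        }
        boolean isProtected = protectedPrefixes.stream().anyMatch(req.path::startsWith);
        if (!isProtected) {
            return Optional.empty();
        }
        // Omit the port when it is the scheme's default, so the URL matches what users typed.
        boolean defaultPort = ("https".equals(req.scheme) && req.port == 443)
                           || ("http".equals(req.scheme) && req.port == 80);
        try {
            URI uri = new URI(req.scheme, null, req.host, defaultPort ? -1 : req.port,
                              req.path, req.query, null);
            return Optional.of(uri.toString());
        } catch (URISyntaxException e) {
            return Optional.empty();
        }
    }

    public static void main(String[] args) {
        // Constructed configuration and requests, not taken from the ticket.
        AcsUrlResolver resolver = new AcsUrlResolver(
                true, null, "https://sp.example.test/app/",
                List.of("/app/secure/"), List.of("sp.example.test"));

        OriginalRequest deepLink = new OriginalRequest(
                "https", "sp.example.test", 443, "/app/secure/orders", "id=42");
        OriginalRequest publicPage = new OriginalRequest(
                "https", "sp.example.test", 443, "/app/index.html", null);
        OriginalRequest unknownHost = new OriginalRequest(
                "https", "other-host.example.test", 443, "/app/secure/orders", null);

        System.out.println(resolver.resolve(deepLink));    // protected path on an owned host: request URL is used
        System.out.println(resolver.resolve(publicPage));  // unprotected path: falls back to ServiceURL
        System.out.println(resolver.resolve(unknownHost)); // host not in the allowlist: falls back to ServiceURL
    }
}
```

The allowlist of hosts is a design choice of this example rather than something the ticket asks for; without it, whatever arrives in the Host header would be echoed into the AuthnRequest as the place the IDP should post the assertion to.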

Assignee: Pedro Igor Craveiro (psilva@redhat.com)
Reporter: Bobby Lawrence (blawrence_jira, Inactive)