After an upgrade of Nexus 3 users may observe a SAML authentication error attempting to login. The nexus.log will contain the following:
error:org.keycloak.adapters.saml.profile.webbrowsersso.WebBrowserSsoAuthenticationHandler - Destination field required.
In Nexus 3.27 the Keycloak libraries used in the Nexus 3 SAML implementation were upgraded. Keycloak now requires the "Destination" field to be set, if the SAML messages (request/response) are signed. As a result, if the SAML assertions are being signed, then the Identity Provider must now set a Destination field in the response that is set to the Nexus Assertion Consumer URL (<BaseURL>/saml).
These changes are in line with the SAML specification which states the following:
If the message is signed, the Destination XML attribute in the root SAML element of the protocol message MUST contain the URL to which the sender has instructed the user agent to deliver the message. The recipient MUST then verify that the value matches the location at which the message has been received.
More information about configuring secure SAML integration is provided in our documentation: https://help.sonatype.com/repomanager3/system-configuration/user-authentication/saml#SAML-SecuringSAMLIntegration