Problem
You've set up your Nexus instance to use a SAML IdP, but can't log in to Nexus.
Symptoms
After successfully logging into the IdP, you see a message like:
Authentication failed due to a SAML error. Please contact your IT administrator.
The nexus.log shows:
2025-MM-DD 00:00:00,000+0000 ERROR [qtp...-...] *UNKNOWN org.keycloak.adapters.saml.profile.webbrowsersso.WebBrowserSsoAuthenticationHandler - Request URI 'http://you-nexus-url/saml' does not match SAML request destination 'https://you-nexus-url/saml'
Solution
If you look closely, you'll notice the two URLs in the log above differ only by protocol: http:// vs. https://. The log message means that the SAML IdP addressed the SAML response to https://you-nexus-url/saml (the destination recorded in the response), but Nexus received the response via http://you-nexus-url/saml, so the destination check fails and the login is rejected.
This is often due to missing headers in the request proxied by a reverse proxy or load-balancer. Nexus 3 relies upon these headers to reconstruct the context of the original request. The following Sonatype Help page describes the headers necessary when SSL is terminated before the request reaches Nexus: https://help.sonatype.com/en/run-behind-a-reverse-proxy.html#example--reverse-proxy-ssl-termination-at-base-path
Compare the headers set by your load-balancer or reverse proxy with those described in the document, and adjust if necessary.
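The following script is an added illustration (not code from Nexus, Keycloak or Sonatype) of the check behind that log line: it rebuilds the request URI the way a proxy-aware application would from the Host and X-Forwarded-* headers, extracts the Destination from a constructed, minimal SAMLResponse, and compares the two. The header names X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Port are assumed here as the conventional ones a TLS-terminating proxy sets; confirm the exact set against the Sonatype page linked above.

```python
import xml.etree.ElementTree as ET

# Namespace of the SAML 2.0 protocol element that carries the Destination attribute.
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

def effective_request_uri(scheme_seen_by_nexus, headers, path="/saml"):
    """Rebuild the URL the application believes it received, honouring the
    X-Forwarded-* headers a TLS-terminating reverse proxy is expected to set
    (assumed header names, not taken from the Nexus source)."""
    h = {k.lower(): v for k, v in headers.items()}
    scheme = h.get("x-forwarded-proto", scheme_seen_by_nexus)
    host = h.get("x-forwarded-host", h.get("host", ""))
    port = h.get("x-forwarded-port")
    default_port = "443" if scheme == "https" else "80"
    if port and port != default_port and ":" not in host:
        host = f"{host}:{port}"
    return f"{scheme}://{host}{path}"

def saml_destination(saml_response_xml):
    """Return the Destination attribute of a decoded samlp:Response."""
    root = ET.fromstring(saml_response_xml)
    if root.tag != f"{{{SAMLP_NS}}}Response":
        raise ValueError("not a samlp:Response element")
    return root.attrib.get("Destination")

def check_destination(scheme_seen_by_nexus, headers, saml_response_xml):
    """Mirror the SP-side comparison from the log line: (ok, received, expected)."""
    received = effective_request_uri(scheme_seen_by_nexus, headers)
    expected = saml_destination(saml_response_xml)
    return received == expected, received, expected

# Constructed sample: a minimal SAMLResponse carrying only what the check needs.
SAMPLE_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{SAMLP_NS}" ID="_constructed-id" Version="2.0" '
    'IssueInstant="2025-01-01T00:00:00Z" Destination="https://you-nexus-url/saml"/>'
)

# Proxy terminates TLS but forwards only Host: Nexus sees a plain-http request.
MISSING_HEADER = {"Host": "you-nexus-url"}
# Same proxy once it also forwards the original protocol.
WITH_HEADER = {"Host": "you-nexus-url", "X-Forwarded-Proto": "https"}

if __name__ == "__main__":
    for name, hdrs in (("missing header", MISSING_HEADER), ("with header", WITH_HEADER)):
        ok, got, want = check_destination("http", hdrs, SAMPLE_RESPONSE)
        verdict = "OK" if ok else "MISMATCH"
        print(f"{name}: Request URI '{got}' vs destination '{want}' -> {verdict}")
```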