The 1.27 upgrade notes claim:

Note: a similar change is being made for SAML2; in this case the old URI [synapse public baseurl]/_matrix/saml2 is being deprecated, but will continue to work, so no immediate changes are required for existing installations.

In fact, as part of the SAML2 request, the expected callback URI is sent to the SAML2 IdP, which will check that it matches what is expected and fail if not.

Hence, upgrading to Synapse 1.27 will break login for anyone using SAML :/.