...

If the request returning from the IDP to /plugins/servlet/no.kantega.saml/sp/{idp-id}/login is visible in the Tomcat catalina.out log but never reaches the application itself (Jira, Confluence, Bitbucket, Bamboo), that is, only Tomcat logs the request and neither the host app nor the Kantega SSO plugin logs show it, then the most likely cause is another filter installed in Tomcat and configured in the web.xml file.
An example of a filter that may stop a request is a CORS filter such as org.apache.catalina.filters.CorsFilter.
Related article on configuration of CorsFilter with Confluence can be found here:
https://jira.atlassian.com/browse/CONFSERVER-41269
Tomcat documentation:
https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html#CORS_Filter
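
To see which filters in a web.xml file sit in front of the SAML login path, the following added example (not part of Kantega SSO or Tomcat) parses the file and lists every filter whose url-pattern covers that path. The web.xml content, the filter com.example.StaticCacheFilter and the IdP id abc123 are constructed for illustration; only url-pattern mappings are evaluated, not servlet-name mappings.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml (not taken from a real installation).
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  </filter>
  <filter><filter-name>StaticCache</filter-name><filter-class>com.example.StaticCacheFilter</filter-class></filter>
  <filter-mapping><filter-name>CorsFilter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
  <filter-mapping><filter-name>StaticCache</filter-name><url-pattern>*.css</url-pattern></filter-mapping>
</web-app>"""

# Hypothetical IdP id "abc123" substituted for {idp-id}; path is relative to the context path.
SAML_PATH = "/plugins/servlet/no.kantega.saml/sp/abc123/login"

def local(tag):
    """Strip the XML namespace so any web.xml schema version parses."""
    return tag.rsplit("}", 1)[-1]

def pattern_matches(pattern, path):
    """Servlet-spec URL pattern matching: exact, /prefix/*, or *.ext."""
    if pattern in ("/*", path):
        return True
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return False

def filters_on_path(web_xml, path):
    """Return (filter-name, filter-class) pairs mapped onto path, in mapping order."""
    root = ET.fromstring(web_xml)
    classes, hits = {}, []
    for el in root:
        fields = {local(c.tag): (c.text or "").strip() for c in el}
        if local(el.tag) == "filter":
            classes[fields.get("filter-name")] = fields.get("filter-class")
        elif local(el.tag) == "filter-mapping":
            patterns = [(c.text or "").strip() for c in el if local(c.tag) == "url-pattern"]
            if any(pattern_matches(p, path) for p in patterns):
                hits.append(fields["filter-name"])
    return [(name, classes.get(name)) for name in hits]
```

Any filter this returns that is not part of the stock application configuration is a candidate for the component stopping the request before it reaches the host app.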

What to do if you get an AWS-related session problem?

We sometimes see that an AWS load balancer, when used in front of a multi-node cluster (of Confluence, Jira et al.), has problems retaining session stickiness. Enabling application-based stickiness in the AWS load balancer, configured to the cookie used by your application (by default the cookie is named JSESSIONID), seems to improve the stability of a clustered setup. See more about this here: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/sticky-sessions.html#application-based-stickiness

Typical symptoms of this problem can be:

  • login loops

  • login session suddenly dropping

  • the AWS cookie AWSALB suddenly changing, which moves the browser to another node and in turn typically causes the login session to drop (the user gets logged out)

API Tokens

User accounts get locked out when API tokens are invalidated or expire. How can I prevent this from happening?

...