Problem:

Receiving an empty response page with SAML SSO enabled while using (F5 or similar) load balancer or problems with SSO in general, when running a load balancer in front of your Atlassian application.

Other possible symptoms: 

  • Browser hanging up
  • Browser error message: Connection Reset

Solution:

Change the configuration of the load balancer health check, to monitor the /status URL of every node instead of the baseURL.
The /status returns the following on a healthy node:

URL

Expected Content

Expected HTTP Status

HTTP://<node_IP_address>:<port>/status
{"state":"RUNNING"}
200 OK

A little more background:

The load balancer is usually configured to frequently monitor the status of each node, and ensure that it is sending traffic to nodes operating normally.
You can find out the node's status by checking http://<node_IP_address>:<port>/status.
The node will respond with an HTTP response and a JSON payload describing the state of it.
The balancer can use either response or the JSON to determine where to send live traffic.

If that health check fails, the load balancer will declare a node bad and no longer route traffic to it.

With the SAML app disabled and monitoring the baseURL of the node, the default login page is served instead,
which will be recognized as an HTML page resulting in success instead.

With the SAML app enabled, if you monitor the baseURL of the node, the app will issue a 302 redirect to a URL belonging to it and eventually to the IdP.
This initial 302 response is by default not interpreted as success by a load-balancer. 
Failed health checks will start taking nodes out of service until no more nodes are available, resulting in an empty response.

More information about load balancer configuration options could be found in the below Atlassian documentation page:

https://confluence.atlassian.com/enterprise/load-balancer-configuration-options-935383760.html