All SAML/SSO logins on a TFE cluster fail by redirecting back to the login page.
This happens when the underlying TFE nodes cannot share session information, so moving between nodes through the load balancer constantly returns an unknown session, and then requests a new login.
As a test to confirm that this is indeed the problem, bring one of the nodes down by logging into the node via CLI and running the command:
replicatedctl app stop
When the stop process completes the node will be in a deactivated state. If login works after stopping a node, this confirms that the problem is with the TFE nodes sharing session information.
TFE clusters use tokens to manage sessions across nodes. If the tokens given at install time for the individual nodes do not exist, or do not match, it will result in this behavior in the SAML login.
You’ll need to reinstall the nodes making sure the that values outlined in the documentation below match: