Ha! Indeed, I had missed it since I do not have a Samsung phone. I tested the SSLLabs on Libreho.st and changed the server configuration to add ssl_ecdh_curve prime256v1; … No change, but…
I finally solved the mystery! It was a matter of TLS + SNI (and indeed @Falco’s tip was useful).
Edit: I also had to bump proxy_buffer_size on the frontend to make SAML login work with the mobile. Hackety hackety hack!