You need a phone that can be updated to a more recent Android version.
Ha! Indeed I had missed it since I have not a Samsung phone. I tested the SSLLabs on Libreho.st and changed the server configuration to add
ssl_ecdh_curve prime256v1;… No change, but…
Edit: I also had to bump
proxy_buffer_size on the frontend to make SAML login work with the mobile. Hackety hackety hack!