Just a quick blog, likely one that I would want to add to over time...
When setting up a Liferay cluster for SAML, connect to each node before enabling SAML and create the certificate in the SAML Config control panel.
Do this on all nodes before enabling SAML in the cluster.
If you don't, some nodes will work but others will throw NullPointerExceptions in the org.opensaml.xml.security.keyinfo.KeyInfoGeneratorManager.getFactory() method. In fact, if you get this NPE in this class, your first check should be the SAML Config, to ensure the node has a cert created.
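To find which nodes to check, the following added example (not code from this post or from Liferay) scans each node's log text for a NullPointerException whose own stack frames include the getFactory() method named above. It assumes the standard Java stack trace layout; the node names, log lines, line numbers and com.example frames are constructed for illustration.

```python
import re

# Frame named in the post; an NPE here suggests the node has no SAML certificate.
TARGET = "org.opensaml.xml.security.keyinfo.KeyInfoGeneratorManager.getFactory"
NPE = "java.lang.NullPointerException"
HEADER = re.compile(r"^(?:Caused by: )?([\w.$]+(?:Exception|Error))\b")
FRAME = re.compile(r"^\s+at ([\w.$<>]+)\(")

def count_cert_npes(log_text):
    """Count trace segments where an NPE's own frames include TARGET."""
    hits, current, counted = 0, None, False
    for line in log_text.splitlines():
        frame = FRAME.match(line)
        header = HEADER.match(line)
        if frame:
            if current == NPE and not counted and frame.group(1) == TARGET:
                hits, counted = hits + 1, True
        elif header:
            current, counted = header.group(1), False  # new exception segment
        else:
            current = None  # ordinary log line or "... N more" ends the segment
    return hits

def nodes_missing_cert(logs_by_node):
    """Sorted node names whose log shows the NPE; check SAML Config there first."""
    return sorted(n for n, t in logs_by_node.items() if count_cert_npes(t))

# Constructed sample logs (node names, timestamps, line numbers and the
# com.example frames are made up for illustration).
SAMPLE_LOGS = {
    "node-a": "2024-01-01 10:00:00 INFO  SAML request handled\n",
    "node-b": (
        "2024-01-01 10:00:01 ERROR request failed\n"
        "java.lang.RuntimeException: wrapped\n"
        "\tat com.example.Filter.doFilter(Filter.java:10)\n"
        "Caused by: java.lang.NullPointerException\n"
        "\tat " + TARGET + "(KeyInfoGeneratorManager.java:1)\n"
        "\tat com.example.Signer.sign(Signer.java:20)\n"
        "\t... 5 more\n"
    ),
    "node-c": (
        "java.lang.IllegalStateException: unrelated\n"
        "\tat " + TARGET + "(KeyInfoGeneratorManager.java:1)\n"
        "java.lang.NullPointerException\n"
        "\tat com.example.Other.run(Other.java:5)\n"
    ),
}

if __name__ == "__main__":
    print(nodes_missing_cert(SAMPLE_LOGS))
```

Only node-b is reported: node-c has the getFactory() frame under a different exception and an NPE elsewhere, so neither counts.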