haproxy cluster can't handle saml2 on CLI

Bug #1954690 reported by Graeme Moss
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Base Layer | New | Undecided | Unassigned | |
| OpenStack Keystone Charm | New | Undecided | Unassigned | |

Bug Description

After figuring out that when running keystone on a single instance I can get saml2 to work on the CLI, I have found the following two problems, but the first is the easiest to fix.

Haproxy session cookies: saml mellon with haproxy needs a session cookie to connect back to the same keystone it first made contact with; without this you get double saml2 requests.

```
reply: 'HTTP/1.1 200 OK\r\n'
header: Date: Mon, 13 Dec 2021 16:41:45 GMT
header: Server: Apache/2.4.29 (Ubuntu)
header: Cache-Control: private, max-age=0, must-revalidate
header: Content-Length: 3260
header: Keep-Alive: timeout=5, max=100
header: Connection: Keep-Alive
header: Content-Type: application/vnd.paos+xml
https://keystone.api.domain.cloud:5000 "GET /v3/OS-FEDERATION/identity_providers/keycloak/protocols/mapped/auth HTTP/1.1" 200 3260
RESP: [200] Cache-Control: private, max-age=0, must-revalidate Connection: Keep-Alive Content-Length: 3260 Content-Type: application/vnd.paos+xml Date: Mon, 13 Dec 2021 16:41:45 GMT Keep-Alive: timeout=5, max=100 Server: Apache/2.4.29 (Ubuntu)
RESP BODY: Omitted, Content-Type is set to application/vnd.paos+xml. Only application/json responses have their bodies logged.
```
The response is in XML and it's a signature response, not the JSON which openstack client is looking for.

To resolve this, if I change the haproxy.cfg to the following

```
backend public-port_10.221.32.13
    #balance leastconn
    balance source

```
the connection has a persistent session. Not a great workaround, but it proves the problem.

As the SSL/TLS is handled by apache and not via Haproxy, I can only ask to look at adding a config option to adjust the balance field in the haproxy template.

This would allow saml2 to work in a cluster setup.
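An added example, not part of the bug report or of the charm's haproxy template: a hand-written backend that keeps `leastconn` balancing but pins each client source address to the keystone unit it first reached, using a stick-table rather than `balance source`. This is the sticky-session approach available while TLS is still terminated in Apache, because haproxy stays in TCP mode and cannot see or insert an HTTP cookie. The backend name is taken from the report; the server names, addresses and ports are placeholders.

```haproxy
# Example backend, not the charm's generated config.
# With plain "balance leastconn" the two legs of the SAML ECP/PAOS exchange
# can land on different units, and the second unit has no mellon session,
# so the client receives a fresh application/vnd.paos+xml challenge instead
# of the JSON token response it expects (the double-request symptom above).
backend public-port_10.221.32.13
    mode tcp                                   # TLS is terminated in Apache, not here
    balance leastconn                          # keep the charm's default distribution
    stick-table type ip size 200k expire 30m   # one entry per client source IP
    stick on src                               # route repeat connections to the same unit
    server keystone-0 UNIT0_ADDR:UNIT0_PORT check   # placeholder address and port
    server keystone-1 UNIT1_ADDR:UNIT1_PORT check   # placeholder address and port
    server keystone-2 UNIT2_ADDR:UNIT2_PORT check   # placeholder address and port
```

Unlike a source hash, the table entry survives a unit being added or removed, so existing clients keep their unit for the table's expiry window. The trade-off of any source-address stickiness is that clients behind a shared NAT address all land on one unit.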

Graeme Moss (graememoss) wrote :

The only other option is to move TLS/SSL from apache to haproxy and have sticky sessions.
