Authenticator Callback - Cannot invoke "javax.servlet.http.HttpSession.getId()" because "httpSession" is null

Thank you for your quick response.

Yes, 17.4.4 and 17.6.0 fresh installed both times.

It's not random. It fails reproduceable on the HTTP-Redirect (Method POST) and succeeds on a following direct call (Method GET).
A refresh in the Browser doesn't do the trick - although being also a HTTP method GET. There seems to be a difference: The URL needs to be entered/executed via the browser's address bar, e.g. in an new tab. I just figured this out by trying to add "debug=true" to the URL.
The behavior is reproducible on different platforms and browsers, so it might not be a misconfiguration on the client side . I thought of some kind of browser security thing but domain names an tls certificates are ok. The JSESSIONID cookie is set on the initial connection to xwiki and stays the same in the process.