I just ran into this yesterday with another customer, and filed https://mattermost.atlassian.net/browse/MM-10595 to fix the xmlsec1 STDERR logging.
If you had the ability to extract the SAML exchange, you might be able to run the xmlsec1 command manually in a bid to see the raw STDERR output. I’ve had some good success with Burp Suite (Community Edition) to intercept requests, but I’ve only used the tool lightly.