SAML <> ADFS 4.0 can't use metadata url in Add-AdfsRelyingPartyTrust
Hello,
I'm trying to set up SAML authentication for our GitLab CE instance (GitLab CE 10.5.6 Omnibus installation on Ubuntu 16.04.4 LTS). When I try to add the relying party trust on the ADFS host (ADFS 4.0 on Windows Server 2016) with Add-AdfsRelyingPartyTrust -Name "GitLab" -MetadataUrl "https://gitlab.[redacted]/users/auth/saml/metadata", I get the error message "Add-AdfsRelyingPartyTrust : The underlying connection was closed: An unexpected error occurred on a send." Full message:
Add-AdfsRelyingPartyTrust : The underlying connection was closed: An unexpected error occurred on a send.
At line:1 char:26
+ ... sion $ENUS; Add-AdfsRelyingPartyTrust -Name "GitLab" -MetadataUrl "ht ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Add-AdfsRelyingPartyTrust], WebException
+ FullyQualifiedErrorId : The underlying connection was closed: An unexpected error occurred on a send.,Microsoft.IdentityServer.Management.Commands.AddRelyingPartyTrustCommand
PSMessageDetails :
Exception : System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Unable to read data from the transport connection: Eine vorhandene Verbindung wurde vom Remotehost geschlossen.
---> System.Net.Sockets.SocketException: Eine vorhandene Verbindung wurde vom Remotehost geschlossen
bei System.Net.Sockets.Socket.Receive(Byte[] buffer, Int32 offset, Int32 size, SocketFlags socketFlags)
bei System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
--- Ende der internen Ausnahmestapelüberwachung ---
bei System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
bei System.Net.FixedSizeReader.ReadPacket(Byte[] buffer, Int32 offset, Int32 count)
bei System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
bei System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
bei System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
bei System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
bei System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
bei System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
bei System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
bei System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
bei System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
bei System.Net.ConnectStream.WriteHeaders(Boolean async)
--- Ende der internen Ausnahmestapelüberwachung ---
bei System.Net.HttpWebRequest.GetResponse()
bei Microsoft.IdentityServer.Protocols.WSFederation.Metadata.MetadataReaderUtilities.ReadFromMetadataUrl(Uri metadataUrl, ICollection`1 errors)
bei Microsoft.IdentityServer.Management.Resources.Managers.RelyingPartyTrustManager.ApplyMetadataFromUrl(RelyingPartyTrust party, Uri metadataUrl, String& warnings)
bei Microsoft.IdentityServer.Management.Commands.AddRelyingPartyTrustCommand.GetPropertiesFromMetadataUrl(RelyingPartyTrust party, String& warnings)
bei Microsoft.IdentityServer.Management.Commands.AddRelyingPartyTrustCommand.AddRelyingParty()
bei Microsoft.IdentityServer.Management.Commands.AddRelyingPartyTrustCommand.EndProcessingOverride()
TargetObject :
CategoryInfo : InvalidData: (:) [Add-AdfsRelyingPartyTrust], WebException
FullyQualifiedErrorId : The underlying connection was closed: An unexpected error occurred on a send.,Microsoft.IdentityServer.Management.Commands.AddRelyingPartyTrustCommand
ErrorDetails : The underlying connection was closed: An unexpected error occurred on a send.
InvocationInfo : System.Management.Automation.InvocationInfo
ScriptStackTrace : at <ScriptBlock>, <No file>: line 1
PipelineIterationInfo : {}
Because of the message "Eine vorhandene Verbindung wurde vom Remotehost geschlossen" (the English error message is "An existing connection was forcibly closed by the remote host"), I think that something on the GitLab server side is wrong, but I don't really have a clue where to look. I can see the incoming connection on the GitLab host with tcpdump port 443, but nothing in /var/log/gitlab/gitlab-rails/production.log or /var/log/gitlab/unicorn/unicorn_stderr.log (which are the places I'd expect something after reading https://docs.gitlab.com/ce/administration/logs.html).
Edit: forgot to add: I can access the metadata URL (https://gitlab.[redacted]/users/auth/saml/metadata) in a browser on the ADFS host and see the metadata XML file.
What could be wrong here?
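The stack trace shows the remote side closing the socket while SslState.ForceAuthentication is still running, that is, during the TLS handshake and before any HTTP request bytes are written. A browser on the same host succeeding does not rule this out, because the browser uses its own TLS stack rather than the .NET one the cmdlet goes through. The following diagnostic is an added example, not part of the original post or of GitLab/ADFS: it tries each TLS version explicitly from the ADFS host through System.Net.Security.SslStream (the same .NET stack as HttpWebRequest) and reports which ones the GitLab server completes. The hostname is a placeholder for the redacted one.

```powershell
# Added diagnostic, not from the original post. Run on the ADFS host and
# replace the placeholder with the real GitLab hostname.
$GitLabHost = 'gitlab.example.invalid'   # placeholder for gitlab.[redacted]
$Port = 443

function Test-TlsHandshake {
    param(
        [string]$HostName,
        [int]$Port,
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Certificate validation is deliberately accepted here: the question is
        # only whether the server finishes the handshake for this version, not
        # whether the chain is trusted (a trust failure is a different error).
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream `
            -ArgumentList $client.GetStream(), $false, $accept
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        [pscustomobject]@{
            Protocol    = $Protocol
            Result      = 'OK'
            Negotiated  = $ssl.SslProtocol
            Cipher      = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
            KeyExchange = "$($ssl.KeyExchangeAlgorithm)/$($ssl.KeyExchangeStrength)"
        }
    } catch {
        # Walk to the innermost exception; for a handshake the server aborts
        # this is typically the SocketException seen in the question.
        $inner = $_.Exception
        while ($inner.InnerException) { $inner = $inner.InnerException }
        [pscustomobject]@{
            Protocol    = $Protocol
            Result      = 'FAILED'
            Negotiated  = $null
            Cipher      = $inner.Message
            KeyExchange = $null
        }
    } finally {
        $client.Close()
    }
}

foreach ($p in 'Tls', 'Tls11', 'Tls12') {
    Test-TlsHandshake -HostName $GitLabHost -Port $Port -Protocol $p
}
```

If only some versions complete, compare the result with [System.Net.ServicePointManager]::SecurityProtocol in the same PowerShell session, since that setting governs which versions HttpWebRequest (the class in the trace) offers; a row that fails with "forcibly closed by the remote host" is the server side declining that handshake, which is what the GitLab server's TLS configuration and nginx logs should then be checked against.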