One step further: if I turn on verbose loggin for DiscourseConnect, I do get an error in the logs:
Verbose SSO log: Signature parse error Bad signature for payload sso: bm9uY2U9YklKeEU1WWw2OFhjSkJydGlwSU15UTRZeVlMeWd6ZzQyUU9mOFo0SWF5QSZyZXR1cm5fc3NvX3VybD1odHRwczovL2VtYmVldGxlLmNvbS8jYWNjb3VudA=
One notable point is that the payload mentioned in the log is not URL-encoded (note the ‘=’ at the end) and is missing the second ‘=’ of the URL-encoded data (note the repeated %3D
at the end of the original payload).