Note the SSO URL, Entity ID, and Certificate for later.
Application name: Nextcloud
ACS URL: https://HOSTNAME/index.php/apps/user_saml/saml/acs
Entity ID: https://HOSTNAME/index.php/apps/user_saml/saml/metadata
Name ID: Basic Information - Primary Email
Name ID Format: EMAIL
Add New Mapping
mail (attribute mapping) -> Basic Information - Primary Email
mail (this goes in the unnamed text entry field. Needs to match above attribute name)
Check boxes, they're self explainatory
Service Provider Data can be left empty.
Identity Provider Data
https://accounts.google.com/o/saml2?idpid=IDHERE (SSO URL)
https://accounts.google.com/o/saml2/idp?idpid=IDHERE (Entity ID)
URL Location of the IdP where SP will send the SLO request -> Empty
Enter the Certificate provided in the next text entry box.
You can leave security settings alone.
Let me know if this works. I'm copying settings verbatim out of both Google and Nextcloud, but it's been 3 months since my initial attempt, so I may be missing something.
EDIT: Also know that this will cause the user's email address to be their username. If you weren't using that format before, users will be recreated @domain.com. I'm sure database changes to the user table are possible along with renaming user folders to move the pre-existing users over, but 100% not tested by me.
Users can either be autoprovisioned or not, depending on the state of the "Only allow authentication if an account is existent on some other backend. (e.g. LDAP)" checkbox.