Issue with Keycloak / SAML2 SSO "Found an Attribute element with duplicated Name"

Adding something here as the forum software believes this is too similar to the update I posted to the other thread. I hope this is still okay, especially as it’s quite old, but it took me some time to figure it out. The proposed solution changes the role_list for every Client within the Realm. It is better to override the setting on client level to make sure it only impacts the Nextcloud client.

For this, edit your client, go to Client Scopes and remove role_list from the Assigned Default Client Scopes.

Next, create a new Mapper to actually map the Role List:

  • Name: anything you like
  • Mapper Type: Role List
  • Role Attribute name: Role
  • Friendly Name: Anything you like
  • SAML Attribute Name Format: Basic
  • Single Role Attribute: ON

Hope this helps someone.
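
To confirm the change took effect, you can inspect a SAML response captured from your own login. The following is an added example, not part of the original post: the two AttributeStatement samples are constructed to show the per-role form and the Single Role Attribute form, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import Counter

ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ATTRIBUTE = "{%s}Attribute" % ASSERTION_NS
VALUE = "{%s}AttributeValue" % ASSERTION_NS


def _statement(attributes_xml):
    # Wrap constructed <saml:Attribute> elements in an AttributeStatement.
    return ('<saml:AttributeStatement xmlns:saml="%s">%s</saml:AttributeStatement>'
            % (ASSERTION_NS, attributes_xml))


# Constructed sample: Single Role Attribute OFF, one <Attribute Name="Role"> per role.
DUPLICATED = _statement(
    '<saml:Attribute Name="Role"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>'
    '<saml:Attribute Name="Role"><saml:AttributeValue>users</saml:AttributeValue></saml:Attribute>'
)

# Constructed sample: Single Role Attribute ON, one <Attribute> carrying every role.
SINGLE = _statement(
    '<saml:Attribute Name="Role">'
    '<saml:AttributeValue>admin</saml:AttributeValue>'
    '<saml:AttributeValue>users</saml:AttributeValue>'
    '</saml:Attribute>'
)


def duplicated_attribute_names(statement_xml):
    """Return the Attribute names that appear more than once (the error condition)."""
    root = ET.fromstring(statement_xml)
    names = [a.get("Name") for a in root.iter(ATTRIBUTE) if a.get("Name")]
    return sorted(n for n, count in Counter(names).items() if count > 1)


def attribute_values(statement_xml, name):
    """Collect every value sent under the given Attribute name, in document order."""
    root = ET.fromstring(statement_xml)
    return [v.text for a in root.iter(ATTRIBUTE) if a.get("Name") == name
            for v in a.iter(VALUE)]


if __name__ == "__main__":
    for label, xml in (("OFF", DUPLICATED), ("ON", SINGLE)):
        print(label, duplicated_attribute_names(xml), attribute_values(xml, "Role"))
```

Both forms carry the same roles; only the first repeats the Attribute name, which is what the service provider rejects.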