I know this one is quite old, but it's one of the threads you stumble across when looking for this problem. There is a better option than the proposed one! The proposed option changes the role_list for every Client within the Realm. It is better to override the setting on client level to make sure it only impacts the Nextcloud client.
For this, edit your client, go to Client Scopes and remove role_list from the Assigned Default Client Scopes.
Next, create a new Mapper to actually map the Role List:
- Name: anything you like
- Mapper Type: Role List
- Role Attribute name: Role
- Friendly Name: Anything you like
- SAML Attribute Name Format: Basic
- Single Role Attribute: ON
Hope this helps someone.
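
A way to verify the result of the steps above, added here as an example and not part of the original post: with Single Role Attribute ON, Keycloak sends all roles as values of one `Role` attribute instead of one `Role` attribute per role. The assertion fragments and function names below are constructed for illustration; in practice you would paste the AttributeStatement captured from your own login (for example from a browser SAML tracer).

```python
import xml.etree.ElementTree as ET
from collections import Counter

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ATTR_TAG = f"{{{SAML_NS}}}Attribute"
VALUE_TAG = f"{{{SAML_NS}}}AttributeValue"
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"


def _attr(name, values):
    """Build one constructed <saml:Attribute> element as text."""
    vals = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
    return f'<saml:Attribute Name="{name}" NameFormat="{BASIC}">{vals}</saml:Attribute>'


def _statement(body):
    """Wrap constructed attributes in an AttributeStatement."""
    return (f'<saml:AttributeStatement xmlns:saml="{SAML_NS}">'
            f"{body}</saml:AttributeStatement>")


# Constructed sample: Single Role Attribute OFF, one attribute per role.
SPLIT = _statement(_attr("Role", ["admin"]) + _attr("Role", ["users"]))
# Constructed sample: Single Role Attribute ON, one attribute, many values.
SINGLE = _statement(_attr("Role", ["admin", "users"]))


def duplicated_names(xml_text):
    """Return attribute names that occur in more than one <Attribute> element."""
    root = ET.fromstring(xml_text)  # only feed this your own captured assertions
    counts = Counter(a.get("Name") for a in root.iter(ATTR_TAG))
    return sorted(name for name, n in counts.items() if n > 1)


def role_values(xml_text, role_name="Role"):
    """Return the value list of every attribute named role_name."""
    root = ET.fromstring(xml_text)
    return [[v.text for v in a.findall(VALUE_TAG)]
            for a in root.iter(ATTR_TAG) if a.get("Name") == role_name]


if __name__ == "__main__":
    for label, doc in (("mapper OFF", SPLIT), ("mapper ON", SINGLE)):
        print(label, "duplicates:", duplicated_names(doc), "roles:", role_values(doc))
```

An empty duplicates list for the Nextcloud client, while other clients in the realm still use the unchanged role_list scope, confirms the override is limited to that one client.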