I think I might be getting somewhere. So the guide by @boospy mentions:
univention-keycloak saml/sp create --metadata-url="https://nextcloud.domain/index.php/apps/user_saml/saml/metadata" --role-mapping-single-value
I removed my initial Client entry (which I created in the Keycloak GUI) and recreated it with this CLI line.
Then in the Keycloak GUI added:
Valid redirect URIs
- https://nextcloud.domain/index.php/apps/user_saml/saml/sls
- https://nextcloud.domain/index.php/apps/user_saml/saml/acs
In nextcloud:
The Public X.509 cert comes from Keycloak Realm Settings → Keys → RS256 → Certificate
This finally is working, although I have some other issues with authentication due to nextcloud misconfiguration at the installation
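The two things the post had to get right by hand, the redirect URIs on the Keycloak client and the X.509 cert pasted into Nextcloud, can both be cross-checked against the metadata each side publishes. Below is an added example (my own, not code from the post, from univention-keycloak or from Nextcloud) that parses the SP metadata Nextcloud serves at the `user_saml` metadata URL and the IdP descriptor Keycloak serves for the realm, then reports any ACS/SLS endpoint missing from the configured redirect URIs and whether the pasted cert is one of the realm's current SAML signing certs. Assumptions: the host names `nextcloud.domain` and `keycloak.domain` and the realm name are placeholders, the two XML documents are constructed stand-ins for what the real URLs return, and the certificate body is a placeholder string, not a real DER certificate.

```python
"""Cross-check a Nextcloud user_saml SP against a Keycloak realm's SAML
descriptor. Added example, not code from the post or from
univention-keycloak/Nextcloud. The XML below is constructed sample data."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample of https://nextcloud.domain/index.php/apps/user_saml/saml/metadata
SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://nextcloud.domain/index.php/apps/user_saml/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://nextcloud.domain/index.php/apps/user_saml/saml/sls"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://nextcloud.domain/index.php/apps/user_saml/saml/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample of the realm's IdP descriptor
# (https://keycloak.domain/realms/<realm>/protocol/saml/descriptor, assumed path).
# The certificate body is a placeholder, NOT a real X.509 certificate.
FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real DER certificate").decode()
IDP_DESCRIPTOR = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://keycloak.domain/realms/example">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:KeyName>rs256-key</ds:KeyName>
        <ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def sp_endpoints(sp_xml: str) -> dict:
    """Return {'acs': [...], 'sls': [...]}: the URLs the Keycloak client must
    list as valid redirect URIs for login and logout to complete."""
    sp = ET.fromstring(sp_xml).find("md:SPSSODescriptor", NS)
    return {
        "acs": [e.get("Location") for e in sp.findall("md:AssertionConsumerService", NS)],
        "sls": [e.get("Location") for e in sp.findall("md:SingleLogoutService", NS)],
    }


def missing_redirect_uris(sp_xml: str, configured: set) -> set:
    """Endpoints the SP advertises that are absent from the client's
    'Valid redirect URIs'; anything returned here breaks login or logout."""
    ep = sp_endpoints(sp_xml)
    return set(ep["acs"] + ep["sls"]) - configured


def _normalize_cert(cert: str) -> str:
    """Strip PEM armour and whitespace so a GUI copy/paste compares equal
    to the bare base64 body in the metadata."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", cert)
    return "".join(body.split())


def idp_signing_certs(idp_xml: str) -> list:
    """All base64 cert bodies the realm currently uses for signing
    (a KeyDescriptor without 'use' covers both signing and encryption)."""
    certs = []
    for kd in ET.fromstring(idp_xml).iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        certs.extend(_normalize_cert(c.text) for c in kd.iterfind(".//ds:X509Certificate", NS))
    return certs


def cert_fingerprint(cert_b64: str) -> str:
    """SHA-256 over the decoded bytes, for comparing against the Keycloak GUI."""
    return hashlib.sha256(base64.b64decode(_normalize_cert(cert_b64))).hexdigest()


def pasted_cert_matches_idp(pasted: str, idp_xml: str) -> bool:
    """True if the cert pasted into Nextcloud is one of the realm's signing certs."""
    return _normalize_cert(pasted) in idp_signing_certs(idp_xml)


if __name__ == "__main__":
    configured = {"https://nextcloud.domain/index.php/apps/user_saml/saml/sls",
                  "https://nextcloud.domain/index.php/apps/user_saml/saml/acs"}
    print("missing redirect URIs:", missing_redirect_uris(SP_METADATA, configured) or "none")
    pem = "-----BEGIN CERTIFICATE-----\n" + FAKE_CERT_B64 + "\n-----END CERTIFICATE-----"
    print("pasted cert matches IdP:", pasted_cert_matches_idp(pem, IDP_DESCRIPTOR))
    for c in idp_signing_certs(IDP_DESCRIPTOR):
        print("IdP signing cert sha256:", cert_fingerprint(c))
```

Against a live deployment you would replace the two constants with the bodies fetched from the real metadata URLs; the cert check is worth re-running after any realm key rotation, since a stale cert in Nextcloud fails every assertion signature silently from the user's point of view.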