Nextcloud + single sign on

UCS: 4.4-3 errata438, Nextcloud: 17.0.2-0

Configured as described here.
The result of ucr get saml/idp/entityID is stored in the Nextcloud installation options.
Opening the URL “https://ucs-sso.domain.com/simplesamlphp/saml2/idp/metadata.php” in a browser shows the correct metadata.

Access:
Starting from UCS portal --> app Nextcloud --> SSO & SAML Anmeldung --> ucs-sso login screen --> access denied error.
All users and the admin are marked for Nextcloud access in the user options.

How could I fix this issue?

The URL after login at the ucs-sso login screen contains:

https://ucs-sso.domain.com/simplesamlphp/module.php/authorize/authorize_403.php?StateId=_55bedf1162a9f22192579e7708293f0c4a1b97dcf5%3Ahttps%3A%2F%2Fucs-sso.domain.com%2Fsimplesamlphp%2Fsaml2%2Fidp%2FSSOService.php%3Fspentityid%3Dhttps%3A%2F%2Fucs-memberserver.domain.com%2Fnextcloud%2Fapps%2Fuser_saml%2Fsaml%2Fmetadata%26cookieTime%3D1581333636%26RelayState%3Dhttp%3A%2F%2Fucs-memberserver.domain.com%2Fnextcloud%2Fapps%2Fuser_saml%2Fsaml%2Flogin
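The address above carries the whole rejected request, percent-encoded inside its StateId parameter. The following is an added example, not part of the original post: it unpacks that URL to show which simpleSAMLphp module returned the 403 and which service provider entity ID and RelayState the identity provider received. The function name and the keys of the returned dictionary are chosen here for illustration.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# URL copied from the post above, split across lines for readability only.
DENIED_URL = (
    "https://ucs-sso.domain.com/simplesamlphp/module.php/authorize/authorize_403.php"
    "?StateId=_55bedf1162a9f22192579e7708293f0c4a1b97dcf5"
    "%3Ahttps%3A%2F%2Fucs-sso.domain.com%2Fsimplesamlphp%2Fsaml2%2Fidp%2FSSOService.php"
    "%3Fspentityid%3Dhttps%3A%2F%2Fucs-memberserver.domain.com%2Fnextcloud%2Fapps%2Fuser_saml%2Fsaml%2Fmetadata"
    "%26cookieTime%3D1581333636"
    "%26RelayState%3Dhttp%3A%2F%2Fucs-memberserver.domain.com%2Fnextcloud%2Fapps%2Fuser_saml%2Fsaml%2Flogin"
)


def decode_denied_url(url):
    """Unpack a simpleSAMLphp 403 URL into the request the IdP rejected."""
    outer = urlsplit(url)
    # parse_qs percent-decodes the value once, exposing "<state id>:<restart URL>".
    state = parse_qs(outer.query)["StateId"][0]
    state_id, _, restart_url = state.partition(":")

    inner = urlsplit(restart_url)
    params = {key: values[0] for key, values in parse_qs(inner.query).items()}
    sp_entity_id = params.get("spentityid", "")
    relay_state = params.get("RelayState", "")
    cookie_time = datetime.fromtimestamp(int(params["cookieTime"]), tz=timezone.utc)

    return {
        "idp_host": outer.hostname,
        # First path element after module.php names the module that answered.
        "module": outer.path.split("/module.php/")[-1].split("/")[0],
        "state_id": state_id,
        "sso_endpoint": inner.path,
        "sp_entity_id": sp_entity_id,
        "relay_state": relay_state,
        "cookie_time_utc": cookie_time.isoformat(),
        # True when the SP metadata URL and the RelayState use different schemes.
        "scheme_differs": urlsplit(sp_entity_id).scheme != urlsplit(relay_state).scheme,
    }


if __name__ == "__main__":
    for field, value in decode_denied_url(DENIED_URL).items():
        print(f"{field:16} {value}")
```

The decoded sp_entity_id is the value to compare, character for character, with the service provider entry that the user accounts are enabled for on the UCS side.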
