[keycloak-user] how to restrict saml authentication by group (or role)

Michael Meier schissdraeck at rmm.li
Wed Oct 4 09:11:52 EDT 2017


Hi all,

In my configuration, users are members of groups like "nextcloud",
"xmpp", "mail", which specify what services they are allowed to use.
That works pretty well when using LDAP, since it seems that all LDAP
authentication clients provide a filter string, so I can filter by
string.
Unfortunately, it seems like not all SAML authentication clients
(service providers) support filtering by groups. So I'd like to
restrict in Keycloak which users are allowed to authenticate over which
client.
So I want, for example, that only users who are members of the group
nextcloud are able to authenticate over the nextcloud SAML client in
Keycloak. So Keycloak will just negate an authentication request for a
user who is not a member of a certain group for certain clients.
But I can't find a way to do that, neither over groups nor roles.
Can somebody point me in the right direction?

Thanks a lot,
Michael

