[keycloak-user] how to restrict saml authentication by group (or role)

hi all In my configuration users are members of groups like, "nextcloud", "xmpp", "mail", which specifies what services they are allowed to use. That works pretty well, when using LDAP, since it seems that all ldap authentication clients to provide a filter string, so I can filter by string. Unfortunately it seems, like not all saml authentication clients (service providers) do support to filter by groups. So I'd like in keycloak to restrict which users are allowed to authenticate over what client. So I want for example, that only users which are members of the group nextcloud are able to authenticate over the nextcloud saml client in keycloak. So keycloak will just negate an authenticate request for a user which is not member of a certain group for certain clients. But I can't find a way to do that, neither over groups nor rolls. Can somebody point me into the right direction? thanks a lot Michael