Restrict SAML App via Groups

Hello KeyCloak Community,

We would like to restrict public SaaS application connected via SAML based on the role / group. I have been reading lots of documentation [1-3] on the web, but it seems there is no consensus when it comes to the best solution. Help would be much appreciated (we want to avoid custom script as much as possible)

[1] SAML based Client- group Based Authentication
[2] single sign on - How can I restrict client access to only one group of users in keycloak? - Stack Overflow (last thread)
[3] keycloak-extension-playground/auth-require-group-extension at master · thomasdarimont/keycloak-extension-playground · GitHub