diff -ruN /tmp/guacamole-client.original/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/user/SAMLAuthenticatedUser.java /tmp/guacamole-client/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/user/SAMLAuthenticatedUser.java
--- /tmp/guacamole-client.original/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/user/SAMLAuthenticatedUser.java	2021-12-29 07:23:58.000000000 +0100
+++ /tmp/guacamole-client/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/user/SAMLAuthenticatedUser.java	2022-04-14 16:58:30.151567809 +0200
@@ -27,6 +27,7 @@
 import java.util.Set;
 import java.util.stream.Collectors;
 import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.GuacamoleSecurityException;
 import org.apache.guacamole.auth.saml.acs.AssertedIdentity;
 import org.apache.guacamole.auth.saml.conf.ConfigurationService;
 import org.apache.guacamole.auth.sso.user.SSOAuthenticatedUser;
@@ -98,7 +99,14 @@
 
         List<String> samlGroups = identity.getAttributes().get(confService.getGroupAttribute());
         if (samlGroups == null || samlGroups.isEmpty())
-            return Collections.emptySet();
+            throw new GuacamoleSecurityException("SAML response did not "
+                    + "include the required group information.");
+            // return Collections.emptySet();
+
+	List<String> filter = samlGroups.stream().filter(x -> x.contains("MY_REQUIRED_GROUP")).collect(Collectors.toList());
+        if (filter == null || filter.isEmpty())
+            throw new GuacamoleSecurityException("SAML response does not "
+                    + "contain the required group for this user.");
 
         return Collections.unmodifiableSet(new HashSet<>(samlGroups));