Description
Is your feature request related to a problem? Please describe.
The IDP we are using has many users and will just authenticate them, but not inhibit login to an SSO client. If a user is authenticated, they are redirected to any client they want to. We only want some users with the correct role to be able to log in to CKAN.
Describe the solution you'd like
We want the plugin to check for a certain role in the SSO response and only allow login if the role is present. The role should be adjustable via the ckan.ini file.
Describe alternatives you've considered
It would be even better if the IDP would forbid logging into SSO clients that the user should not have access to, but this seems not to be possible with SAML. OpenID Connect may have such a feature, but this is SAML only.
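
An added example of the role gate requested above, not code from the plugin or from this issue's author: it checks the attributes of an already signature-validated SAML assertion against roles read from the config and denies login when none match. The two option names, the `role` attribute name and the sample values are assumptions made for illustration.

```python
# Added example. Option names are hypothetical, not real plugin settings.
ROLE_ATTR_OPTION = "ckanext.saml.required_role_attribute"  # hypothetical
ROLES_OPTION = "ckanext.saml.required_roles"               # hypothetical


class LoginDenied(Exception):
    """The IdP authenticated the user, but no required role was asserted."""


def required_roles(config):
    """Configured roles as a set (space or comma separated); empty = check off."""
    raw = config.get(ROLES_OPTION) or ""
    return {r for r in raw.replace(",", " ").split() if r}


def authorize_login(config, saml_attributes):
    """Return True if login may proceed, raise LoginDenied otherwise.

    saml_attributes maps attribute name -> list of values and must come from
    an assertion whose signature and audience were already validated.
    """
    wanted = required_roles(config)
    if not wanted:
        return True  # option unset: behaviour stays as before
    attr_name = config.get(ROLE_ATTR_OPTION)
    if not attr_name:
        # Roles demanded but no attribute named: fail closed, do not guess.
        raise LoginDenied("required roles set, role attribute option missing")
    values = saml_attributes.get(attr_name) or []
    if isinstance(values, str):  # tolerate a single-valued attribute
        values = [values]
    present = {v.strip() for v in values if isinstance(v, str)}
    if wanted & present:  # exact, case-sensitive match on any one role
        return True
    raise LoginDenied(f"no required role in SAML attribute {attr_name!r}")


# Constructed sample input (as it might be parsed from ckan.ini and a response).
SAMPLE_CONFIG = {ROLE_ATTR_OPTION: "role", ROLES_OPTION: "ckan-user ckan-admin"}
SAMPLE_ALLOWED = {"mail": ["a@example.org"], "role": ["staff", "ckan-user"]}
SAMPLE_DENIED = {"mail": ["b@example.org"], "role": ["staff"]}

if __name__ == "__main__":
    print(authorize_login(SAMPLE_CONFIG, SAMPLE_ALLOWED))
```

The check has to run before the local user is created or updated and before any session is issued, so a denied user leaves no account behind in CKAN.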