IdP intercept bean to determine if a user has permission to an SP Despite the name, it works for any SP. Decision is based on membership in the group: (group_base)_<SP's DNS name>