Permit User only SAML Auth


i am using the AD-comp Domain Controller and the SAML IdP in UCS. By creating a new user, this has per default permissions to authenticate on all windows systems in the domain. How can I create/configure Users, that are only allowed to authenticate with an SAML Application?

Is this possible by adding the user to a specific group?

Thanks in advance