Single Sign On (SSO) + security group for permitted users?

Hi, I am a new user, have set up and got SSO to work as per the docs (https://docs.gitea.io/en-us/authentication/#spnego-with-sspi-kerberos-ntlm-for-windows-only) in an Active Directory environment.

Users logging in via SSO as their logged in Windows user are immediately able to access Gitea, and are also Admins by default.

I would like to limit access to those users in an Active Directory security group, and also default users to standard logins (not Admins), however there’s a piece of the puzzle missing in my understanding here of how to do this?

Do I also need an LDAP authentication method configured? LDAP via BindDN is the only section I can see that references a User Filter.

Update: I have disabled the SPNEGO with SSPI option and enabled LDAP via BindDN, and have a ‘Gitea_Users’ security group and a ‘Gitea_Admins’ security group working as per the docs and this great blog post (required a few tweaks to his syntax to get it to work properly for me), but now I don’t have Single Sign-On working. It would be great to get SSO working combined with LDAP security group logins, so any hints or ideas would be great. Currently the SSO via SPNEGO with SSPI authentication overrides the LDAP security groups and just lets anyone into Gitea for me.
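For readers landing here with the same setup, this is an added illustration (not from the original post, the linked blog post or Gitea's own docs) of how the two security groups named in the update map onto the LDAP (via BindDN) source fields; the host name, the `svc_gitea` bind account and the `OU=...`/`DC=example,DC=local` components are placeholders for the poster's domain.

```text
# Gitea > Site Administration > Authentication Sources > Add > LDAP (via BindDN)
# Placeholder values (dc01, svc_gitea, OU/DC names) are assumptions, not from the post.
Authentication Name:   ad-ldap
Host:                  dc01.example.local
Port:                  636
Security Protocol:     LDAPS
Bind DN:               CN=svc_gitea,OU=Service Accounts,DC=example,DC=local
Bind Password:         <service-account-password>
User Search Base:      DC=example,DC=local
# %s is replaced by the login name; the memberOf clause restricts logins to
# direct members of Gitea_Users and the userAccountControl clause excludes
# disabled accounts (bit 2 = ACCOUNTDISABLE, matched with the LDAP_MATCHING_RULE_BIT_AND OID).
User Filter:           (&(objectCategory=Person)(sAMAccountName=%s)(memberOf=CN=Gitea_Users,OU=Groups,DC=example,DC=local)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
# Only members of Gitea_Admins get the admin flag; everyone else who passes
# the User Filter is created as a standard (non-admin) user.
Admin Filter:          (memberOf=CN=Gitea_Admins,OU=Groups,DC=example,DC=local)
Username Attribute:    sAMAccountName
First Name Attribute:  givenName
Surname Attribute:     sn
Email Attribute:       mail
# For nested group membership, replace "memberOf=" with
# "memberOf:1.2.840.113556.1.4.1941:=" (LDAP_MATCHING_RULE_IN_CHAIN).
```

These filters are evaluated only for logins that go through this LDAP source; a separate SPNEGO/SSPI source does not consult them, which matches what the update describes.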