In Apache httpd, using the Shib SP, you can certainly `require`
anything that you feed to the SP via SAML attributes.
And specifying `require group foo` with a groups file (as per the
httpd docs) is just a different way of saying
`require user alice bob mary john`.
The XML Access Control plugin is just an example, but it's handy
sometimes (when you want to combine several rules, some of which
are to be AND'ed while others are to be OR'ed).
The alternative on Apache is using htaccess support, which is built-in and
doesn't require any special configuration. Within htaccess, the SP supports
"require group" in the usual fashion that mod_auth_* does.
I'm not sure that in practice it makes much difference, since either method
is just a file with a list of names. Using attributes that represent groups
maintained externally is normally the more scalable model.
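
To illustrate the AND/OR combination mentioned above for the XML Access Control plugin, here is an added example that is not part of the original posts. The attribute ids `affiliation` and `entitlement`, and all values, are constructed and assume matching entries in the SP's attribute map.

```xml
<!-- Added illustration; attribute ids and values are constructed placeholders. -->
<AccessControl>
  <AND>
    <!-- Must hold: the user carries the staff affiliation. -->
    <Rule require="affiliation">staff@example.org</Rule>
    <OR>
      <!-- Either: one of these named users (what a groups file amounts to)... -->
      <Rule require="user">alice bob mary john</Rule>
      <!-- ...or: an externally maintained group released as an attribute value. -->
      <Rule require="entitlement">urn:example:entitlement:wiki-editors</Rule>
    </OR>
  </AND>
</AccessControl>
```

A `Rule` with several space-separated values is satisfied when any one of them matches, so the `user` rule is already an OR over the listed names.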