Authenticated-only or auto-join auth'd users to a group?

Self-hosted gitlab CE omnibus configured with SSO.

Goal: “public” only accessible with auth (sso or requisite passwords/tokens)

Couldn’t seem to fully achieve this(*1) and putting everything into an Internal group means I have to wait for each user to log in once so I can invite them to the group.

a- Is there a way to restrict all users to the SSO page until they … SSO?
b- Is there a way to automatically associate accounts with a specific group in CE once they authenticate?

(*1 they could either view group lists, project lists, fetch artifacts, or something, I want “Please login” to be the only thing they can view)