Can Omnibus with SASL be configured to require auth for ALL https access?

Self-hosted, omnibus linux installation in a VPC with JumpCloud’s SASL provider for authentication.

Periodically we have to provide external contractors/vendors access, so, we would like to guarantee that any https request is required to authenticate.

Before we bring up another service to host a proxy in-front of it to enforce that, I was hoping it might be possible to achieve within the omnibus install itself?

### OmniAuth Settings
###! Docs:
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
gitlab_rails['omniauth_sync_email_from_provider'] = 'saml'
gitlab_rails['omniauth_sync_profile_from_provider'] = ['saml']
gitlab_rails['omniauth_sync_profile_attributes'] = ['email', 'name', 'nickname', 'location', 'memberOf']
gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
gitlab_rails['omniauth_block_auto_created_users'] = false
#gitlab_rails['omniauth_auto_link_ldap_user'] = true
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_auto_link_user'] = ['saml']
gitlab_rails['omniauth_providers'] = [
    name: "saml",
    label: "JumpCloud SSO",
    group_attribute: 'memberOf',
    required_groups: ['svnusers'],
    args: {
      assertion_consumer_service_url: "https://<elided>/users/auth/saml/callback",
      idp_cert_fingerprint: "<elided>",
      idp_sso_target_url: "",
      name_identifier_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
      attribute_statements: { nickname: ['nickname'] },

Is this something that gitlab can be configured to enforce, other than by making everything Internal? Or is this something I’ll have to go off and figure how to build a proxy service for?