Default external users with LDAP and SSO

Our users can login via ldap and we’ve also configured SSO. Since ldap group sync isn’t supported in GitLab free (self-hosted) we would like to make all users external by default. We’ve used the option on the admin page, but it doesn’t seem to have any effect at all. As soon as people log in via SSO they are normal internal users.
I can also edit a user to be external through the admin pages, but as soon as the user logs in again, he’s not external anymore.

Is there a way to really enforce all users to be external except e.g. admins?