SAML Enforcement for EE (Self-hosted)

I see gitlab.com cloud has ability to enforce SAML, but can’t see how to do this with self-hosted.
My use case is, once a user is offboarded from AzureAD, want to be sure they can’t also access the org’s Gitlab.