SAML->groups and Nobody-but-Somebody

We’re running our CE behind a firewall with a JumpCloud SSO via SAML.

We’d like to ensure that you can’t see anything via the web interface without being SAML authenticated, but it seems like if anything is public, then it can be seen without auth, even though I set restricted visibility on public.

The SAML provider only grants auth to users of an “svn” group, but then our users don’t get automatic membership to our “Dev” group in GitLab.

  1. Is there a way to prevent any kind of access outside the sign-in page to anyone who is not signed in?

  2. Is there a way to mark a GitLab group as a default group so that SAML users are automatically added? Or a way to map a SAML group <-> GitLab group?

I’ve combed over the documentation (again) since posting, and the gitlab.rb file, and the closest I can find is “saml_group”. There are setup instructions, but they don’t really explain what or why (like visibility restrictions), and my installation doesn’t recognize it anyway (so I suspect it’s an EE feature I’ll have to circle back to later in the decision process).