SAML / Require authentication for ANY access

For a SAML-only, self-hosted, apt-based omnibus install, is it possible to lock down any/all port-443 access to require authentication for everything.

To make my point: if I make a group public and you obtain a direct link to the group, you can get access without authentication, and then even if the “public” level is restricted, you can see the member list.

If I make a project in the group public:


Obviously I can fix this by making the group Internal, but I don’t want anything to be accessible via 443 without the user having completed SAML auth.

Is it possible to close this down so that “public” doesn’t mean “unauthenticated”? So that if something is errantly public, you MUST saml auth to access it?

Something I need to do in my nginx config, gitlab.rb, …?