Prevents access to group resources when user hasn't signed in with SAML
and SSO enforcement is turned on.

Uses the session to track which SAML group the user has signed in with.
This works using global GitLab::Session from the policy via SsoState.