Dan is correct. SAML is just the client side of your setup, where the user authentication is done by your IdP. For the CustomAfterSigninLogic to get triggered, in the SAML → IdP configuration, you need to set this tick mark to true:
That would be best configured on the side of your IdP.
Here’s an example with Azure AD. One of the steps involves restricting access to the application by AD group.