Dan is correct. SAML is just the client side of your setup where the user authentication is done by your IdP. For the CustomAfterSigninLogic to get triggered, in the SAML → IdP configuration, you need to set this tick mark to true:
That would be best configured on the side of your IdP.
Here’s an example with Azure AD. One of the steps involves restricting access to the application by AD group.
https://medium.com/mendix/azure-ad-sso-integration-with-mendix-app-b7bddd1429f6