Hi @Ryan Campbell , I believe there's a minimum level of internet access required so that the network can reach the SAML authentication services. I believe the firewall needs to be open to everything in category 56: https://learn.microsoft.com/en-ca/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide#microsoft-365-common-and-office-online
Please let me know if you have any questions!
If this answer helped you please mark it as "Verified" so other users can reference it.
Thank you,
James