by 1cvmask 1708 days ago
While access control is now top of the list this year, a SAML integration to Flourish Studio is only available in the enterprise plan (for pricing contact them).

This is probably why access control is number 1.

SAML and MFA should be available for all plans. Secure access should not be gated just to the expensive plans.

Disclaimer: I was involved in the design of the MFA and SAML integration UX for saas pass.

4 comments

For you and anyone else in agreement, https://sso.tax/ sounds right up your alley.

Broken access control is things like direct object vulnerabilities and authorisation bypasses _as well_ as broken authentication controls.

I'm not saying you're wrong, and agree that security should never be a 'premium' product, but it's important to identify that it isn't _just_ limited to authentication.

That being said, messing with SAML/OAuth assertions is generally pretty fruitful when pentesting, and MFA is something I'd recommend in almost all public-facing applications.

Federated access control is really important for enterprise and a significant security benefit.

However, I don't think that shows up as vulns. Even if you use SAML you still have to implement it, and it's an absolutely terrible protocol full of ways to shoot yourself in the foot and do it wrong.

Boy do I agree with you, although I suspect SAML is a potentially huge source of support woes for the seller.