SAML authentication against Azure AD via APIs when running Catalog under SAML does not work. Authentication can be implemented for other identity providers, such as Okta, which have publicly available APIs. Microsoft's APIs are not available.
We reviewed last week with your team an approach for dedicating a Catalog node running under the "podium" authentication exclusively for use with APIs, a similar setup to an HA configuration. Your security expert shared that he thought it was a solid approach.