Hi Thales,
I’ve flagged this for the PMs to consider the 2FA suggestion.
Local login and SAML use different mechanisms, so this should be feasible.
The best way to master the API (and see which URLs to block) is to perform the desired action via the UI and eavesdrop to see which calls the UI made to accomplish the action.
You may also find this guide helpful.
HTH,
Ann