Yeah only the first two sentences were actually relevant. The rest was a humble brag that there is no application level security, which is a really weird thing to brag about.

When I use SAML, I still have to check that the user has some sort of attribute that indicates that access was granted to the application. If this access rule is defined outside the application, then why bring up Claude? If it isn't then Claude is responsible for implementing the access rule, which means the comment is 100% wrong.