There needs to be an option that allows some accounts to bypass MFA without needing to be assigned an AuthPoint license. I know this has been done for LogonApp, but it needs to be done for SAML applications too.
The issue with trying to do this is that the SAML application will push the user to AuthPoint regardless of them being licensed or not. This creates a larger burden on the authentication servers which now must handle authentication for that user even if they're not using MFA.
The solution to avoid that situation is for the application to determine where to send users, per user or by group. Unfortunately, most systems do it as an all-or-nothing setting.
WatchGuard Customer Support