Would you mind elaborating a bit why you don’t think SAML-over-OAuth is a fits-all solution? To me it sounds like eating your cake (SAML) and having it too (not having to use SAML)