I have a service that allows SSO via SAML2. When SAML2 is used, we delegate the entire authentication process to the Identity Provider.
We are considering adding OAuth in order to support some mobile applications. (We don't want the user to have to log in constantly.)
It's pretty obvious how it will all work together when we are using our own Username/Password authentication, since we are in control of the entire stack.
How will OAuth interact with SAML2 SSO, though? For instance, what should be done to invalidate OAuth grants if the Identity Provider removes a user? What other gotchas (and hopefully standard solutions) are there?