Obtain WS-Fed SAML token with OIDC Access Token (without involvement of a browser)

We have WS-Fed-protected, non-public systems which are not accessible through the browser, and we need to authenticate with them through the backend.

It is very easy to obtain a SAML token through the client’s WS-Fed endpoint when you are making the call through the browser and already are authenticated with Auth0 session cookies.

What options do we have on the backend?
We do have access to the user’s access token.

Can we somehow exchange an access token for a SAML token, or call the Auth0 SP WS-Fed endpoint with an access token without a browser session?

We have tried all sorts of combinations with custom databases, social connect app contraptions and mock WS-Fed IdPs, but these all boil down to impersonation, and for audit reasons we need a non-impersonated SAML token: one which has been issued by Auth0 without a 2nd-leg IdP, using the access token as proof of identity (authentication).

To my knowledge, we only support the passive requestor profile when it comes to the Auth0 service acting as a WS-Federation identity provider, so, like you said, this would imply the presence of a browser (user-agent). Due to this, I’m afraid what you require does not seem to be supported.

Thanks @jmangelo for the reply.
Specifically, AFAIK we need the following OAuth2 token flow: rfc7523
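For readers unfamiliar with the flow named above, here is what an RFC 7523 JWT-bearer grant looks like on both sides. This is an added illustration, not code from any post in this thread and not Auth0 code; the thread's replies state that Auth0 did not support this grant, and the example does not claim otherwise. The client id, token endpoint, subject and shared secret are made up, and HS256 is used only so the example runs offline with the standard library (a real deployment would use an asymmetric key such as RS256 or ES256 registered with the authorization server).

```python
"""RFC 7523 JWT-bearer grant, client and authorization-server side, stdlib only.

Added example: not Auth0 code, and not a claim that Auth0 supports this grant.
All identifiers below are hypothetical. HS256 with a shared secret is used so
the example runs offline; production assertions are normally signed with an
asymmetric key whose public half is registered with the authorization server.
"""
import base64
import hashlib
import hmac
import json
import time
import urllib.parse
import uuid
from typing import Optional

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"

# Constructed, hypothetical values for the example.
CLIENT_ID = "backend-service"
SHARED_SECRET = b"example-shared-secret-not-for-production"
TOKEN_ENDPOINT = "https://as.example/oauth/token"  # the assertion's 'aud' must name the AS


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(signing_input: bytes, key: bytes) -> str:
    return _b64url(hmac.new(key, signing_input, hashlib.sha256).digest())


def build_assertion(subject: str, key: bytes, now: Optional[int] = None, lifetime: int = 300) -> str:
    """Client side: mint the assertion JWT described in RFC 7523 section 3."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": CLIENT_ID,          # who vouches for the subject
        "sub": subject,            # the user the access token is being requested for
        "aud": TOKEN_ENDPOINT,     # the authorization server that must accept it
        "iat": now,
        "exp": now + lifetime,     # short-lived: the assertion is meant for one request
        "jti": str(uuid.uuid4()),  # unique id so the AS can reject replays
    }
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    return signing_input + "." + _sign(signing_input.encode(), key)


def build_token_request(assertion: str, scope: str = "openid") -> str:
    """Client side: the form body POSTed to the token endpoint (RFC 7523 section 2.1)."""
    return urllib.parse.urlencode({"grant_type": JWT_BEARER, "assertion": assertion, "scope": scope})


def validate_assertion(request_body: str, key: bytes, now: Optional[int] = None,
                       seen_jti: Optional[set] = None) -> dict:
    """Authorization-server side: the checks RFC 7523 section 3 requires before issuing a token.
    Returns the verified claims or raises ValueError."""
    now = int(time.time()) if now is None else now
    params = dict(urllib.parse.parse_qsl(request_body))
    if params.get("grant_type") != JWT_BEARER or "assertion" not in params:
        raise ValueError("not a jwt-bearer grant")
    parts = params["assertion"].split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h, c, sig = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the verifier, not the token, picks the algorithm
    if not hmac.compare_digest(_sign((h + "." + c).encode(), key), sig):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c))
    if claims.get("iss") != CLIENT_ID:
        raise ValueError("unknown issuer")
    if claims.get("aud") != TOKEN_ENDPOINT:
        raise ValueError("wrong audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("assertion expired")
    if seen_jti is not None:
        if claims.get("jti") in seen_jti:
            raise ValueError("replayed assertion")
        seen_jti.add(claims["jti"])
    return claims


def accepted(request_body: str, key: bytes, now: Optional[int] = None,
             seen_jti: Optional[set] = None) -> bool:
    """Convenience wrapper: True if the AS would issue a token for this request."""
    try:
        validate_assertion(request_body, key, now=now, seen_jti=seen_jti)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    body = build_token_request(build_assertion("user@example.com", SHARED_SECRET))
    print(body)
    print(validate_assertion(body, SHARED_SECRET))
```

Note what the outcome of this exchange is: the token endpoint answers with an OAuth 2.0 access token, not a WS-Federation or SAML token, which is the point the next reply in the thread makes.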

I’m afraid that RFC is not currently supported. I may be missing something, but that RFC would be relevant for an OAuth 2.0 outcome (as in, getting OAuth 2.0 access tokens), while the backend you mention is expecting a WS-Federation outcome, so I’m unsure whether it would be a full solution even if the RFC were supported.