It would be very useful to be able to use an OAuth flow (both for regular user authorization, as well as a client-credentials flow for service principals) to obtain a SAML, rather than JWT token.

This could be achieved by either doing an OAuth flow that produces a SAML token directly, or by exposing an endpoint capable of taking a JWT token and returning a SAML token for the application (the opposite of the OAuth2 SAML bearer assertion flow, essentially).

The scenario for this is applications that need to support modern authentication in order to authenticate to external applications that use Azure AD as SSO but only support SAML (rather than OAuth).

Since Azure AD doesn't provide a WS-Trust endpoint for active authentication (which is undesirable as it doesn't support MFA), and WS-Federation passive requestor mode isn't suitable for application authentication, there's no way to implement apps that require this authentication scenario.