Yup, although calling it black magic isn't far off from the truth. It's why I stick with OAuth and let my coworker handle SAML. (They do SAML both directions, which is how we added it to AAD and Windows.) It's a bit of a rough implementation though, so we can't do everything we'd like.