SAML is just a standard; it is entirely in your hands to implement it, and you can use any way to do so. What you need to use in this case is the email address of the user, instead of your application ID and a secret token. You will have a mechanism to communicate between two or more organizations based on a self-defined handshake. In OAuth you used the application, and then asked the user to authenticate the application, but here you are doing the opposite: you want to create and share user information. The complete idea is explained fairly in the Use section of SAML.
Also read: authentication - SAML vs federated login with OAuth - Stack Overflow
Since you are talking about ASP.NET Web API, just use ASP.NET Identity; it has most of the features already introduced in it. You can also integrate it with Active Directory for the organization's internal usage.