I pretty much have the same question, posted here: Is there a way to convert SAML assertion to token claims without storing them as role/group or user attribute?
There is something called a userSession mapper in the SAML/OIDC identity provider mappers, and a user session note mapper in client scopes. I am thinking of exploring that combination to check if it will work.
But the timeout (user session timeout), etc. could be challenging. Not sure if it will work.