Is it possible to exchange an OAuth2 access token (or OpenID Connect id_token) for a WS-* SAML token?

Here is our specific scenario that we would like to accomplish:

1. A user has been authenticated using an OpenID Connect endpoint and issued an id_token.
2. The same user has been authorized using an OAuth 2 endpoint and issued an access token.
3. A single-page application (SPA) requests data from a secured ASP.NET Web API and it sends the id_token and access token.
4. Here's the question/tricky part: We would like the ASP.NET Web API to fetch data from a WCF service that is secured using WS-*, so the WCF service requires a signed SAML token.

Is it possible to exchange the OpenID Connect id_token and/or the OAuth 2 access token for a SAML token that conforms to WS-* specifications?

We would like to use ADFS on Windows Server 2016, but we're also open to other secure token services (STS), such as Azure ADFS, etc.

It seems that you could implement access token exchange in your OAuth server as there is nothing in the spec strictly forbidding it.

OAuth doesn't make any explicit specifications for what shape your access token or refresh tokens are in. So you could use WS-* or whatever suits your client/RP needs.

You could use any of these types of tokens:

• WS-Security tokens, especially SAML tokens

• JWT tokens

• Custom tokens

The id_token itself MUST be a JWT, however.