The problem essentially boils down to "how can two applications deployed in a trusted network securely communicate with each other in order to exchange security information about a user". It's the same problem SAML solves for applications communicating over untrusted network and it's made easier by the fact that both the authentication point (SP) and the application are under control of the same entity = it's e.g. easier to use symetric cryptography. The SP can in principle communicate with the app using either front-end channel (= through web browser), or back-end channel (= directly between each other over network).

There are different ways to perform the communication (using one, the other, or both channels), most can be implemented using some of the available security products. Here are some ideas:

Both SP and application are sharing the same domain (= user's web browser accesses them on a URL which shares cookies)

• you can configure your SP to store a cookie - a piece of information including e.g. UID and expiration of the authenticated user, the cookie can be encrypted using a shared secret known to both SP and the application. This is approach used e.g. by OpenAM, or Wildfly with shared domain encrypted cookie.
• an alternative of this approach is to send the information about the authenticated user from SP to the application e.g. as an encrypted HTTP POST parameter - similar approach which SAML does, just much more basic.
• same approach could be enhanced by using another secure shared storage - e.g. a database and sending just a reference to a record (e.g. a unique secret session ID)

SP can be used as HTTP proxy for the application

• in this case you can pass the authentication information as an HTTP header to the application, you must ensure that going through SP is the only way the application can be accessed. This is only practical when the SP is part of e.g. a load balancer (e.g. Apache / Nginx plugin).

SP and application could use a standard authentication mechanism to communicate the authentication data

• you could use e.g. Kerberos (which is anyway based on shared-secret encryption) or OAuth

Each of the option might have different attack vectors and possible vulnerabilities.

My opinion is that adding SAML functionality directly into the application, using the HTTP proxy with SAML support, or a standard product which handles the last mile authentication between SP and the application (e.g. OpenAM) is the best way to go. Implementing custom security mechanism might seem easy, but there's a lot of room for making a mistake which leaves the whole solution vulnerable.