My opinion. Mine only. I do not represent anyone but me.
Getting SAML added to SIP is going to require working closely with a LOT of people, many of whom have no incentive to support SAML. This isn’t a monolithic “connect and go” interface; we have people logging in to user interfaces (UCP) and phones logging in to SIP, PJSIP, and SCCP interfaces. At least one of those (SCCP) is going to be enormously resistant to change. We have hardware, software, and API interfaces that need secured and every one of these is going to be challenging from the start.
If I was thinking about this and being (really) old school, I’d probably start by building the SAML interface into the product and let people use it by hand. If they find it useful, they’ll want a management interface that they can then exploit. Then, and only then, would I consider adding a commercial support module.
I’m not working from a theoretical position here. When we were getting Chan-SCCP-B working with FreePBX, we got it working first (for free) and then I wrote a really horrible management module that other people have improved to manage it (once again, for free). Diedrick supports Chan-SCCP-B for a fee for people that need the support and can’t follow the instructions I wrote to install it for free. I have, in fact, done a couple of “commercial” jobs supporting the installation for the software. This “artisan” industry approach has worked very well for me and the people that like phones we can get for 80 cents a pound.
As with all my advice, feel free to ignore. Just thought I’d try to share some of my experience.