I know how to authorize devices or web services using OAuth2 with access_token, but is it possible to do this using SAML2? Can’t find any info on Google, which leads me to think it’s not really possible, or not really something we do in general.
OAuth2 is an authorization-based protocol. SAML2 is an authentication-based protocol.
The closest you can come to what it sounds like you are trying to achieve is to provide assertion attributes that indicate a user's access (e.g. Security Groups). It is then up to the Service Provider to decide what to do with those attributes (but authorization itself is completely outside the SAML flows).