When implementing OpenID Connect, an identity (ID) token is required. When building a SaaS service that performs its own local login/authn and also delegates to third-party IdPs, such as via Single Sign-On, whose ID token should the SaaS service provide to the consumer of the SaaS service: an ID token generated by the SaaS service, or the ID token provided by the upstream IdP?
Also of note, the SaaS service supports, and must continue to support, SAML.
I've looked at both approaches but haven't found a definitive answer.
A benefit of having the SaaS service provide the ID token seems to be uniformity and consistency for all users on the system, regardless of what SSO provider they chose.
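The "SaaS service provides its own ID token" approach described in the question, as an added example that is not part of the original post: an already-validated upstream OIDC ID token or SAML assertion is reduced to a minimal shape, mapped to a stable local subject, and re-issued under the SaaS service's own issuer and key, so the consumer verifies one issuer regardless of the upstream provider. The function names, the HS256 shared secret and the private `upstream_iss` claim are assumptions for illustration.

```python
import base64, hashlib, hmac, json

# Assumption: HS256 with a shared server-side secret keeps the example self-contained; a real
# deployment would sign with an asymmetric key published in the SaaS service's JWKS.
def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _json(part: dict) -> bytes:
    return json.dumps(part, separators=(",", ":"), sort_keys=True).encode()

def local_subject(upstream_iss: str, upstream_sub: str) -> str:
    # Stable local identifier: the same upstream (iss, sub) pair always maps to the same
    # local sub, and the consumer never sees the raw upstream identifier.
    return hashlib.sha256(f"{upstream_iss}\x00{upstream_sub}".encode()).hexdigest()[:32]

def normalize_saml(entity_id: str, name_id: str, not_on_or_after: int) -> dict:
    # A SAML assertion reduced to the same minimal shape as a validated OIDC ID token.
    return {"iss": entity_id, "sub": name_id, "exp": not_on_or_after}

def issue_local_id_token(upstream: dict, local_issuer: str, client_id: str,
                         key: bytes, now: int, lifetime: int = 300) -> str:
    """Mint the SaaS service's own ID token from an already-validated upstream assertion."""
    for claim in ("iss", "sub", "exp"):
        if claim not in upstream:
            raise ValueError(f"upstream assertion missing '{claim}'")
    if upstream["exp"] <= now:
        raise ValueError("upstream assertion has expired")
    claims = {
        "iss": local_issuer, "sub": local_subject(upstream["iss"], upstream["sub"]),
        "aud": client_id, "iat": now, "exp": now + lifetime,
        "auth_time": upstream.get("auth_time", now),
        "amr": ["fed"],                    # RFC 8176: authenticated through a federated assertion
        "upstream_iss": upstream["iss"],   # constructed private claim: which IdP vouched for the user
    }
    signing_input = _b64url(_json({"alg": "HS256", "typ": "JWT"})) + "." + _b64url(_json(claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_local_id_token(token: str, local_issuer: str, client_id: str, key: bytes, now: int) -> dict:
    """What the SaaS consumer checks: one issuer and one key, whichever IdP was upstream."""
    head, body, sig = token.split(".")
    if json.loads(_b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # never let the token choose the algorithm
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims["iss"] != local_issuer or claims["aud"] != client_id or claims["exp"] <= now:
        raise ValueError("issuer, audience or expiry check failed")
    return claims
```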