If JWTs are bad, XML digsigs are "literally Cthulhu".
The other platforms I've used or integrated with - Tivoli, Layer 7, Ping Federate, a huge hack job written in PHP - all took weeks/months to get working.
That said, I haven't tried Spring SAML recently, so maybe that is painless now. But probably not.
For our usage, even that was overkill and we are using Ipsilon (https://ipsilon-project.org/), with an IPA backend. It is more quirky, docs are scarce, but it works for us.
On the app side, it is mod_auth_mellon.