[keycloak-user] Securing a REST API Along Side SAML

I have a web app that makes REST calls to various servers (all of which I have control of). I have a requirement to secure my web app with SAML using keycloak (which I have been able to do). Now I want to secure my REST APIs. After doing some digging into the Keycloak docs and the mailing list it appears that I should use the SAML assertion to get an OAtuh2 token (since it appears using ECP is ill-advised). My understanding is that I cannot get a username and it's roles from Keycloak by giving it a SAML assertion. So does this mean I need to keep track of active sessions and the users and roles they correspond to? This seems like a bad idea to me because it could easily become out of sync with Keycloak. I understand I can get the username and roles from the intial login assertion, but I would think I would want my REST APIs to verify the requester is who they say they are. Please correct me if I am over looking or misunderstanding something. But if anyone has suggestions they would be appreciated. Thanks, Caleb