If the SAML service that you are trying to connect is in your application, then can you modify the access group in the WebSSO service package to your own application level unauthenticated access group. If it works, include this service package data instance in the RAP rule that you ship with.
I'm not sure if this is an outstanding problem for the original poster, but we ran into an identical issue upon upgrading from PRPC 7.2.1 to 7.3. The root of the problem seems to be in how Pega has changed the SAML authentication processing in pySAMLWebSSOAuthenticationActivity AND made that a Final rule in the process. It appears that the intent is no longer that you use that as a starting point and make changes, but that you either accept it as-is or write a custom activity that bases off of it. Further, pyEstablishOperatorContext has likewise been made Final.
We managed to get it all working again by reverting pySAMLWebSSOAuthenticationActivity to the OOTB version, though we were forced to keep pyEstablishOperatorContext as overridden locally as the OOTB version doesn't handle situations where an invalid org/division/unit is passed in through the token. We could alternately have overridden pySAMLWebSSOAuthenticationActivity with our own name and then called a custom version of pyEstablishOperatorContext to avoid overriding the Final rule.