You certainly can use SAML 2.0. The only thing to bear in mind is that you may still want to write a cookie - as you are doing. The examples I have aren't using quite the same code, but we've done SAML in several cases... personally speaking, I found this component easier than the WsFederation stuff (although I have got both working):

http://www.componentspace.com/Products/SAMLv20.aspx

I'm not endorsing it, but just saying that there are easy ways to get where you want to go!

<p>There is also this:&nbsp;<a href="https://github.com/KentorIT/authservices">https://github.com/KentorIT/authservices</a></p> <p>I only looked into it briefly but it looks alright and can't see why it shouldn't work inside an Epi app.</p> <p>An alternative is to use another IDP infront of your application that understands SAML and then have that by WS-Fed connection to Epi.</p>

Probably best shot is like the above answers with Dan, use a separate component that helps you authenticate vs SAML idp. 
Azure ACS will hopefullly have support for this in the future but not yet. Using a separate intermediary IDP feels like one too many so I would go with Dans suggestion above too. It's possible to write that code yourself but SSO and SAML gets tricky pretty fast and not very easy to debug so a tested third party component will save some money and curses. If it's likely in the future to add more IDPs then it gets more interesting to have an intermediary IDP that handles that part.

We have used http://www.e-identitet.se/ for some similar solutions before. 

Don't forget single sign out :)

It's probably worth saying that since I wrote my original reply, Episerver has improved their support and documentation for WS-Federation. If you are going directly to a SAML 2 IDP then maybe you still want to go with the direct approach I originally suggested, but if you can go via WS-Federation it's very clean and it does abstract the implementation... allowing integration to multiple IDP's, for example. You can read more about Episerver's WS-Federation integration here:

http://world.episerver.com/documentation/Items/Developers-Guide/Episerver-CMS/9/Security/federated-security/

I also gave a talk on this at Episerver Ascend at the end of last year, and the lab is available below. As far as I'm aware the Azure ACS server I set up is still active :)

https://t.co/LOI6X7PURC (PDF)

https://t.co/TGpGVJfVSY (ZIP)

There's no right or wrong with this, the clean approach will be the one that suits your needs best!

To update the issue. The idp demanded Saml at first, and we looked at KentorIt but ended up using another service.

One problem the idp hoster stated is that saml logout requests are NOT to be trusted. Only way to be sure is to have the logout functionality redirect to local idp site and have the manually logout there.

Also at Dan, as I wrote we have done ws-federation authentication before and have not had any problems.

But to make it more intresting we have switched to OpenId AND made the actual login form hosted in our enviroment with support for multiple idp providers dependent on which site you are currently at.

Was quite tricky to get to work.

Single Sign On is not Simple Sign On...looks easy to set up. Rarely is...

I found this thread while investigating and this whole area is such a jungle.

About ACS I found this where ACS features will move into Azure AD: https://blogs.technet.microsoft.com/ad/2015/02/12/the-future-of-azure-acs-is-azure-active-directory/
Trying to follow that one up didn't lead me anywhere and when trying ACS the web UI for it seem a bit outdated so I guess it hasn't come along yet.

Also as everywhere XML is "sunset"... JWT (Json Web Token) should be more future proof than SAML.

For now Auth0 gives us all the coverage needed including role handling. Very little code and just one auth connection in the Epi site makes me happy.

EDIT: Then again reading on JWT and SAML are not fully comparable... Bah.