Yes. However the "bearer" style is not so inviable, while we can not look at it with the same security guarantee as "holder-of-key". And it is the easiest way to implemented.

"Guarantee" is the operative word here. There are likely to be organizational (if not legal) obligations to be protected from simple conspiracy attacks.

Thus we arrive at two scenarios: ACs-via-SSL-authn and SAML-via-SOAP-authn. Confidentiality and integrity provided in both cases by SSL/TLS, of course.

I think if "SAML-via-SOAP-authn" is compliant to WS-Security SAML profile, then SSL/TLS (between the client and the service to which this client sends SOAP message with protection from SAML Token) can be optional since "SAML-via-SOAP-authn" has already provided independent message-level authentication.

Yes, the peer identity obtained from the SSL handshake is [intended to be] disregarded in favor of the (perhaps multiple) identities and attributes authenticated at the SOAP level. But there seems to be strong political pressure to use transport-level (as opposed to message-level) encryption in the majority of grid usage scenarios, almost to the point where it's easier to say "we should always use it". We could consider down-grading to "client-anonymous" TLS/SSL for this "SAML-via-SOAP-authn" compliance target.

-Duane