Explain the difference between OAuth2 and SAML. What are the common implementation flaws you look for in both?