No form of HTTP authentication can be implemented without code living in or behind the web server hosting the protected resource, except in the case noted above: reverse proxies or concentrators that act as front-ends. The latter approach is usually used only to offload SSL processing and still requires authentication code running on each back-end server, but not always. Reverse proxies, on the other hand, tend to actually isolate the authentication solution to a single front-end, but at a cost in usability and manageability.

If you can't deploy an SP on the relevant web servers, then you will have to deploy something else in its place. You can combine that something else with SAML by connecting that solution with an SP and constructing a gateway to/from the additional authentication protocol. You are responsible for gluing that together and making it work. The software will neither help nor hinder you.