Re: How to read user name - SAML2

Hi Jiri,
Even with SAML2, you have to have a user in the system that matches the credentials provided by the SAML2 IdP; you just do not need to provide the username and password to the end user. So when you access a gateway system with authentication set to SAML2 via a SAPUI5 application, some user needs to be known to the gateway system.


You can customize what information is provided by the IdP to determine the SAP user; this can be the email address of the user (which then would be the identifier contained in the SAML assertion). If you have a one-to-one relationship between the user on the IdP and the SAP user, you might be able to just revert this mapping via the info in the SAML2 mapping tables. In other cases, I do not know of any reliable method to determine the SAML assertion which led to the creation of a session.


The gateway system can forward the info on the current user either in payload or via identity propagation (preferred based on your use case) to the backend system.

If you want to restrict access to data per user, I would recommend using authorizations. In this case the recommendation would be to provision the users to the backend system as well and use identity propagation. Please keep in mind that the users will not necessarily be able to access the backend system, as long as you permit them to log in only via SSO and control the access via the SSO mechanisms.


The reason for using SAML2 is to achieve SSO between systems, and it also allows the creation of users on demand, so you do not have to provision the users first; the user will be created when he authenticates via SAML2. For more information on SAML2, please see the SAML2 overview in the docs.
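The identifier-to-user mapping described above, as an added example that is not part of the original post: it pulls the Subject/NameID (here an email address) out of a constructed assertion, resolves the SAP user through a hypothetical mapping table keyed by issuer, NameID format and value, and shows why the reverse lookup (SAP user back to IdP identifier) is only reliable when the mapping is one-to-one. Signature and Conditions validation is assumed to have happened before this code runs.

```python
# Added example (not from the SCN post or SAP): map a SAML 2.0 assertion subject
# to a local user and check whether the reverse mapping is unambiguous.
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample assertion; Signature and Conditions omitted. Only use the
# NameID after the assertion's signature and validity window have been verified.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jiri@example.com</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

# Constructed (hypothetical) mapping table, in the spirit of the SAML2 mapping
# tables mentioned above: (issuer, NameID format, NameID value) -> SAP user.
# JIRI deliberately has two IdP identifiers to show a non-one-to-one case.
MAPPING_TABLE: Dict[Tuple[str, str, str], str] = {
    ("https://idp.example.com/metadata", EMAIL_FORMAT, "jiri@example.com"): "JIRI",
    ("https://idp.example.com/metadata", EMAIL_FORMAT, "jiri.old@example.com"): "JIRI",
    ("https://idp.example.com/metadata", EMAIL_FORMAT, "anna@example.com"): "ANNA",
}

def extract_subject(assertion_xml: str) -> Tuple[str, str, str]:
    """Return (issuer, NameID format, NameID value) from an assertion."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    if issuer is None or name_id is None or not name_id.text:
        raise ValueError("assertion has no Issuer or Subject/NameID")
    # A missing Format attribute means 'unspecified' per the SAML core spec.
    return issuer.strip(), name_id.get("Format", UNSPECIFIED_FORMAT), name_id.text.strip()

def resolve_sap_user(assertion_xml: str, table=MAPPING_TABLE) -> str:
    """Forward mapping: assertion subject -> SAP user; issuer is part of the key."""
    key = extract_subject(assertion_xml)
    if key not in table:
        raise LookupError("no SAP user mapped for %r" % (key,))
    return table[key]

def reverse_lookup(sap_user: str, table=MAPPING_TABLE) -> Optional[str]:
    """Reverse mapping: SAP user -> IdP identifier, only when it is one-to-one."""
    candidates = [key[2] for key, user in table.items() if user == sap_user]
    return candidates[0] if len(candidates) == 1 else None
```

Keying the table on the issuer as well as the NameID prevents two IdPs that both issue the same email-style identifier from colliding onto one SAP user.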
