Hi Julien,
With the SODataOfflineStore and SODataOnlineStores, the user identity is not implicitly utilized for data creation when calling the <SODataStoreAsync> methods--user identity is only required for establishing a valid network session. So, this means that in the OfflineStore case, the user is allowed to read/write from the local database by making OData requests, if the database can be unlocked.
The lock/unlock passcode is considered to be known by the user who was authenticated at the time of registration with the SMP server. But there is no network verification component of that lock/unlock passcode--it is local encryption. The SAML2 authentication is only required in order to establish a network session in order to enable HTTP requests, or to sync the database using the Mobilink protocol.
Creation & Deletion of entities can be one against the local database using the OData requests, even when the device has no network access. The local changes can later be synced to the back-end, using the flush: and refresh: methods with the underlying Mobilink protocol on the SODataOfflineStore.