SAML SSO enforcement breaks Terraform OAuth client creation

Could someone explain how to maintain API access after enforcing SAML SSO via Terraform?

1. Apply genesyscloud_saml_settings with auth_mode set to sso.
2. Run terraform apply to create a new genesyscloud_oauth_client.
3. Receive 401 Unauthorized because the service account login is disabled by the global SAML policy.

How do I configure the SAML settings to allow specific OAuth clients to bypass SSO or use a different auth method?