Ask HN: How to handle user management for a SaaS without SAML support?

  • The official terminology for this is "provisioning" and "deprovisioning" or overall "lifecycle management" and is a pain for lots of companies in lots of different contexts.

    For example, when I left [then startup, now publicly traded] in Nov 2013, it took them 15+ months until they turned off my GitHub access. In the meantime, I had access to all the private repositories. (Yes, I notified them multiple times.)

    SAML is pretty widely supported but yes, it's a pain. SCIM[0] is a less painful approach for the provisioning side and maps to the API mindset better. Unfortunately, it hasn't seen mass adoption so far, but I think we'll get there as more people understand it and/or realize that companies will pay for it. But you'll still need SAML or OIDC for the SSO piece.

    I do think there's a business need for this which is why I joined Okta in 2016, which does exactly this. I'll refrain from a sales pitch but you can explore it on your own[1].

    0 - https://en.wikipedia.org/wiki/System_for_Cross-domain_Identi...

    1 - https://developer.okta.com/signup/

    edit: clarified SAML vs SCIM

  • I think you're trying to solve two problems:

    1. Single Sign-On (SSO) - Log in once for access to many services. SaaS with SAML and OpenID Connect support are ideal in this space, but services without support can be used with a browser plugin.

    2. User/Lifecycle Mgmt - CRUD operations for users. SCIM support is ideal in this space, but many companies offer services beyond simple CRUD using bespoke APIs. Without support for either, it's very difficult to integrate a service. The bespoke APIs mean that you'll see varying depths of integration across services. For example, one service may allow you to control whether a user is in a group in Dropbox, while another won't.

    There are several companies in this space (known as IDaaS), so I'll leave the Googling to you. Of those, some do User Mgmt. I'm not aware of any companies that do User Mgmt without SSO.

  • In a past life as a solutions engineer at a SaaS company, I'll address a couple points specific to a unified solution.

    Problem 1: Not every SaaS platform has a company with an API to manage user accounts. Even then, I would be skeptical of a company that offered it and didn't offer it via OAuth tokens.

    Problem 2: Automating the task within the browser also fails when it comes to uniformity. Any company that lacks an API endpoint for user management means you need to interact with a browser or some other hacky nonsense. With that solution comes the problem of understanding the site structure, login forms, and action menus.

    Problem 3: Even if you did the above 2, you now have additional points of failure within your offboarding. If a failure occurs in the automation process, is it silent? What if the API changes (not that it should) or the UI?

    The best solution is to look for companies that offer the API option or that support SAML.

  • From experience: after the company grew to more than 200-300 people and user management/termination became a big burden, we hired a person who would write tools to automate user management, and if something wasn't supporting SAML we managed users via its API. If an API was not available, then we reverted to a "Termination checklist", aka manual work.

    Clarification: it wasn't that person's only responsibility, just one of many assignments to help automate Ops in the company.

  • This is a common problem with more and more companies relying on SAML federation. A part of this problem is solved by using SCIM, provided your IdP and service support it. Ironically, even though SCIM is a protocol, the implementations vary across different IdPs.

    A second common issue is the ability to change email addresses in AD; this breaks the mapping because most of the time email is the primary identifier.
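Added example, not from any commenter and not Okta's, BetterCloud's or any vendor's code: a small Python reconciliation job of the kind the "hired a person to write tools" comment and the lifecycle-management comment describe. It assumes the SaaS exposes a SCIM 2.0 `/Users` listing and a PATCH endpoint; the list response, the HR roster and the `send` callable are constructed samples. It matches accounts by the stable `externalId` rather than by email (the AD email-change problem raised just above), reports accounts it cannot map instead of guessing, and raises on any failed deactivation so a partial failure is never silent (the "Problem 3" concern earlier in the thread).

```python
"""Reconcile an HR roster against a SaaS app's SCIM user list and build
deactivation requests for accounts whose owner has left.

Added example. Every payload below is a constructed sample in SCIM 2.0
shape (RFC 7643/7644), not data from any real tenant.
"""
import json

# Constructed sample of what GET /scim/v2/Users returns (a ListResponse).
SCIM_LIST_RESPONSE = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 3,
    "Resources": [
        {"id": "u-100", "externalId": "emp-0001",
         "userName": "alice@example.com", "active": True},
        {"id": "u-101", "externalId": "emp-0002",
         "userName": "bob@example.com", "active": True},
        # No externalId, and the email no longer matches HR after a rename.
        {"id": "u-102", "userName": "carol.new@example.com", "active": True},
    ],
})

# Constructed sample HR roster: stable employee id -> email and status.
HR_ROSTER = {
    "emp-0001": {"email": "alice@example.com", "employed": True},
    "emp-0002": {"email": "bob@example.com", "employed": False},   # left
    "emp-0003": {"email": "carol@example.com", "employed": True},  # renamed
}


def parse_scim_users(body):
    """Parse a SCIM ListResponse body; fail loudly on an unexpected shape."""
    data = json.loads(body)
    if "Resources" not in data:
        raise ValueError("not a SCIM ListResponse: no Resources array")
    return data["Resources"]


def reconcile(scim_users, roster):
    """Return (orphans, unmatched).

    orphans:   SaaS user ids that are still active although HR says the
               employee has left.
    unmatched: SaaS user ids that could not be mapped to a roster entry.
               These are reported, never silently skipped.
    Matching prefers the stable externalId; the email fallback is the
    fragile path that an address rename breaks.
    """
    by_email = {v["email"].lower(): k for k, v in roster.items()}
    orphans, unmatched = [], []
    for user in scim_users:
        emp_id = user.get("externalId")
        if emp_id is None:
            emp_id = by_email.get(user.get("userName", "").lower())
        if emp_id is None or emp_id not in roster:
            unmatched.append(user["id"])
            continue
        if user.get("active", True) and not roster[emp_id]["employed"]:
            orphans.append(user["id"])
    return orphans, unmatched


def deactivate_patch():
    """SCIM 2.0 PatchOp body that sets active=false (RFC 7644 section 3.5.2)."""
    return {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }


def apply_deactivations(orphans, send):
    """PATCH every orphan via send(user_id, body) -> HTTP status.

    Every failure (exception or non-200) is collected and the function
    raises at the end, so an offboarding run can never look green while
    some account was left active. Returns the number deactivated.
    """
    failed = {}
    for uid in orphans:
        try:
            status = send(uid, deactivate_patch())
        except Exception as exc:  # network error, auth error, etc.
            failed[uid] = repr(exc)
            continue
        if status != 200:
            failed[uid] = f"HTTP {status}"
    if failed:
        raise RuntimeError(f"deactivation failed for: {failed}")
    return len(orphans)


if __name__ == "__main__":
    users = parse_scim_users(SCIM_LIST_RESPONSE)
    orphans, unmatched = reconcile(users, HR_ROSTER)
    print("orphans:", orphans, "unmatched:", unmatched)
    # Stand-in for a real HTTP PATCH /scim/v2/Users/{id} call.
    print("deactivated:", apply_deactivations(orphans, lambda uid, body: 200))
```

In a real job `send` would wrap an authenticated HTTP PATCH to `/scim/v2/Users/{id}`; the point of the structure is that the unmatched list and the raised error are what a human reviews, rather than a log line nobody reads.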

  • The only way I could see you doing this is by automatically scanning an employee's email archive and producing a list of services.

    I do not see how introducing yet another standard solves the problem. SAML and similar standards already solve this problem; just many SaaS do not support SAML.

  • It sounds like something like Okta is what you're looking for to help with provisioning, authentication and deprovisioning.

  • BetterCloud does something like this.