Dang. So an IdP + SCIM? From an IAM team perspective I rather dislike having IdPs be the source of truth for authz, because you're embedding a lot of application-specific logic in a second location. It can't be worse than Shibboleth. I think there's a niche out there for a better IDM, but it's a very unsexy space.