Not really relevant for the specific topic, but to be more precise, SSO is only the sign on part. Usually the provisioning/de-provisioning is handled by SCIM, which is related but distinct. You have some SaaS products that offer SSO but not SCIM, for example.
Sorry, I should have been more clear. When I typed SaaS products I meant more about a non-IDP product. They might support SSO but not SCIM-based account provisioning, especially if it's in-house auth (not using something like Auth0). I worked on a product that supported SSO but not SCIM for a long time and not all SCIM features were supported.
