Hi,
This is an important subject. I won't be able to participate, but I would like to share a bit of my experience.
Scaling up SSO is not really supported for enterprise, as synchronization is not available.
1. CRITICAL: when a user is disabled in the IDP, it should be disabled immediately in Gerrit, and all user activity should be rejected (including the git channel).
2. REQUIRED: group synchronization between IDP and Gerrit.
In the past I could implement (2) using LDAP integration and also hack (1) by returning no groups; however, IDPs no longer provide an LDAP interface.
Synchronization of data during login is too late and not truly supported by any protocol, and mainly does not handle the user-disable requirement, which must be applied immediately.
The SAML plugin is good for the SSO authentication phase; it should be compatible with most implementations out there.
The missing bit is a SCIM[1] implementation to allow creating and syncing users and groups.
Regards,
Alon