Hacker News

cyberax, last Monday at 10:09 PM

> Removing the user from your application immediately and not when their session eventually expires.

This is orthogonal to OIDC, unless you're using it to transfer groups in the token (don't).

> Querying that data at will to produce reports.

How the heck is this OIDC/SAML functionality?

> Removing the user from your application immediately and not when their session eventually expires.

OIDC allows the same workflow. The app just needs to be able to validate the session from the `sid` claim.

> And then you only need an opaque userid from me and not a fat OIDC token that knows everything about my internal structure.

OIDC tokens are opaque.
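
One way an application can act on the `sid` claim mentioned in the comment above, assuming the IdP supports OpenID Connect Back-Channel Logout. This is an added example, not part of the thread; the issuer, client id, HS256 demo key, `sign` helper and `SessionStore` class are all constructed for illustration:

```python
import base64, hashlib, hmac, json, time

EVENT = "http://schemas.openid.net/event/backchannel-logout"
# Constructed demo values; production IdPs usually sign with an asymmetric key.
ISSUER, CLIENT_ID, KEY = "https://idp.example", "my-app", b"constructed-demo-secret"

def b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign(claims):  # stand-in for the IdP, demo only
    head, body = (b64e(json.dumps(p).encode()) for p in ({"alg": "HS256"}, claims))
    mac = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(mac)}"

class SessionStore:
    def __init__(self):
        self.by_sid, self.seen_jti = {}, set()  # IdP sid -> local session ids

    def login(self, local_id, sid):  # sid comes from the validated ID token
        self.by_sid.setdefault(sid, set()).add(local_id)

    def is_active(self, local_id):
        return any(local_id in ids for ids in self.by_sid.values())

    def backchannel_logout(self, token, now=None, max_age=300):
        """Return the revoked local session ids, or None if the token is rejected."""
        now = time.time() if now is None else now
        try:
            head, body, sig = token.split(".")
            header, claims, mac = json.loads(b64d(head)), json.loads(b64d(body)), b64d(sig)
            alg, aud, iat, jti = header.get("alg"), claims.get("aud"), claims.get("iat"), claims.get("jti")
        except (ValueError, AttributeError):  # malformed JWT or non-object JSON
            return None
        good = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
        ok = (alg == "HS256"  # pin the algorithm from config, not from the token
              and hmac.compare_digest(mac, good)
              and claims.get("iss") == ISSUER
              and CLIENT_ID in (aud if isinstance(aud, list) else [aud])
              and isinstance(claims.get("events"), dict) and EVENT in claims["events"]
              and "nonce" not in claims  # distinguishes a logout token from an ID token
              and isinstance(iat, (int, float)) and abs(now - iat) <= max_age
              and isinstance(jti, str) and jti not in self.seen_jti  # replay guard
              and isinstance(claims.get("sid"), str))
        if not ok:
            return None
        self.seen_jti.add(jti)
        return self.by_sid.pop(claims["sid"], set())
```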