Question

We want to provide organisations the ability to integrate their internal Active Directory (AD) with our external cloud product.

Our client has a federation server using ADFS; we understand that for us to work with more than one client on this level, we need to have our own ADFS service. Does this mean we could use SCIM as a replacement?


Solution 2

Chose to go with SimpleSAMLphp - we will accept the provisioning via the API Claims process. We already have group policies in place which makes the task easier.

OTHER TIPS

You don't need an ADFS server on your side. Although you could use it, it has a few disadvantages: relatively complex deployment, complex automation, limited protocols support, etc. You will likely spend quite a bit of time tweaking it into doing what you need. Of course this is my own experience with it.

Conceptually, you are right. You need an intermediary (typically called a "Federation Provider") that brokers authentication transactions between your app and any system that knows about users, like your customer's ADFS.

You might want to check an alternative that is lighter weight, cloud ready, and easier to extend. Fortunately you have many options:

1- You can use IdentityServer, an open source product that you could deploy next to your service. It's an open source product that you can extend and customize as you see fit; and gives you tons of flexibility. Since it is OSS you can "own" the stack and do whatever you want.

2- You can use Azure AD which is a hosted Federation Provider by Microsoft. It'll work with ADFS and other common providers; but has some limitations. (For example: it won't allow you to easily keep your own user database, it will not normalize user profiles, among some common things you are likely to need).

3- You can use Auth0 which is optimized for scenarios like yours. (Full disclosure: this is the product I work on).

In any case, you can read more about the architecture of scenarios like this here.
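Both answers describe the same broker role: a multi-tenant service accepts signed assertions from each customer's own identity provider (ADFS or otherwise), checks them against what it registered for that tenant, normalizes the claims into one profile shape, and maps the customer's group claims onto application roles (the "API claims" and "group policies" of Solution 2, the "Federation Provider" of the tip above). The following is an added example, not code from the question, the answers, SimpleSAMLphp, IdentityServer, Azure AD or Auth0. All tenant URLs, keys and claims are constructed, and an HMAC over a JSON payload stands in for the XML signature a real SAML assertion would carry; the validation steps (known issuer, signature with that issuer's key, audience, validity window, claim normalization, group-to-role mapping) are the ones such a broker performs.

```python
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field
from typing import Optional

# --- Tenant registry (constructed sample data) -------------------------------
# Each customer's IdP is registered with its issuer identifier, its signing key
# and a mapping from the customer's group names to roles in our application.
# In a real SAML/WS-Federation deployment the key is the IdP's signing
# certificate; an HMAC secret stands in for it in this example.
@dataclass(frozen=True)
class TenantIdp:
    issuer: str
    key: bytes
    group_to_role: dict = field(default_factory=dict)

TENANTS = {
    "https://adfs.customer-a.test/adfs/services/trust": TenantIdp(
        issuer="https://adfs.customer-a.test/adfs/services/trust",
        key=b"customer-a-constructed-secret",
        group_to_role={"CloudApp-Admins": "admin", "CloudApp-Users": "user"},
    ),
    "https://idp.customer-b.test": TenantIdp(
        issuer="https://idp.customer-b.test",
        key=b"customer-b-constructed-secret",
        group_to_role={"app_readers": "user"},
    ),
}

OUR_AUDIENCE = "https://app.cloud-product.test/acs"  # constructed relying-party id
MAX_CLOCK_SKEW = 60  # seconds of tolerance on nbf/exp

# ADFS emits claim URIs, other providers emit short names; the broker maps every
# known spelling onto one internal profile, which is the "normalize user
# profiles" job mentioned in the tip above.
CLAIM_ALIASES = {
    "email": ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "email", "mail"),
    "name": ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "name", "displayName"),
    "groups": ("http://schemas.xmlsoap.org/claims/Group", "groups", "memberOf"),
}

class InvalidAssertion(Exception):
    """Raised for any assertion the broker refuses; the message says why."""

def _sign(payload: bytes, key: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def issue_assertion(issuer: str, claims: dict, key: bytes, now: Optional[float] = None) -> str:
    """Build a signed assertion the way a customer's IdP would (constructed
    format: base64url(JSON payload) '.' hex HMAC-SHA256 over the payload)."""
    now = time.time() if now is None else now
    body = {"iss": issuer, "aud": OUR_AUDIENCE, "nbf": now, "exp": now + 300, **claims}
    payload = json.dumps(body, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload, key)

def broker_login(token: str, now: Optional[float] = None) -> dict:
    """Validate an inbound assertion from a registered tenant IdP and return a
    normalized profile: tenant, email, name and application roles."""
    now = time.time() if now is None else now
    try:
        encoded, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(encoded.encode())
        body = json.loads(payload)
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise InvalidAssertion("malformed token") from exc
    if not isinstance(body, dict):
        raise InvalidAssertion("malformed token")

    # 1. Only issuers registered for a tenant are accepted; the issuer also
    #    selects which key may verify the signature.
    tenant = TENANTS.get(body.get("iss"))
    if tenant is None:
        raise InvalidAssertion("unknown issuer")

    # 2. Signature check with that tenant's key, using a constant-time compare.
    if not hmac.compare_digest(_sign(payload, tenant.key), sig):
        raise InvalidAssertion("bad signature")

    # 3. Audience binds the assertion to our service so a token issued for
    #    another relying party is not accepted here.
    if body.get("aud") != OUR_AUDIENCE:
        raise InvalidAssertion("wrong audience")

    # 4. Validity window with a small clock-skew allowance.
    try:
        nbf, exp = float(body["nbf"]), float(body["exp"])
    except (KeyError, TypeError, ValueError) as exc:
        raise InvalidAssertion("missing validity window") from exc
    if now < nbf - MAX_CLOCK_SKEW or now > exp + MAX_CLOCK_SKEW:
        raise InvalidAssertion("assertion not currently valid")

    # 5. Normalize claims whichever spelling this IdP used.
    profile = {}
    for canonical, aliases in CLAIM_ALIASES.items():
        for alias in aliases:
            if alias in body:
                profile[canonical] = body[alias]
                break
    if "email" not in profile:
        raise InvalidAssertion("no email claim")

    # 6. Map the customer's groups onto our roles; unmapped groups are dropped
    #    rather than trusted, so each tenant only reaches roles we assigned it.
    groups = profile.get("groups", [])
    if isinstance(groups, str):
        groups = [groups]
    roles = sorted({tenant.group_to_role[g] for g in groups if g in tenant.group_to_role})
    return {"tenant": tenant.issuer, "email": profile["email"],
            "name": profile.get("name", profile["email"]), "roles": roles}

if __name__ == "__main__":
    t = TENANTS["https://adfs.customer-a.test/adfs/services/trust"]
    tok = issue_assertion(t.issuer, {
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "alice@customer-a.test",
        "http://schemas.xmlsoap.org/claims/Group": ["CloudApp-Admins", "Domain Users"]}, t.key)
    print(broker_login(tok))
```

The broker keeps one registry entry per tenant, so adding a customer means registering their issuer, key and group mapping rather than standing up another ADFS instance; the key lookup is driven by the issuer in the assertion, which is why the issuer check comes before the signature check and why a signature made with another tenant's key is rejected even when the issuer field is spoofed.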

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow