What we're building at Warrant (https://warrant.dev/) might work for a lot of what you mentioned, including APIs to build and manage multi-tenancy, groups, users, and orgs/tenants.
Note - Warrant is an authz engine, so it doesn't handle authn/identity/SSO but can plug in with any authn system.