If you want to automate this process with the ArcGIS API for Python, then you might start by programmatically creating the enterprise accounts. If you have their firstname, lastname, and idpusername, then you can use gis.users.create, along the lines of:
user = gis.users.create(
username = 'pat_org', # The user's username according to your idp, combined with the shortname for your ArcGIS Online organization.
password = 'None',
firstname = 'Pat',
lastname = 'Smith',
email = 'pat@somecollege.edu',
role = 'org_publisher',
provider = 'enterprise',
idp_username = 'pat', # The user's username according to your idp.
level = '2',
user_type = 'GISProfessionalAdvUT'
)
If you're using New Member Defaults, then you should double-check that the account you created above is provisioned with settings you are expecting. For various versions of the ArcGIS API for Python, gis.users.create has failed to honor some of the New Member Default settings. In which case you could add some more to your script to programmatically deal with what got missed (e.g., allocate credits, enable Esri Access, assign licenses.)
Also, you can only chose from the default roles when specifying the role for gis.users.create. If you use a custom role for your users, then you could add a next step that changes the user's role to that custom role.
After you have created the new account, then you can also script changing the ownership of all of the user's items and groups from their old arcgis account to their new SAML/enterprise account.
If you have a lot of users with a lot of content/groups to move, then you probably want to schedule some downtime for your system and inform the impacted users well in advance. During that downtime, while you are running your script to create the accounts and change ownership, you might want to temporarily disable the ability of those users to login, and then re-enable it when you are all done; you don't want them accidentally changing things in the middle of the process.
