Requestable roles vs entitlements

1:1 role-to-entitlement mapping is definitely too much overhead. For the SSO group assignment challenge, an approach was shared in this thread that I think sounds very similar to your use case, SSO entitlement nested in a role with assignment criteria based on the entitlements from the app: