In a perfect world, all of your applications would run on one OS, built by one vendor and speak to each other seamlessly. Every user of every application would have the correct level of access and sign on easily with a single set of secure credentials. Of course, this perfect world doesn't exist and will never exist.
So, for identity management in a complex world of multiple OSes, vendors and programming languages, you need to go with the hub-and-spoke model of a metadirectory. The metadirectory inventories all of the various identity stores, detects changes and, based on your rules, provisions new accounts, updates attributes and changes roles and permissions. With a well-designed metadirectory and capable connectors, you can have multiple "sources of truth" and manage identities in any system or application.
It's those connectors that can get tricky. Cloud applications all use their own proprietary APIs (hey SaaS vendors, think about SCIM), LDAP isn't even always LDAP, and then you get into craziness like BAPI for SAP. You probably have legacy applications on AS/400, mainframes, Windows, and various versions of *NIX. There just isn't a one-size-fits-all perfect-world connector.
Because of this, EmpowerID employs a connector framework that allows connectors to be built more easily for the systems we don't cover out of the box. The most common connectors (Active Directory, Google Apps, SalesForce, UltiPro, etc.) are available off the shelf. For the rest, the connector framework allows us to match our IAM workflow actions to APIs, web services, AIF or XML. The framework makes it incredibly flexible.
EmpowerID can also communicate with all of the legacy platforms, such as AS/400, mainframes and the various flavors of UNIX and Linux. We partner with Identity Forge to present all of these systems to EmpowerID in a consistent format for our connectors to communicate with. This lessens the deployment time and effort needed to get to that perfect world of communicating identity information to all platforms.
A well-designed metadirectory does a lot to bring you to that perfect world. If it is the basis of an integrated IAM platform like EmpowerID, you can easily Create/Update/Delete user accounts in any application on any platform. Well-thought-out connectors allow you to project roles into those applications. Proper application of SSO (whether it be federated or Web Access Management) and two-factor authentication gets your users authenticated to the applications from any device.
None of us has the luxury of a perfect world with an entire IT infrastructure built on greenfield. What you can have is an IAM platform that communicates like it's the perfect world.
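To make the metadirectory's job concrete (detect changes against a source of truth, then create, update or disable accounts and project department roles into a target application), here is an added illustration in Python. It is not EmpowerID code; the HR feed, application store, field names and role rules are all constructed for the example, and the function only produces a provisioning plan rather than applying it.

```python
# Constructed sample data: an authoritative HR feed and one target application's
# user store, both keyed by a stable employee id (hypothetical fields).
HR_FEED = {
    "e100": {"name": "Ada", "dept": "finance", "active": True},
    "e101": {"name": "Bob", "dept": "eng", "active": True},
    "e102": {"name": "Cy", "dept": "eng", "active": False},   # left the company
}
APP_STORE = {
    "e100": {"name": "Ada", "dept": "sales", "roles": {"sales-ro"}},  # moved departments
    "e102": {"name": "Cy", "dept": "eng", "roles": {"eng-rw"}},       # still enabled
    "e103": {"name": "Dan", "dept": "eng", "roles": {"eng-rw"}},      # no HR record at all
}
# Provisioning rules: department -> roles projected into the application.
ROLE_RULES = {"finance": {"fin-rw"}, "eng": {"eng-rw"}, "sales": {"sales-ro"}}


def reconcile(source, target, rules):
    """Diff the source of truth against a target store and return a plan of
    (action, id, payload) tuples. Nothing is applied here; a connector would."""
    plan = []
    for uid, rec in source.items():
        current = target.get(uid)
        if not rec["active"]:
            # Leavers keep no entitlements; disable rather than delete so audit history survives.
            if current is not None:
                plan.append(("disable", uid, {"roles": set()}))
            continue
        wanted_roles = rules.get(rec["dept"], set())
        if current is None:
            plan.append(("create", uid, {"name": rec["name"], "dept": rec["dept"],
                                         "roles": wanted_roles}))
            continue
        # Change detection: only attributes that drifted from the source of truth.
        changes = {k: rec[k] for k in ("name", "dept") if current.get(k) != rec[k]}
        if current.get("roles", set()) != wanted_roles:
            changes["roles"] = wanted_roles   # old department roles are revoked, not accumulated
        if changes:
            plan.append(("update", uid, changes))
    # Accounts with no authoritative owner are orphans: surface them, never silently keep them.
    for uid, current in target.items():
        if uid not in source:
            plan.append(("orphan", uid, {"roles": current.get("roles", set())}))
    return plan


if __name__ == "__main__":
    for action, uid, payload in reconcile(HR_FEED, APP_STORE, ROLE_RULES):
        print(action, uid, payload)
```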