Okta Classic Engine | Administration | Answered | 2023-06-16T15:09:56.000Z | 2020-05-13T15:03:06.000Z | 2020-05-19T17:03:35.000Z

GregH.00578 (Customer) asked a question.

Salesforce Roles and Profiles

Any tips on how to best manage Salesforce Roles & Profiles?

We use AD to master users & I thought I could use AD Groups to assign Salesforce Roles and Profiles. My Salesforce admin team tells me that there is no direct correlation between these 2, so an org with 10 roles and 10 profiles would theoretically require 100 AD groups to ensure all combinations could be assigned.

And that's just a single Salesforce Org, of which we have dozens.

Anybody else encounter this? This is not manageable.


  • User15851122134349081871 (North Central-Enterprise)

    Perhaps some other users can share their experiences, but: can you simplify things depending on what your policies need to be? Maybe your corporate rules for how authentication is handled depend only on what part of the org you're in, which might mean that you only need to map to Roles. Or maybe your rules need only depend on what kind of Salesforce access you have, which implies you could just use Profiles. Even if it's not exactly this simple it's unlikely that the maximum product of combinations will be needed.

  • GregH.00578 (Customer)

    Thanks. I have no experience with Salesforce, but from what I have read about roles & profiles, I think we need to start with a review of the access policies.

  • GregH.00578 (Customer)

    One follow-up - how can I use just Profiles? When I do a group assignment it asks for both.

  • Jonathan Winn (Tarmac)

    We have had a similar issue where the number of profiles was low (System Admin, plus a few others) but there were many, many different roles due to the configuration needed in Salesforce. Okta always updated the profile and role at the same time, but we had not been aware that our Salesforce admins were manually setting the role on the user. When a full import was performed in Okta, every user in Salesforce was reset back to the Okta-set role, causing major issues.

     

    We are looking to perform a development in Salesforce where Salesforce will automatically revert the Role if changed via Okta. Okta will only ever send through a generic role and the code apparently will look back to see what was there before and determine if it needs to revert. This needs testing as I am concerned that it could cause some provisioning issues if the API checks the data after updating it.

     

    One other option I am going to investigate is Okta's new Workflow solution, as this potentially will allow a more granular approach for Salesforce provisioning. I have only looked briefly at this but this may be an option. It may be of benefit to you if groups and other AD data can be used to determine how to provision the Salesforce user. I am not an expert in Workflows but there is a walkthrough that shows that it may be possible.

    https://learn.workflows.okta.com/tutorials/template-walkthrough/

This question is closed.
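
The 100-group figure in the question comes from encoding every role/profile pair as its own AD group. As an added example (not from the thread, and not Okta or Salesforce code), the sketch below derives the pair from two independent group families, 10 + 10 groups per org, and fails closed when membership is ambiguous or incomplete. The `SF-<org>-ROLE-<name>` / `SF-<org>-PROFILE-<name>` naming convention, the function names and the sample groups are assumptions; org names are assumed to contain no hyphen.

```python
from dataclasses import dataclass

ROLE, PROFILE = "ROLE", "PROFILE"  # assumed group-name tags (hypothetical convention)

@dataclass(frozen=True)
class Assignment:
    org: str
    role: str
    profile: str

class AssignmentError(ValueError):
    """Raised when a user's groups do not yield exactly one role and one profile."""

def parse_group(name):
    """Return (org, kind, value) for 'SF-<org>-<ROLE|PROFILE>-<value>', else None."""
    parts = name.split("-", 3)  # the value itself may contain hyphens
    if len(parts) != 4 or parts[0] != "SF" or parts[2] not in (ROLE, PROFILE):
        return None
    if not parts[1] or not parts[3]:
        return None
    return parts[1], parts[2], parts[3]

def resolve(groups):
    """Map a user's AD groups to one Assignment per Salesforce org.

    Fails closed: two role groups, two profile groups, or a role without a
    profile (or the reverse) raises instead of silently picking one.
    """
    seen = {}  # org -> {ROLE: set of names, PROFILE: set of names}
    for group in groups:
        parsed = parse_group(group)
        if parsed is None:
            continue  # unrelated group, e.g. "Domain Users"
        org, kind, value = parsed
        seen.setdefault(org, {ROLE: set(), PROFILE: set()})[kind].add(value)
    result = {}
    for org, kinds in seen.items():
        for kind in (ROLE, PROFILE):
            if len(kinds[kind]) != 1:
                raise AssignmentError(
                    f"{org}: expected exactly one {kind} group, got {sorted(kinds[kind])}")
        result[org] = Assignment(org, next(iter(kinds[ROLE])), next(iter(kinds[PROFILE])))
    return result

# Constructed sample membership for one user across two orgs.
SAMPLE_GROUPS = ["Domain Users", "SF-EMEA-ROLE-Sales-Manager", "SF-EMEA-PROFILE-Standard",
                 "SF-APAC-ROLE-Support", "SF-APAC-PROFILE-ReadOnly"]

if __name__ == "__main__":
    for assignment in resolve(SAMPLE_GROUPS).values():
        print(assignment)
```

How the resolved pair is pushed to Salesforce is outside this sketch.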