Seriously, I hadn’t seen it yet, but I think the point about working with a knowledgeable counterpart in each of the other domains you’re federating with is an important deployment consideration, both initially and in an ongoing fashion — as certificates expire, for example. (However, I don’t think this is the top barrier to federation.)

Where everybody could probably do a much better job is in planning for the long term in such a relationship, so that there’s an understanding of regular maintenance and hygiene rather than dealing with fire drills all the time. This problem isn’t unique to identity federation, but there’s no doubt a special list of tasks that would be involved compared to other IT activities.