We're an ISV developing multiple applications for delivery through the AppExchange, each as a distinct managed package.  Each team member has a dev org per application.  Because of the global uniqueness of user IDs, this means that each team member has to "name mangle" their user IDs in the various orgs to be, for example, <username>-<appname>@<domain> or <username>@<appname>.<domain>.

I had hoped that the platform's inherent support for SAML as both an IdP and an SP would help alleviate this.  I created a shared dev org for all of Product Engineering, registered a domain for it and my own dev orgs, and following these instructions to set up SSO across multiple organizations:

http://wiki.developerforce.com/page/Implementing_Single_Sign-On_Across_Multiple_Organizations

Unfortunately the all-important Step 7 in that documentation isn't clear about whether user IDs must still be unique across orgs joined through this type of SSO.  It's VERY clear that the Federation IDs must match for the respective users in the two orgs, but the following is ambiguous about whether this lightens the username uniqueness constraint:

1. Create a test user in your Identity Provider Org, and set their Federation ID to a unique value. Make sure you assign the user a Profile which was granted access to your Service Provider in step 6.
2. Create a test user in your Service Provider Org, and set their Federation ID to the same value as your test user in the Identity Provider. This will effectively bind the two accounts together.

Interestingly the VERY first time I tried to implement this, for some reason it did let me create the same user with the same ID in both orgs, but I suspect that's because I'd just updated the username for an existing user and, during that lull between making the change and the change becoming effective, I created the same user in the other org.  Needless to say, this left me in a pretty bad state for a bit, but I've recovered from that now!

So, as far as I can tell, this feature allows us to log into one org as a valid user in that org, then access any others orgs in which there are users (with usernames that are all distinct from one another) which are federated together with the user from the first org, but it doesn't allow us to do what I really want, namely to have a centralized user repository for all of our dev orgs.  I'm assuming I'll need to switch to delegated authentication to get that, and that means I'll need to implement the SOAP callout for delegated authentication in our shared org.  I'm about to start down that path, but I figured I'd post here for feedback as I'm doing so in the hopes that someone will respond with, "Hey, actually that will work if you just do this, this, and this!!!"

Thanks in advance for any help here!