I've trawled the archives and the last time I could see significant discussion of how we handle authentication of external people who don't have a home IdP and who we don't want to give a standard institutional account to was back in December 2011 (https://www.jiscmail.ac.uk/cgi-bin/webadmin?A2=JISC-SHIBBOLETH;d0b7395d.1112).
There were various suggestions mooted at the time (OpenID-Shibboleth bridge, separate "friends of" IdP, https://openidp.feide.no/).
Did any of these come to fruition and/or get adopted as the standard way to deal with this?
What are institutions doing to handle this now?
Infrastructure Systems Group, IT Service, Newcastle University