Don't forget IFD is for a whole deployment, not per org. So to set up one tenant like this would require a separate deployment, as far as I can see.
You could configure your ADFS to point to their ADFS (like a proxy chain), so you don't have to get directly through to their domain controllers. This is how you would set it up for cross-domain authentication (for non-trusted forests, say).
Hope this helps.
Adam Vero, Microsoft Certified Trainer | Microsoft Community Contributor 2011
UK CRM Guru Blog