The company, at the firewall level, could restrict which external IP addresses and URLs can access the CRM system. That would help ensure they're only getting data from sources they can control, and not all users.
Alternately, they could skip IFD, just set up ADFS and then set up a claim for each external system, and use an ADFS proxy in their DMZ for systems with a proper claim to touch.
The postings on this site are solely my own and do not represent or constitute Hitachi Solutions' positions, views, strategies or opinions.