Draft for discussion
Note that Identifier Assignment is currently unable to assign identifiers to Org Identities.
Create an enrollment flow plugin that creates credentials before the Org Identity is selected or created. Store the credentials in LDAP, Kerberos, SQL (to sync to other sources), etc. The plugin could create a suitable Org Identity and link it into the Petition before returning control to the flow. (This might require the plugin to take control from the Discovery Service, which in turn may require a way to pass a flag to the enrollment flow that tells the plugin it should attempt to create an identity.)
The plugin could also provide credential management via menus, though it would need to do so for the Org Identity (not the CO Person) and only for those Org Identities that it created.
This approach still needs an IdP (Shib, etc.) that can authenticate using the credentials created.