SSO tax. Many third party applications don’t support auth delegation until you are on the enterprise tier. Investigate required applications to see if and how they can act as a RP or SP to a centralized user management system before you decide to pursue the bottleneck architecture.
Another organizational challenge is ensuring developers and end users actually use the organization’s user management system. Some may want to use their old, familiar authentication solutions. Encourage everyone to work within these constraints by making adoption as easy as possible and clearly explaining the benefits. Providing examples of successful integrations can help with both of these.
Tying together the bottleneck system, the delegating applications, and the external identity providers requires effort. It can be simple; sometimes it’s just following a tutorial on a website and adding a few lines of configuration. Other times it may be more complicated and may require coordination across multiple teams.
Beware of insecure or slow auth services. No one cares about authentication and authorization, except when it doesn’t work. When was the last time you heard someone exclaim “I love that login page!”? People want to authenticate when and how they choose and have it work. They want to use the application, not sign in. Select a system that is robust, has great support, and is flexible enough to meet future needs.