Thanks for your input. I will have a look at implementing that to see if it will serve the purpose. (Nothing ventured, nothing gained...)
I am just using the claims-based authentication within Kentico (Settings - Security & Membership - Authentication - Claims-based Authentication (standard, no changes)) without inheriting settings but using the same identity provider. I have done the same with other sites; however, external users get assigned a site (the default and only site).
The site I am working on has 2 sites within 1 Kentico environment, 2 different domain suffixes, and roles defining whether you are allowed cross-site access. (It's a training website with 2 different products (sites).)
I understand the issues with triggers and people's reluctance to use them, but used correctly they can and do work without problems (lots of if statements and rollbacks).
One slight problem I have is that this site will not build within VS and throws up many errors (it had some custom code built for Kentico v5.5R2 shoe-horned into the build), so I may have some problems getting some global events to work, etc.
The token that comes from ADFS will not show the domain, as we are using forms authentication, not Windows authentication, so there is limited information I can gather to check. We can set up a custom claims rule, but then the whole thing gets more complex when all I want is that when someone gets authenticated, they get allocated a site or two. I would have thought Kentico out of the box could handle such a simple thing - they do it with 1 site, why not 2!
I will update this when I have progressed further.