At the moment there is no possibility to turn off the ability to change the username, but we are currently working on user schemas, which will allow you to define what is editable by whom in the future.
Hi @snowping, to answer your question: we generally use the username, as it is the most used attribute for NameID for now. Technically it would be possible to add an option so that you can configure your NameID; for that, please create an issue on GitHub. Whether you have the capability, like other IDPs, to use an attribute instead of a custom attribute depends on Entra; there I would have to read up on the configuration possibilities. If you want to add custom attributes to your SAML Response, there is an action which provides you with that; have a look here: https://zitadel.com/docs/apis/actions/customize-samlresponse.