We have a number of support partners that are in direct competition which each other, and would be very concerned about exposing even email addresses to each other (usernames in SaaS apps are very rarely hidden from standard users, as they are used to communicate who was the last person to update an asset, for example).

I would like the ability to abstract this from them somehow. For example:

My domain is acme.com

Partner 1 is using the domain "shakenservices.com"
Partner 2 is using the domain "stirredservices.com"

When I provision to an application, I would currently have to use a username / email similar to "bob@shakenservices.com" and "rob@stirredservices.com" as the username (or the UPN, which contains the email address anyway and some SaaS apps will not accept it, because the email address must match the UPN).

Instead, I'd like the username (or an attribute) use the subdomain "ext.acme.com", which is enough to mask the source user domain (at least when provisioning into SaaS apps), but still make it clear that it does not belong to an ACME staff member.

I'd probably have to write some code to reliably make this unique, as the email prefix on its own is unlikely to remain unique.