How to handle SAML login when UPN != Email (UPN vs Email vs "Holds" field settings)

We are having a lot of trouble getting things configured so that Windows users whose email does not match their UPN can log in to Cherwell successfully (browser portal, browser client and rich client).

We are on 8.1.2 using SAML (yes, we know there is a security issue; we will be upgrading to 9.1 in the next 30 days).

Anyway, 2 questions:

1. How do we set up the LDAP mapping and configure things so that users with Email = UPN and users with Email != UPN can log in using SAML?

NOTE: We cannot emit Email as the primary authentication; we must use UPN.

2. How does the "Holds" value work, specifically with regard to the E-mail address, and does it impact validating a user when they log in?

Help! We just can't seem to get this right. We can get users with UPN = Email in just fine.