Quite often Active Directory (AD) has to be treated as a read-only data store.
There are more and more cases where, regardless of this requirement, a SAML federation based on the persistent NameID-Format needs to work, but OpenAM currently does not have a good solution for this.
I believe that in certain cases, when working with Outlook/Office365, there is actually a requirement from the SP side that the NameID value must contain an ImmutableID, which, if I'm not mistaken, translates to the actual objectGUID.
Since the objectGUID cannot be changed in AD, it would certainly fulfil the requirements around the persistent NameID format; and because the value would come from an existing attribute of the LDAP entry, there would be no need to store it in custom attributes either (hence AD could remain read-only).
Implementing this support could immensely improve our SAML interoperability with Microsoft products.
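The mapping this request proposes, as an added illustration that is not OpenAM code: it assumes the commonly used convention that the ImmutableID is the base64 encoding of the raw 16-byte objectGUID, and that the IdP and SP entity IDs are placeholders. It shows why no write to AD is needed (the value is derived from the entry as read) and handles the byte-order trap of AD's binary GUID layout.

```python
import base64
import uuid
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample value: the raw 16-byte objectGUID exactly as an LDAP
# client receives it from AD (a binary attribute in Microsoft's mixed-endian
# GUID layout, so the first three fields are byte-swapped relative to the
# textual GUID form).
SAMPLE_OBJECTGUID = bytes.fromhex("67452301ab89efcd0123456789abcdef")


def objectguid_to_string(raw: bytes) -> str:
    """Textual GUID as AD tools display it; bytes_le undoes the byte swap."""
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


def objectguid_to_immutable_id(raw: bytes) -> str:
    """Assumed convention: ImmutableID = base64 of the raw objectGUID bytes.
    The raw bytes are encoded as-is (not the hyphenated string), so the value
    is stable for the lifetime of the AD object and requires no write to AD."""
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return base64.b64encode(raw).decode("ascii")


def immutable_id_to_objectguid(immutable_id: str) -> bytes:
    """Reverse mapping, e.g. to look the AD entry up again from a NameID."""
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError("ImmutableID does not decode to a 16-byte GUID")
    return raw


def persistent_nameid(raw: bytes, idp_entity_id: str, sp_entity_id: str) -> str:
    """Serialise a SAML 2.0 persistent-format NameID carrying the ImmutableID.
    Built with ElementTree so qualifiers are escaped rather than string-pasted."""
    el = ET.Element(f"{{{SAML_NS}}}NameID",
                    {"Format": PERSISTENT_FORMAT,
                     "NameQualifier": idp_entity_id,
                     "SPNameQualifier": sp_entity_id})
    el.text = objectguid_to_immutable_id(raw)
    return ET.tostring(el, encoding="unicode")
```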