Is there a way to add the ForceAuthn property to a SAML V2 request?

We have Google SAML V2 as an Identity Provider and are running into a Google issue where if a user has multiple Google accounts (personal / work) and chooses the wrong account to authenticate to, the authentication rightfully fails, but Google seems to "cache" that the user selected the wrong account and no longer gives the user the option to choose what account they can sign into.

Reading some forums online makes it seem that if you have ForceAuthn="true in the SAML v2 request, that it may give you the option to choose accounts each time an authentication request is made.

Since Lambdas are used on the SAML response, is there any mechanism that FusionAuth has to be able to append properties to the SAML request?

I am not entirely sure that this will fix the issue at hand, but a few forums seem to suggest it might remedy the issue.

When we create a user through the API (api/user POST), the lastLoginInstant is being set and is the same as the lastUpdateInstant and insertInstant. Having the lastLoginInstant being set here is a bit deceiving because the user has not actually logged in yet. I notice that in the response for this API we receive a token which is not necessary for how we are utilizing the API - is the generation of this token causing the lastLoginInstant to be set?

Is there a way that we can create a user without having any login instances being created?

We have users able to request a password reset through the hosted login screen. Is there any way of seeing if a specific user has requested a password reset? I don't see anything on the user's Source that seems to be telling of that. I also don't see anything in the logs or an option for webhooks.