In one of our registration flows, we have an OAuth flow from FA into our Application and a (SP-initiated) SAML IdP connected for a specific Tenant using that Application. Our customer with the IdP does not want any interaction required with FA itself, only on their IdP—it should be completely seamless from the login/register button on the Application, the registration fill-out form and email verification on their IdP, to the redirect back into the Application as a logged-in user.
We do need to populate both email and username in our Application via IdP metadata coming through FA.
The IdP is configured with a SAML v2 Reconcile Lambda which parses the SAML metadata, links on email, but stores the property we use for our Application and FusionAuth username on a property of user.data.
We need the FA username to be correct, matching that SAML metadata value stored on user.data, before completion of third party auth in our Application; otherwise, we end up with the FA user id as the username in our app, which we can't have.
Because FA does not allow you to set both an email and username after IdP linkage (why again?), I'm then calling a Webhook out to a cloud function, which then calls back to PATCH the user via the FA API to set the FA username with that user.data property's value. This mostly works, but some API calls are failing with a 404 as if the User doesn't exist yet in FA, which makes no sense to me. I've even added retry with backoff when encountering a 404, but it doesn't seem to help.
I've tried calling this webhook on both user.registrationcreate and user.createcomplete with the same result for both events.
How can I go about ensuring the FA username is set to my SAML property before completing the rest of the flow into the Application? Is there a different event I can use for my Webhook that will work every time?
Is there a way to do this without resorting to a Webhook call? (I tried to call the FA API right from that SAML v2 Reconcile Lambda but always got a cryptic -1 response error)
thanks much
Bryan
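Added example (not Bryan's code and not FusionAuth's own): the shape of the cloud function the post describes, with event parsing kept separate from the HTTP call so it can be dry-run offline. It assumes the FusionAuth webhook body shape `{"event": {"type": ..., "user": {...}}}`, the `PATCH /api/user/{id}` endpoint with the API key in the `Authorization` header, and a hypothetical `user.data` key named `samlUsername`; it does not claim to explain the 404s.

```python
import json
import time
import urllib.error
import urllib.request

# Hypothetical key the reconcile lambda writes into user.data (assumption).
DATA_KEY = "samlUsername"
# Only statuses that can change with time are worth retrying.
RETRYABLE = {404, 500, 502, 503}

def build_username_patch(event):
    """Return (path, tenant_id, body) for PATCH /api/user/{id}, or None when the
    event carries no user id / data value or the username is already correct."""
    user = event.get("event", {}).get("user") or {}
    wanted = (user.get("data") or {}).get(DATA_KEY)
    if not wanted or not user.get("id") or user.get("username") == wanted:
        return None
    return f"/api/user/{user['id']}", user.get("tenantId"), {"user": {"username": wanted}}

def fusionauth_sender(base_url, api_key, tenant_id=None):
    """Build send(path, body) -> HTTP status against the FusionAuth user API.
    X-FusionAuth-TenantId is added when known to disambiguate multi-tenant setups."""
    def send(path, body):
        headers = {"Authorization": api_key, "Content-Type": "application/json"}
        if tenant_id:
            headers["X-FusionAuth-TenantId"] = tenant_id
        req = urllib.request.Request(base_url + path, data=json.dumps(body).encode(),
                                     headers=headers, method="PATCH")
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status
        except urllib.error.HTTPError as e:
            return e.code
    return send

def patch_with_backoff(send, path, body, attempts=5, base_delay=0.5, sleep=time.sleep):
    """Retry 404/5xx with exponential backoff; return 400/401/403 etc. at once."""
    status = None
    for i in range(attempts):
        status = send(path, body)
        if status not in RETRYABLE:
            return status
        sleep(base_delay * 2 ** i)
    return status

def handle_webhook(raw_body, send, **retry_opts):
    """Webhook entry point: parse the event, then PATCH the username if needed."""
    plan = build_username_patch(json.loads(raw_body))
    if plan is None:
        return None
    path, _tenant, body = plan
    return patch_with_backoff(send, path, body, **retry_opts)

# Constructed sample event (not a real capture) for an offline dry run.
SAMPLE_EVENT = {"event": {"type": "user.create.complete", "user": {
    "id": "00000000-0000-0000-0000-000000000001", "tenantId": "tenant-placeholder",
    "email": "jane@example.com", "username": "00000000-0000-0000-0000-000000000001",
    "data": {DATA_KEY: "jane.doe"}}}}
SAMPLE_BODY = json.dumps(SAMPLE_EVENT)
```

To wire it to a real instance, pass `fusionauth_sender("https://fa.example.invalid", "<api key>", "<tenant id>")` as `send`; the placeholders are assumptions, not values from the post.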