And if there is really literally absolutely no way to change the AuthnRequest, one dirty workaround would be to use an IdP-initiated login, presuming they support it.