Use the below script to make the UPN updatable.
This was handy incase of Site minder configuration for SharePoint where in there was no profile sync in place and a profile was provisioned as and when the user logs in for the first time.

Without UPN Sp2013 workflows and App will not work, we wrote a module to capture the first time login and updated the UPN with the identity claim under the same user's session.


$siteurl = "http://SPWebAPP:PortNo"
if ((Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue) -eq $null )
{
Add-PsSnapin Microsoft.SharePoint.PowerShell
}
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")
[System.Reflection.Assembly]::LoadWithPartialName("microsoft.sharepoint.portal")
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.Office.Server")
[System.Reflection.Assembly]::LoadWithPartialName("System.Web")
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Taxonomy.dll")
$site = Get-SPSite -Identity $siteurl -ErrorAction Stop
$ctx = [Microsoft.Office.Server.ServerContext]::GetContext($site)
$upm = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($ctx)
$upcm = New-Object Microsoft.Office.Server.UserProfiles.UserProfileConfigManager($ctx)
foreach($property in $upm.Properties)
{
if($property.Name -eq "SPS-UserPrincipalName")
{
Write-Host $property.IsUserEditable
$property.IsUserEditable = $true;
$property.IsVisibleOnEditor = $false;
$property.IsVisibleOnViewer = $false;
$property.Commit();
}
}