As long as users' login names (samaccountname) are unique, you don't need to specify a suffix.
What I've seen are two types of strategies:
a) Map to the email suffix (this eliminates confusion between AD UPNs and email suffixes).
b) Map to a generic suffix. E.g. user@company.sso (note that there's no need to conform to DNS's RFC1035 naming).
E.g. in some of my demo environments I use .demo (e.g.