SAML Attribute Mapping for AWS Cognito - Signup or Signin works but not both

I have set up my GSuite account as a SAML IdP for Cognito User Pools (not identity pools).

If I provide no attribute mappings, a new user trying to sign up via GSuite login gets the following error.

Error in SAML response processing: Invalid user attributes: email: Attribute is required.

However, if I add an email mapping, the user can sign up, but can't ever sign in again, as they get this error (strange, as email is writable by this app client):

Error in SAML response processing: Invalid user attributes: email: Attribute cannot be updated.

Ideas as to what's going on?

In browser, using Hosted UI.

Solution 1:[1]

It turns out I had made the email address immutable during CloudFormation setup. Even though the email is not being modified, it needs to be mutable.

You can determine the mutability of email via the following command.

 aws --output table cognito-idp describe-user-pool --user-pool-id <user pool id>  | grep -B6 -A7 "  |  email  "

Solution 2:[2]

For anyone who is facing this issue when using SAML and AD as the identity provider, you have to configure Attribute Mapping.

Go to Attribute Mapping under Federation, enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress for SAML attribute, and select Email for User pool attribute.
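Both answers point at a setting that can be read straight out of the user pool and provider configuration, so here is an added pre-flight check (not from either answer, and not part of the original post) that covers both: it takes the JSON returned by `aws cognito-idp describe-user-pool` and `aws cognito-idp describe-identity-provider` and reports whether the email attribute is immutable (Solution 1) or has no SAML mapping (Solution 2). The sample responses embedded below are constructed to mirror the shape of those two API responses; the pool id and provider name in them are placeholders, not real values.

```python
"""Pre-flight check for the two Cognito SAML errors discussed above.

Usage: python cognito_saml_check.py user-pool.json idp.json
where the files hold the output of
  aws cognito-idp describe-user-pool --user-pool-id <pool id>
  aws cognito-idp describe-identity-provider --user-pool-id <pool id> --provider-name <name>
With no arguments the constructed sample configuration below is checked instead.
"""
import json
import sys

# SAML claim URI that Google Workspace and AD FS use for the e-mail address
# (the value typed into the console in Solution 2).
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"


def email_schema(user_pool_response):
    """Return the SchemaAttributes entry named 'email', or None if absent."""
    for attr in user_pool_response["UserPool"].get("SchemaAttributes", []):
        if attr.get("Name") == "email":
            return attr
    return None


def diagnose(user_pool_response, idp_response):
    """Return a list of findings; an empty list means both failure modes are ruled out."""
    findings = []
    email = email_schema(user_pool_response)
    mapping = idp_response["IdentityProvider"].get("AttributeMapping", {})
    if email is None:
        return ["user pool has no 'email' attribute in SchemaAttributes"]
    # Solution 2: with no mapping the assertion never populates email, so a
    # required email attribute fails with "email: Attribute is required".
    if email.get("Required") and "email" not in mapping:
        findings.append("email is Required but the provider has no AttributeMapping for 'email'")
    # Solution 1: Cognito rewrites the mapped attributes on every federated
    # sign-in, so an immutable email fails with "email: Attribute cannot be updated".
    if not email.get("Mutable", False):
        findings.append("email has Mutable=false; it must be Mutable=true for federated sign-in")
    return findings


def _pool(mutable):
    """Constructed describe-user-pool response with a required email attribute (placeholder pool id)."""
    return {"UserPool": {"Id": "us-east-1_EXAMPLE", "SchemaAttributes": [
        {"Name": "sub", "AttributeDataType": "String", "Mutable": False, "Required": True},
        {"Name": "email", "AttributeDataType": "String", "Mutable": mutable, "Required": True},
    ]}}


def _idp(with_mapping):
    """Constructed describe-identity-provider response for a SAML provider (placeholder name)."""
    return {"IdentityProvider": {"ProviderName": "GSuite", "ProviderType": "SAML",
            "AttributeMapping": {"email": EMAIL_CLAIM} if with_mapping else {}}}


# The configurations from the question: immutable email, with and without a mapping.
BROKEN_POOL, FIXED_POOL = _pool(mutable=False), _pool(mutable=True)
IDP_UNMAPPED, IDP_MAPPED = _idp(with_mapping=False), _idp(with_mapping=True)

if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f, open(sys.argv[2]) as g:
            pool, idp = json.load(f), json.load(g)
    else:
        pool, idp = BROKEN_POOL, IDP_MAPPED  # the "signup works, signin fails" case
    for finding in diagnose(pool, idp) or ["no problems found"]:
        print(finding)
```

In CloudFormation terms the two fixes are `Mutable: true` on the `email` entry of the `Schema` property of `AWS::Cognito::UserPool`, and an `AttributeMapping` entry of `email: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` on `AWS::Cognito::UserPoolIdentityProvider`. Note that Cognito does not let you change the mutability of an existing schema attribute after the pool is created, so the first fix in practice means recreating the user pool.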

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Adam Mills
Solution 2 Lanil Marasinghe