When configuring SAML for any user with Aqua, the following error message may be observed:


In this case, the SAML IdP is not sending the expected attribute in its response. The attribute that is configured to send the user's email address must be named with the following identity claim:

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddresss


Note that the "emailaddresss" component at the end of the above URL ends with three 's' characters.


Different SAML providers label the attribute fields differently, but the important point is that the attribute name must be set to exactly the above string and its value must be configured to pass the user's email address.



| | Attribute Name | Attribute Value |
|---|---|---|
| Correct: | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddresss | User.Email |
| Incorrect: | email | User.Email |
| Incorrect: | User.Email | User.Email |
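
To confirm what the IdP actually sends, the following added example (not Aqua's code) inspects a decoded SAML response or assertion for the attribute name required above and flags names that differ only in the number of trailing 's' characters. It assumes SAML 2.0 assertions; the function names, the sample assertion and the user@example.com address are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Attribute name required by this article (three trailing 's' characters).
REQUIRED_NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddresss"
# Assumption: the IdP issues SAML 2.0 assertions.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def check_email_claim(saml_xml):
    """Inspect a decoded SAML response or assertion for the required attribute.

    Diagnostic only: it does not validate signatures or conditions.
    """
    root = ET.fromstring(saml_xml)
    result = {"ok": False, "email": None, "names": [], "near_miss": []}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        result["names"].append(name)
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", NS)]
        values = [v for v in values if v]
        if name == REQUIRED_NAME and values:  # exact, case-sensitive match
            result["ok"], result["email"] = True, values[0]
        elif name != REQUIRED_NAME and name.rstrip("s") == REQUIRED_NAME.rstrip("s"):
            # Same URI apart from the number of trailing 's' characters.
            result["near_miss"].append(name)
    return result


def sample_assertion(attr_name, email="user@example.com"):
    """Constructed sample assertion carrying one attribute (not real IdP output)."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:AttributeStatement>"
        f'<saml:Attribute Name="{attr_name}">'
        f"<saml:AttributeValue>{email}</saml:AttributeValue>"
        "</saml:Attribute></saml:AttributeStatement></saml:Assertion>"
    )


if __name__ == "__main__":
    for name in (REQUIRED_NAME, "email", "User.Email", REQUIRED_NAME[:-1]):
        r = check_email_claim(sample_assertion(name))
        status = "OK" if r["ok"] else "MISSING"
        print(f"{status:8} sent={r['names']} near_miss={r['near_miss']}")
```

To use it on a real login attempt, base64-decode the SAMLResponse captured from the browser and pass the resulting XML to `check_email_claim`.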