"Invalid email from identity provider" | SSO Troubleshooting

The “Invalid email from identity provider” error occurs when Otter cannot validate the email address received from your identity provider (IdP) during sign-in. This is typically caused by an incorrect attribute mapping. Verify that the email attribute is correctly named and formatted in your IdP configuration.

Email attribute format

Otter requires the email attribute to follow a specific format. Ensure your IdP configuration matches the format shown below. For additional guidance, see the SSO SAML setup documentation.

email: User’s email address (required)

<saml2:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">    
    <saml2:AttributeValue xsi:type="xs:string">        
        email_value    
    </saml2:AttributeValue>
</saml2:Attribute>

or

<saml2:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">    
    <saml2:AttributeValue xsi:type="xs:string">        
        email_value    
    </saml2:AttributeValue>
</saml2:Attribute>

or

<saml2:Attribute Name="urn:oid:1.2.840.113549.1.9.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">    
    <saml2:AttributeValue xsi:type="xs:string">        
        email_value    
    </saml2:AttributeValue>
</saml2:Attribute>

Example of a mismatched email attribute

Using Microsoft Entra as an example, the email claim was configured with the name user_email, which results in the error “Invalid email from the identity provider.” Otter expects the email attribute to be named email.

• ✅ To resolve this issue, update the claim name to email.

In your IdP, verify that the email attribute is correctly named and formatted before testing SSO or signing in again.