Troubleshooting Guide: "Email not specified" Error in SageMaker Unified Studio SAML Login


This guide helps diagnose and resolve the "Email not specified" error that occurs during SAML authentication setup for Amazon SageMaker Unified Studio.

Overview

When configuring SAML authentication for Amazon SageMaker Unified Studio (SMUS), you may encounter an "Email not specified" error during login. This error typically indicates that the required email attribute is not being properly passed or processed in the SAML assertion. This guide will help you diagnose and resolve this issue.

Note: This troubleshooting guide applies to all SAML-based Identity Providers (IdPs). While the diagnostic steps are universal, the configuration steps may vary depending on your IdP. Here are detailed configuration guides for the following IdPs:

Troubleshooting Steps

Step 1: Capture the SAML Response

1.1 Open Browser Developer Tools

Before attempting to log in, open your browser's Developer Tools:

  • Chrome/Edge: Press F12 or Ctrl+Shift+I (Windows/Linux) / Cmd+Option+I (Mac)
  • Firefox: Press F12 or Ctrl+Shift+I (Windows/Linux) / Cmd+Option+I (Mac)

1.2 Configure Network Monitoring

Navigate to the Network tab in Developer Tools and enable the following settings:

  • ✅ Enable Persist Logs (this prevents the log from clearing during redirects)
  • ✅ Keep Developer Tools open during the entire login process

1.3 Initiate SAML Login

Attempt to log in to SageMaker Unified Studio through your SAML SSO flow. Continue until you see the "Email not specified" error message.

Step 2: Extract the SAML Response

2.1 Locate the SAML Request

In the Network tab, use the filter or search functionality to find requests to the signin.aws.amazon.com domain.

2.2 Identify the SAML Endpoint

Look for a request where:

  • The File or Path column shows saml
  • The request method is typically POST

2.3 Copy the SAML Response

  1. Click on the identified SAML request
  2. Navigate to the Request or Payload tab (depending on your browser)
  3. Locate the field named SAMLResponse
  4. Copy the entire string value (this will be a Base64-encoded string)

Step 3: Verify the Email Attribute

3.1 Decode and Search for Email Attribute

Open a terminal or command prompt and run the following command:

echo "<paste the SAMLResponse string here>" | base64 -d | grep PrincipalTag:Email

Example:

echo "PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46..." | base64 -d | grep PrincipalTag:Email

3.2 Interpret the Results

Case 1: XML Tag is Returned

Output example:

<saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/PrincipalTag:Email"> <saml:AttributeValue>user@example.com</saml:AttributeValue>
</saml:Attribute>

Analysis:

  • The PrincipalTag:Email attribute is present in the SAML Response
  • Your IdP is correctly configured to send the email attribute
  • The issue is likely on the AWS/SMUS side in processing the SAML assertion

Resolution: Open an AWS Support case with a HAR file from the login flow and the decoded SAML response showing the PrincipalTag:Email attribute for investigation.

⚠️ Important: Remove any sensitive information (passwords, tokens, personal data) from the HAR file before sharing.

Case 2: No Output Returned ❌

Analysis:

  • The PrincipalTag:Email attribute is missing from the SAML Response
  • Your IdP is not configured to send the required email attribute
  • This is a configuration issue on the IdP side

Resolution:

  1. Review your IdP configuration:

    • Verify the email attribute is mapped to: https://aws.amazon.com/SAML/Attributes/PrincipalTag:Email
    • Confirm the user's email address exists in the IdP user profile
  2. Check IdP Client/Application settings:

    • Navigate to your IdP's admin console and locate the SMUS client configuration
    • Verify attribute mapping:
      • Source Attribute: email
      • SAML Attribute Name: https://aws.amazon.com/SAML/Attributes/PrincipalTag:Email
      • SAML Attribute NameFormat: URI Reference
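
The check from Step 3 can also be done with an XML parser instead of grep. The following is an added example, not part of the original guide or any AWS tooling: it goes beyond the two cases above by also reporting an attribute that is present but has an empty value, and an assertion that is encrypted (where grep finds nothing even though the IdP may be sending the attribute). The function names, result labels and sample responses are this example's own assumptions.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET

EMAIL_ATTR = "https://aws.amazon.com/SAML/Attributes/PrincipalTag:Email"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"  # SAML 2.0 assertion namespace


def check_email_attribute(saml_response: str) -> str:
    """Return 'present', 'empty', 'missing' or 'encrypted' (labels are this example's)."""
    # A value copied from a raw form body may still be URL-encoded (%2B, %2F, %3D).
    raw = "".join(urllib.parse.unquote(saml_response).split())
    xml_bytes = base64.b64decode(raw + "=" * (-len(raw) % 4))
    # ElementTree expands internal entities, so refuse documents that carry a DTD.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("unexpected DTD in SAML response")
    root = ET.fromstring(xml_bytes)
    # Match on the namespace URI, so saml:, saml2: or a default prefix all work.
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") == EMAIL_ATTR:
            values = [(v.text or "").strip()
                      for v in attr.iter(f"{{{SAML_NS}}}AttributeValue")]
            return "present" if any(values) else "empty"
    # An encrypted assertion hides its attributes from grep and from this check.
    if root.find(f".//{{{SAML_NS}}}EncryptedAssertion") is not None:
        return "encrypted"
    return "missing"


def make_sample(attribute_xml: str, url_encode: bool = False) -> str:
    """Build a constructed, unsigned SAMLResponse for demonstration only."""
    xml = (f'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           f'xmlns:saml2="{SAML_NS}"><saml2:Assertion><saml2:AttributeStatement>'
           f'{attribute_xml}</saml2:AttributeStatement></saml2:Assertion>'
           f'</samlp:Response>')
    b64 = base64.b64encode(xml.encode()).decode()
    return urllib.parse.quote(b64, safe="") if url_encode else b64


if __name__ == "__main__":
    ok = f'<saml2:Attribute Name="{EMAIL_ATTR}"><saml2:AttributeValue>user@example.com</saml2:AttributeValue></saml2:Attribute>'
    blank = f'<saml2:Attribute Name="{EMAIL_ATTR}"><saml2:AttributeValue/></saml2:Attribute>'
    for label, sample in [("ok", make_sample(ok, url_encode=True)),
                          ("blank", make_sample(blank)), ("none", make_sample(""))]:
        print(label, "->", check_email_attribute(sample))
```

A result of "empty" points to the same IdP-side fix as Case 2: the mapping exists, but the user's profile has no email value to send.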

Conclusion

The "Email not specified" error occurs when the required PrincipalTag:Email attribute is either missing from the SAML response or not being processed correctly by SMUS. By following this guide to decode and inspect the SAML response, you can determine whether the issue lies with your IdP configuration or requires AWS support intervention.