Problem with SSO
Even with all the configuration done correctly in SSO, it is not possible to access the console.
Oops, something went wrong Provide your administrator with the following info: No access Request ID: 5e5e705c-ee95-47e2-93f0-6d53ea9d56b3 HTTP status: 403
Can you help us?
Thank You
I had the same problem. I am using Active Directory, but my solution below may have some generality to other IdP as well.
It seems that the AD user must have an email address set in the AD profile (on the Windows side). That email address is mapped (by the default mapping, as can be seen pre-populated in the AWS Console) to AWS SSO's user profile (as the "Primary email" field) and is used to compose the Federated Username in an AWS login session, e.g., AWSReservedSSO_ViewOnlyAccess_ee422b93fe9f787c/alice2@example.com.
Now for a real production AD configuration, in all likelihood every user's profile already has the email field populated. But that's not a mandatory field from AD's point of view. So, when you create a demo user, you might have neglected to populate that field. That's what happened to me.
So, populate that field in AD, and wait (for a non-deterministic amount of time -- why can't we have a "sync now" button?!) for AWS SSO to sync from AD. Here you'd encounter the next quirk... AWS SSO either doesn't seem to override the AWS-side previously-sync'ed email address or maybe I ran out of patience waiting for (again, a non-deterministic amount of time :) the next sync cycle. My hack is to delete the SSO User on the AWS side and wait (you guessed it, for a non-deterministic amount of time :):) for SSO to re-create that user during the next sync cycle.
Anyway, look into the SSO user profile (on the AWS side) to ensure that the "Primary email" field (not to be confused with the "SSO Username" field, which is typically but coincidentally also in the format of an email address) has been populated (by the sync process).
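The check the answer above describes (every synced SSO user must have a populated Primary email, because that value becomes the second half of the federated username) can be scripted against the output of `aws identitystore list-users`. The following is an added example, not code from the original post or from AWS; the sample JSON is constructed to look like that command's output (field names `Users`, `UserName`, `Emails`, `Value`, `Primary` are assumed to match the real output, so compare against your own), and the `<permission-set-role>/<primary email>` username shape is taken from the answer.

```python
import json

# Constructed sample shaped like the output of
#   aws identitystore list-users --identity-store-id <store-id>
# (assumption: field names match the real command output; verify locally).
SAMPLE_LIST_USERS_OUTPUT = json.dumps({
    "Users": [
        {
            "UserName": "alice2@example.com",
            "UserId": "00000000-0000-0000-0000-000000000001",
            "Emails": [{"Value": "alice2@example.com", "Type": "work", "Primary": True}],
            "IdentityStoreId": "d-0000000000",
        },
        {
            # Demo user synced before the AD mail attribute was filled in: no Emails at all.
            "UserName": "demo1@example.com",
            "UserId": "00000000-0000-0000-0000-000000000002",
            "IdentityStoreId": "d-0000000000",
        },
        {
            # Has an email entry, but nothing marked Primary.
            "UserName": "bob@example.com",
            "UserId": "00000000-0000-0000-0000-000000000003",
            "Emails": [{"Value": "bob@example.com", "Type": "work"}],
            "IdentityStoreId": "d-0000000000",
        },
    ]
})


def primary_email(user):
    """Return the user's Primary email value, or None when no entry is marked Primary."""
    for entry in user.get("Emails", []):
        if entry.get("Primary") and entry.get("Value"):
            return entry["Value"]
    return None


def find_users_missing_primary_email(list_users_json):
    """Usernames of SSO users that would produce the 403 'No access' symptom:
    no Primary email means no usable federated username."""
    data = json.loads(list_users_json)
    return [u["UserName"] for u in data.get("Users", []) if primary_email(u) is None]


def federated_username_for(list_users_json, user_name, permission_set_role):
    """Compose the federated username shape quoted in the answer:
    <permission-set role name>/<primary email>.  Raises if the email is missing,
    which is exactly the case the answer tells you to fix in AD and re-sync."""
    data = json.loads(list_users_json)
    for user in data.get("Users", []):
        if user.get("UserName") == user_name:
            email = primary_email(user)
            if email is None:
                raise ValueError(f"{user_name}: no Primary email synced from the IdP")
            return f"{permission_set_role}/{email}"
    raise KeyError(user_name)


if __name__ == "__main__":
    # To run against a real store, replace SAMPLE_LIST_USERS_OUTPUT with the
    # captured output of the list-users command above.
    for name in find_users_missing_primary_email(SAMPLE_LIST_USERS_OUTPUT):
        print(f"MISSING primary email: {name}")
    print(federated_username_for(SAMPLE_LIST_USERS_OUTPUT, "alice2@example.com",
                                 "AWSReservedSSO_ViewOnlyAccess_ee422b93fe9f787c"))
```

Users listed by `find_users_missing_primary_email` are the ones to fix on the AD side (populate the email attribute) and then re-sync, as the answer describes; a user that still shows no Primary email after a sync is the stale-record case the answer works around by deleting the SSO-side user and letting the next sync re-create it.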
This was 100% correct. Thanks for posting this answer.