IdP-initiated login with Azure is not working with Name ID set to user.mail


    • Severity 2 - Major

      Summary

      When Azure is configured to use user.mail as the Unique User Identifier (Name ID), IdP-initiated login fails with an Atlassian error page, and the URL of that page carries the details:

      https://id.atlassian.com/error?client_id=<redacted>&connection=<redacted>&lang=en-US%2Cen%3Bq%3D0.9%2Cpt%3Bq%3D0.8&error=access_denied&error_description=verify-saml-domains%3Amalformed-email-address&tracking=<redacted>

      Percent-decoded, the error_description parameter reads verify-saml-domains:malformed-email-address, i.e. the Name ID was rejected because it does not look like an email address.

      How to reproduce

      1. Integrate with Azure using the recommended setup, with the Unique User Identifier (Name ID) set to user.mail.
      2. Set the Relay State to your instance's URL.
      3. Launch the Atlassian Cloud application from myapps.microsoft.com (IdP-initiated login).

      Expected behaviour

      You are able to launch the Atlassian Cloud application from myapps.microsoft.com (IdP-initiated login).

      Actual result

      With this setup Azure misbehaves when sending the Name ID in the SAML response: the value is an unidentifiable string rather than the user's email address, which is what the malformed-email-address error refers to.

      Additional notes

      The problem is not reproducible with user.userprincipalname as the Name ID. That is not always a usable workaround, though: the value of that field may differ from user.mail, so validate the Name ID actually sent in the SAML response before switching your configuration to it.
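Added example, not part of the ticket and not Atlassian's or Microsoft's code: a small stdlib-only Python diagnostic that percent-decodes the error_description from the URL above and checks the NameID in a captured SAMLResponse the way the note above recommends, before changing the Name ID claim to user.userprincipalname. The two sample responses, the verified-domain set, the email regex and the function names are constructed for the example. The script does not verify the assertion signature and is meant for inspecting a response you captured yourself (for instance from the browser's developer tools), not for use inside a service provider.

```python
"""Diagnostic for the Name ID in an Azure AD SAML response (added example)."""
import base64
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlparse

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Deliberately simple shape check: one "@" and a dotted domain. It is meant to
# catch opaque identifiers, not to validate every RFC 5322 corner case.
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+\.[^@\s.]+)$")

# The error URL from the ticket, with the redacted values left as they are.
ERROR_URL = (
    "https://id.atlassian.com/error?client_id=<redacted>&connection=<redacted>"
    "&lang=en-US%2Cen%3Bq%3D0.9%2Cpt%3Bq%3D0.8&error=access_denied"
    "&error_description=verify-saml-domains%3Amalformed-email-address&tracking=<redacted>"
)

# Constructed, unsigned SAML response skeleton for the example; a real response
# also carries Issuer, Conditions, Signature and AttributeStatement elements.
_TEMPLATE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
    '<saml:Assertion ID="_a1" Version="2.0"><saml:Subject>'
    '<saml:NameID Format="{fmt}">{value}</saml:NameID>'
    '</saml:Subject></saml:Assertion></samlp:Response>'
)


def make_response(value, fmt=EMAIL_FORMAT):
    """Build a base64 SAMLResponse value as a browser would POST it (constructed input)."""
    return base64.b64encode(_TEMPLATE.format(fmt=fmt, value=value).encode()).decode()


GOOD_RESPONSE = make_response("rodrigo@example.com")
# Mimics the symptom in the ticket: an opaque string where the email should be.
BAD_RESPONSE = make_response("aB3kQ9ZpLm7wX2")


def decode_error_url(url):
    """Return (error, error_description) from an id.atlassian.com error URL, percent-decoded."""
    params = parse_qs(urlparse(url).query)
    return params.get("error", [""])[0], params.get("error_description", [""])[0]


def extract_name_id(saml_response_b64):
    """Return (NameID text, Format attribute) from a base64 SAMLResponse.

    Stdlib XML parsing only: run this on a response you captured yourself, not on
    untrusted input in a service. The signature is not verified here.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    node = root.find(f".//{{{SAML_ASSERTION_NS}}}NameID")
    if node is None or not (node.text or "").strip():
        return None, None
    return node.text.strip(), node.get("Format")


def check_name_id(value, fmt, verified_domains):
    """Classify a NameID the way a service provider expecting an email address would."""
    if not value:
        return "missing"
    if fmt not in (None, EMAIL_FORMAT, UNSPECIFIED_FORMAT):
        return "unexpected-format"
    match = EMAIL_RE.match(value)
    if match is None:
        return "malformed-email-address"  # the failure the ticket describes
    if match.group(1).lower() not in {d.lower() for d in verified_domains}:
        return "unverified-domain"
    return "ok"


def diagnose(saml_response_b64, verified_domains):
    """Decode a SAMLResponse and return (NameID value, verdict)."""
    value, fmt = extract_name_id(saml_response_b64)
    return value, check_name_id(value, fmt, verified_domains)


if __name__ == "__main__":
    print(decode_error_url(ERROR_URL))
    for label, resp in (("user.mail", GOOD_RESPONSE), ("opaque NameID", BAD_RESPONSE)):
        print(label, diagnose(resp, {"example.com"}))
```

To check a real response, paste the SAMLResponse form field from the failing POST into diagnose() together with the domains verified in your Atlassian organization; a verdict of malformed-email-address on the user.mail configuration, and ok on user.userprincipalname, is the comparison the note above asks for before switching.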

            Assignee: Vlad Svidersky
            Reporter: Rodrigo B.
            Votes: 0
            Watchers: 7