I've come here with a problem with AWS Cognito, where I use Okta as the IdP using the SAML protocol.
I configured everything using this documentation: https://aws.amazon.com/premiumsupport/knowledge-center/cognito-okta-saml-identity-provider/
Okta has an integrated AD, from which we get users.
Everything is OK: when I send a request for a token to Cognito, I get the access token, ID token and token type. After that, the "external user" is created in the Cognito User Pool with a specific prefix, which is the name of the IdP saved in Cognito.
The problem occurs when I delete all cookies and try to request a token one more time with the same credentials as before.
After this step I get an error every time:
Error: server_error: {"error_description":"Error+in+SAML+response+processing:+Invalid+user+attributes:+email:+Attribute+cannot+be+updated.+","error":"server_error"}
I am using Postman to get the token, using the "Authorization" tab with the type set to OAuth 2.0. All the properties are good, but I don't know why I get that error every time after the first successfully requested token (or after 1 hour, when the current token expires).