Alvin Lucillo

Azure EntraID email claim


If you’re using Azure EntraID as your IdP (identity provider) and you want the user’s e-mail address as a claim in the SAML assertion, user.userprincipalname is commonly used as the source attribute. It is the more stable choice because it’s the UPN (user principal name), which is usually e-mail shaped. Verify that it’s in that shape before treating it as an address. The alternative, user.email, is usually blank initially unless it’s directly populated.
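One way to do the shape check on the service-provider side, as an added example that is not from the original post: it reads the e-mail claim from an assertion and rejects blank, non-e-mail-shaped, and guest-style (`#EXT#`) UPN values. It assumes the claim is issued under the `emailaddress` claim URI shown in the code and that the assertion's signature has already been validated by your SAML library; the function names and sample values are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumption: the claim is issued under this name; adjust to your claim mapping.
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
# Deliberately strict shape check: one "@", no whitespace, dotted domain.
EMAIL_SHAPE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def email_from_assertion(assertion_xml):
    """Return (email, reason); email is None when the claim is unusable.

    Assumes the assertion was already signature-validated upstream.
    """
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == EMAIL_CLAIM:
            value = (attr.findtext("saml:AttributeValue", "", NS) or "").strip()
            break
    else:
        return None, "claim missing"
    if not value:
        # What a source attribute that was never populated looks like.
        return None, "claim blank"
    if "#EXT#" in value:
        # Guest accounts carry a UPN of the form name_domain#EXT#@tenant.
        return None, "guest UPN, not a mailbox address"
    if not EMAIL_SHAPE.match(value):
        return None, "not e-mail shaped"
    return value, "ok"


def make_assertion(value):
    """Constructed, unsigned sample assertion carrying only the e-mail claim."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:AttributeStatement>"
        f'<saml:Attribute Name="{EMAIL_CLAIM}">'
        f"<saml:AttributeValue>{value}</saml:AttributeValue>"
        "</saml:Attribute></saml:AttributeStatement></saml:Assertion>"
    )


if __name__ == "__main__":
    for sample in ("alice@example.com", "", "alice",
                   "alice_example.com#EXT#@contoso.onmicrosoft.com"):
        print(repr(sample), "->", email_from_assertion(make_assertion(sample)))
```

An e-mail-shaped value is still not proof that a mailbox exists at that address, so keep any account matching keyed on a stable identifier rather than on this claim alone.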