Issue on "Use Amazon Web Services Session Tags for Role-Based Access Control"

I have been following this tutorial. I did successfully log in with the rule

function(user, context, callback) {
  var awsAccount = 'myAccount';                         // AWS account ID
  var rolePrefix = 'arn:aws:iam::' + awsAccount;
  var samlIdP = rolePrefix + ':saml-provider/auth0SamlProvider';

  // AWS expects "<role ARN>,<SAML provider ARN>" in the Role attribute
  user.awsRole = rolePrefix + ':role/AccessByCostCenter,' + samlIdP;
  user.awsRoleSession = user.email;

  // map user properties onto the SAML attributes AWS reads
  context.samlConfiguration.mappings = {
    'https://aws.amazon.com/SAML/Attributes/Role': 'awsRole',
    'https://aws.amazon.com/SAML/Attributes/RoleSessionName': 'awsRoleSession'
  };

  callback(null, user, context);
}

but once I update it to

function(user, context, callback) {
  var awsAccount = 'myAccount';                         // AWS account ID
  var rolePrefix = 'arn:aws:iam::' + awsAccount;
  var samlIdP = rolePrefix + ':saml-provider/auth0SamlProvider';

  // AWS expects "<role ARN>,<SAML provider ARN>" in the Role attribute
  user.awsRole = rolePrefix + ':role/AccessByCostCenter,' + samlIdP;
  user.awsRoleSession = user.email;
  // tag keys and values that become session tags via PrincipalTag attributes
  // (awsTagKeys is set on the user but not mapped to a SAML attribute below)
  user.awsTagKeys = ['CostCenter', 'MyUserId'];
  user.CostCenter = 'client';
  user.MyUserId = user.email;

  // map user properties onto the SAML attributes AWS reads
  context.samlConfiguration.mappings = {
    'https://aws.amazon.com/SAML/Attributes/Role': 'awsRole',
    'https://aws.amazon.com/SAML/Attributes/RoleSessionName': 'awsRoleSession',
    'https://aws.amazon.com/SAML/Attributes/PrincipalTag:CostCenter': 'CostCenter',
    'https://aws.amazon.com/SAML/Attributes/PrincipalTag:MyUserId': 'MyUserId'
  };

  callback(null, user, context);
}

The login process fails with error code 403.

Please let me know if I need to do any cross-check on the setup.

My actual target is to allow users to only have access to resources tagged with their email/user_id.
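The following is an added example, not code from the original post or from the Auth0 tutorial it refers to. It shows the AWS side that the rule above depends on: when the SAML assertion carries PrincipalTag attributes, IAM requires the role's trust policy to allow sts:TagSession in addition to sts:AssumeRoleWithSAML, and the permissions policy that restricts access to resources tagged with the caller's own MyUserId can use the ${aws:PrincipalTag/MyUserId} policy variable against aws:ResourceTag/MyUserId. The account ID, role name, actions and resource ARNs are assumptions, and the trust-policy check is a local helper, not an AWS API.

```python
import json

# Constructed values mirroring the names used in the rule above.
# The account ID is a placeholder, not a real identifier.
AWS_ACCOUNT = "123456789012"
SAML_PROVIDER_ARN = f"arn:aws:iam::{AWS_ACCOUNT}:saml-provider/auth0SamlProvider"
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def trust_policy(provider_arn: str) -> dict:
    """Trust policy for a role assumed via SAML that also receives session tags.

    sts:TagSession is required whenever the assertion carries PrincipalTag
    attributes; a trust policy that only allows sts:AssumeRoleWithSAML is
    denied as soon as tags are passed.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": ["sts:AssumeRoleWithSAML", "sts:TagSession"],
            "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
        }],
    }


def tag_scoped_permissions(tag_key: str, actions: list, resource: str = "*") -> dict:
    """Permissions policy: the listed actions are allowed only on resources
    whose <tag_key> tag equals the caller's session tag of the same name."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": actions,
            "Resource": resource,
            "Condition": {
                "StringEquals": {
                    f"aws:ResourceTag/{tag_key}": f"${{aws:PrincipalTag/{tag_key}}}"
                }
            },
        }],
    }


def _as_list(value):
    """IAM allows scalars or lists in Action/Principal fields; normalise."""
    return value if isinstance(value, list) else [value]


def trust_policy_allows_session_tags(policy: dict, provider_arn: str) -> bool:
    """Local sanity check (assumed helper): does some Allow statement for this
    SAML provider grant both sts:AssumeRoleWithSAML and sts:TagSession?"""
    needed = {"sts:AssumeRoleWithSAML", "sts:TagSession"}
    for statement in _as_list(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        principal = statement.get("Principal", {})
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if provider_arn not in federated:
            continue
        if needed <= set(_as_list(statement.get("Action", []))):
            return True
    return False


if __name__ == "__main__":
    trust = trust_policy(SAML_PROVIDER_ARN)
    perms = tag_scoped_permissions("MyUserId", ["s3:GetObject", "s3:PutObject"],
                                   f"arn:aws:s3:::example-bucket/*")
    print(json.dumps(trust, indent=2))
    print(json.dumps(perms, indent=2))
    print("trust policy permits session tags:",
          trust_policy_allows_session_tags(trust, SAML_PROVIDER_ARN))
```

Attach the permissions document to the role named in the Role attribute and apply the trust document as its assume-role policy; the check function is only there to make the sts:TagSession requirement visible when comparing an existing trust policy against the one generated here.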