Problem statement
The SAML user profile contains an email attribute, but when the user logs in through the IdP-initiated flow, the ID token that Auth0 generates does not contain the email claim.
Solution
The Query String configured for the IdP-initiated flow (Dashboard > Authentication > Enterprise > SAML > select the specific SAML connection (tinuiti in this case) > IdP-initiated SSO tab > IdP-initiated SSO Behavior > Query String)
should include the protocol-specific values, such as scope, response_type, redirect_uri, and audience. These values should match the ones the application sends in its SP-initiated /authorize request: in the IdP-initiated flow the application never sends that request, so the configured query string is the only place those values can come from.
The email claim is included in the ID token only when email is one of the requested scopes (together with openid, which is required for an ID token to be issued at all).
For example:
scope=openid email profile
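The following is an added example, not code from the original article or from Auth0. It derives the IdP-initiated Query String from the application's SP-initiated /authorize URL so the two carry the same protocol values, flags a scope that would produce an ID token without email, and checks a decoded ID token for the email claim. The tenant host, client ID, redirect URI, audience and the tokens are constructed placeholders.

```python
"""Check an Auth0 IdP-initiated SSO query string against the SP-initiated flow.

Added example (not from the original article or Auth0's own code). All URLs,
client IDs and tokens are constructed placeholders.
"""
import base64
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Protocol parameters the application sends in its SP-initiated /authorize
# request; the IdP-initiated Query String must carry the same ones.
REQUIRED_PARAMS = ("scope", "response_type", "redirect_uri", "audience")

# Constructed SP-initiated request, as the application would build it.
SP_AUTHORIZE_URL = (
    "https://tenant.example.auth0.com/authorize"
    "?client_id=abc123"
    "&scope=openid%20email%20profile"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback"
    "&audience=https%3A%2F%2Fapi.example.com"
    "&state=xyz"
)


def idp_query_from_sp_authorize(sp_authorize_url: str) -> str:
    """Build the IdP-initiated Query String value from the SP-initiated URL.

    Only the protocol parameters are copied; per-request values such as
    state or nonce are left out because the IdP-initiated flow has no
    originating request for them to correlate with.
    """
    qs = parse_qs(urlparse(sp_authorize_url).query)
    missing = [p for p in REQUIRED_PARAMS if p not in qs]
    if missing:
        raise ValueError(f"SP-initiated URL lacks {missing}")
    return urlencode({p: qs[p][0] for p in REQUIRED_PARAMS})


def scope_problems(query_string: str) -> list[str]:
    """Return reasons this query string yields an ID token without email."""
    qs = parse_qs(query_string)
    scopes = set(qs.get("scope", [""])[0].split())
    problems = []
    if "openid" not in scopes:
        problems.append("scope lacks 'openid': no ID token will be issued")
    if "email" not in scopes:
        problems.append("scope lacks 'email': ID token will not carry email")
    return problems


def make_unsigned_token(claims: dict) -> str:
    """Construct a JWT-shaped token with an empty signature (test data only)."""
    def seg(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


def id_token_claims(id_token: str) -> dict:
    """Decode the JWT payload without verifying it.

    This is for inspection only; before trusting any claim in production,
    verify the signature against the tenant's JWKS and check iss/aud/exp.
    """
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def has_email_claim(id_token: str) -> bool:
    """True when the ID token carries an email claim."""
    return "email" in id_token_claims(id_token)


if __name__ == "__main__":
    query = idp_query_from_sp_authorize(SP_AUTHORIZE_URL)
    print("Query String to paste into the IdP-initiated SSO tab:")
    print(" ", query)
    print("problems with 'scope=openid profile':",
          scope_problems("scope=openid profile"))
    tok = make_unsigned_token({"sub": "saml|u1", "email": "u1@example.com"})
    print("email claim present:", has_email_claim(tok))
```

The derived string can be pasted directly into the Query String field; the value the page shows, scope=openid email profile, passes scope_problems with an empty list, while a scope missing email is reported before any login is attempted.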