Cognito SAML authentication fails after first-time login


I am setting up Cognito to use SAML for SSO auth with multiple providers (e.g. Okta, Azure). The process is flawless for the first login. However, the issue arises when my users try to authenticate for a second time, and I know what the issue is: the email field is required and immutable, so when the SAML request comes in, it tries to update that field and fails.

I have tried deleting the user in a PreAuthentication lambda trigger, in an attempt to force the SAML request to recreate the user (as it does on first-time login), but then it throws the error "user doesn't exist after lambda execution", so I assume it's some kind of a pipe and it's already too late in the process to take that approach. I am looking for any solution which does not involve recreating the user pool, unless it will be 100% transparent for my production users, which I believe is totally not possible.

Thanks in advance

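The check the question hinges on, as an added example that is not the poster's code: given a user pool's schema and a SAML provider's attribute mapping, list the mapped destination attributes that are immutable, i.e. the ones Cognito will try, and fail, to update on every federated sign-in after the first. The sample schema and mapping are constructed, and the pool id and provider name in the live check are placeholders.

```python
"""Flag Cognito user-pool attributes that a SAML provider maps to but that are
immutable, which is what makes the second federated sign-in fail.
Added example, not the poster's code; pool id and provider name are placeholders."""

from typing import Dict, List


def immutable_mapped_attributes(schema: List[dict], mapping: Dict[str, str]) -> List[str]:
    """Return the destination attributes from `mapping` (IdP claim -> pool
    attribute) whose schema entry is not mutable. Attributes the schema does
    not list are ignored (custom attributes carry a 'custom:' prefix)."""
    mutability = {attr["Name"]: attr.get("Mutable", False) for attr in schema}
    return sorted(
        dest for dest in set(mapping.values())
        if dest in mutability and not mutability[dest]
    )


# Constructed sample data, shaped like the DescribeUserPool and
# DescribeIdentityProvider responses (SchemaAttributes / AttributeMapping).
SAMPLE_SCHEMA = [
    {"Name": "sub", "Mutable": False, "Required": True},
    {"Name": "email", "Mutable": False, "Required": True},  # the case in the question
    {"Name": "given_name", "Mutable": True, "Required": False},
    {"Name": "family_name", "Mutable": True, "Required": False},
]
SAMPLE_MAPPING = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "email",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "given_name",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "family_name",
}


def check_live_pool(user_pool_id: str, provider_name: str) -> List[str]:
    """Same check against a real pool via boto3 (needs AWS credentials)."""
    import boto3  # imported lazily so the constructed sample runs offline

    idp = boto3.client("cognito-idp")
    schema = idp.describe_user_pool(UserPoolId=user_pool_id)["UserPool"]["SchemaAttributes"]
    mapping = idp.describe_identity_provider(
        UserPoolId=user_pool_id, ProviderName=provider_name
    )["IdentityProvider"].get("AttributeMapping", {})
    return immutable_mapped_attributes(schema, mapping)


if __name__ == "__main__":
    print(immutable_mapped_attributes(SAMPLE_SCHEMA, SAMPLE_MAPPING))  # ['email']
    # check_live_pool("<user-pool-id>", "<saml-provider-name>")  # placeholders
```

Any attribute this reports needs to be either mutable in the pool or dropped from the provider's mapping, since the mapping is what triggers the update on each sign-in.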

There are 0 answers