I've been using SAML identity federation on my Userpool which has a hosted SignIn page. I configured both the Azure Active Directory and cognito userpool so I can log in with an AD user. I have added multiple SAML providers similar manner and that works without an issue. The problem occurs when I use Identifiers attribute which is used to login to the corresponding IDP by extracting the domain name from the email. I followed this documentation. This is how it looks in the AWS console.
Now when I try to login with an AD user email it gives me Login not allowed error. It worked well when I don't use this identifiers optional parameter.
Can someone help me to resolve this issue?