Caddy v2.9.1 downloaded from caddyserver, adding caddy-security module
Hi, I'm trying to set up very simple SAML authentication (I don't care about authorization at the moment; if you can authenticate, you're in). I go to /whoami and, as expected, get a redirect to /login.
When I auth at the IdP (CyberArk), I can see the right stuff come back using SAML-tracer, but I get an "unauthorized" error, with this in the log: WARN security Authentication failed {"session_id": "ewpdEUJ4qEOBRgMVYAUDJddHjVTQQ1rQR8Mnmg5agrJ", "request_id": "0fe85434-3cff-4632-9e76-9d8a3e006230", "error": "SAML authorization failed, mandatory email attribute not found: map[]"}
I'm a bit lost at this point. I've tried to add attributes and verify they're in the claim: email, Email, emailaddress, mail. Even with all of them, the same error persists.
The docs on SAML are a bit sparse; I just tried to edit the example config for JumpCloud. Am I missing something else that's needed for a simple SAML login?
If it's helpful, here's my masked Caddyfile:
{
    debug
    http_port 8088
    order authenticate before respond
    #order authorize before basicauth
    security {
        saml identity provider myrealm {
            realm myrealm
            driver generic
            idp_metadata_location {env.HOME}/.local/caddy/idpmetadata.xml
            idp_sign_cert_location {env.HOME}/.local/caddy/idpcert.pem
            idp_login_url https://blabla.my.idaptive.app/applogin/appKey/MASKEDMASKEDMASKED/customerId/ABC123
            application_name "SAML"
            entity_id "MASKEDMASKEDMASKED"
            acs_url https://192.168.1.1:8443/saml/myrealm
        }
        authentication portal myportal {
            crypto default token lifetime 3600
            crypto key sign-verify {env.JWT_SHARED_KEY}
            enable identity provider myrealm
            cookie domain myrealm.com
            ui {
                links {
                    "Main Site" https://192.168.1.1:8443/ icon "las la-star"
                    "My Identity" "/whoami" icon "las la-user"
                }
            }
            transform user {
                match realm myrealm
                action add role authp/user
            }
        }
        authorization policy mypolicy {
            set auth url https://192.168.1.1:8443/saml/myrealm
            set user identity Subject
            allow any log debug
        }
    }
}
(tls_config) {
    tls {$HOME}/.local/caddy/server.crt {$HOME}/.local/caddy/server.key
}
192.168.1.1:8443 {
    import tls_config
    authenticate with myportal
}
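The log line above ends in `map[]`, i.e. the module built an empty attribute map from the assertion it received. The quickest way to see what actually arrived is to decode the `SAMLResponse` form field (the same document SAML-tracer shows) and list the `AttributeStatement` by name. The Go program below is an added example for doing that; it is not the poster's code and not part of caddy-security. Its two SAML responses are constructed for the example (the NameID `jane@example.test`, the `mail` and `groups` attributes, and the IDs are made up), and the list of candidate email attribute names in `emailNames` is this example's own guess (the names from the post plus the LDAP OID and WS-Federation claim URI for mail), not a statement of what caddy-security looks for. The parser deliberately does no signature verification, so it is for diagnosis only.

```go
package main

import (
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"strings"
)

// Only the parts of a SAML 2.0 Response needed to list what the IdP sent.
type samlResponse struct {
	XMLName   xml.Name       `xml:"urn:oasis:names:tc:SAML:2.0:protocol Response"`
	Assertion *samlAssertion `xml:"Assertion"` // nil when absent or EncryptedAssertion
}

type samlAssertion struct {
	NameID     string          `xml:"Subject>NameID"`
	Attributes []samlAttribute `xml:"AttributeStatement>Attribute"`
}

type samlAttribute struct {
	Name   string   `xml:"Name,attr"`
	Values []string `xml:"AttributeValue"`
}

// Constructed sample responses (not real IdP output). withAttrs carries an
// AttributeStatement; noAttrs has a Subject only, which yields an empty map.
const withAttrs = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2025-01-01T00:00:00Z">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2025-01-01T00:00:00Z">
    <saml:Subject><saml:NameID>jane@example.test</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"><saml:AttributeValue>jane@example.test</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>staff</saml:AttributeValue><saml:AttributeValue>admins</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>`

const noAttrs = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0" IssueInstant="2025-01-01T00:00:00Z">
  <saml:Assertion ID="_a2" Version="2.0" IssueInstant="2025-01-01T00:00:00Z">
    <saml:Subject><saml:NameID>jane@example.test</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>`

// decodeSAMLResponse turns the HTTP-POST form field back into XML; any
// whitespace inserted into the field by the browser or a tracer is dropped.
func decodeSAMLResponse(formValue string) ([]byte, error) {
	return base64.StdEncoding.DecodeString(strings.Join(strings.Fields(formValue), ""))
}

// extractAttributes returns the NameID and a name -> values map, the shape the
// SP log prints as "map[...]". No signature check: diagnosis only, never auth.
func extractAttributes(doc []byte) (string, map[string][]string, error) {
	var r samlResponse
	if err := xml.Unmarshal(doc, &r); err != nil {
		return "", nil, err
	}
	if r.Assertion == nil {
		return "", nil, fmt.Errorf("no plaintext Assertion (absent or EncryptedAssertion)")
	}
	attrs := make(map[string][]string, len(r.Assertion.Attributes))
	for _, a := range r.Assertion.Attributes {
		attrs[a.Name] = append(attrs[a.Name], a.Values...)
	}
	return r.Assertion.NameID, attrs, nil
}

// emailNames is this example's guess at where an email might live: the names
// tried in the post plus the LDAP OID and WS-Fed claim URI for mail.
var emailNames = []string{
	"email", "mail", "emailaddress",
	"urn:oid:0.9.2342.19200300.100.1.3",
	"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
}

// findEmail reports the first non-empty value under a candidate name (case-insensitive).
func findEmail(attrs map[string][]string) (string, bool) {
	for name, vals := range attrs {
		for _, want := range emailNames {
			if strings.EqualFold(name, want) && len(vals) > 0 && vals[0] != "" {
				return vals[0], true
			}
		}
	}
	return "", false
}

func main() {
	for _, sample := range []string{withAttrs, noAttrs} {
		// Simulate the POST binding: the IdP base64-encodes the XML into SAMLResponse.
		doc, err := decodeSAMLResponse(base64.StdEncoding.EncodeToString([]byte(sample)))
		if err != nil {
			fmt.Println("decode:", err)
			continue
		}
		nameID, attrs, err := extractAttributes(doc)
		if err != nil {
			fmt.Println("parse:", err)
			continue
		}
		email, ok := findEmail(attrs)
		fmt.Printf("NameID=%q attrs=%v email=%q found=%v\n", nameID, attrs, email, ok)
	}
}
```

Paste the raw `SAMLResponse` value from the tracer into `decodeSAMLResponse` in place of the constructed samples. If the map comes back empty or the assertion parses as `EncryptedAssertion`, the problem is on the IdP side of the mapping, regardless of which names the SP is configured to accept; if the attribute is present under a name the SP does not recognise, the name is what needs to change.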