Invalid User Attribute Email with AWS Cognito
I'm currently using AWS Cognito and Google Workspace as an IdP. However, I can't seem to get my grant/token once I authenticate with Google. I also couldn't find any instructions specific to Google Workspace, so I just used these values from other IdP documentation from AWS.

ACS URL: https://XXX.auth.us-east-1.amazoncognito.com/saml2/idpresponse

URN/Entity ID: urn:amazon:cognito:sp:us-east-1_1GWXXXXX

Error Code: Error+in+SAML+response+processing%3A+Invalid+user+attributes%3A+email%3A+The+attribute+is+required+&error=server_error

These are my SAML Mapping and Name ID settings from Google Workspace:

[image: Google Workspace SAML attribute mapping]

[image: Google Workspace Name ID setting]

Then this is my AWS attribute mapping:

[image: AWS Cognito attribute mapping]

Is there something I'm missing?

Irresolution answered 22/1, 2022 at 23:9

Comment: Did you manage to get a resolution here? (Saez)

I was running into the same issue (with Azure AD). I had no access to the Azure AD / application setup. By recording the SAML Response between the IdP and Cognito I found out the email was mapped to a different attribute name. I expected the official http://schemas.microsoft.com/identity/claims/email (which is also listed in the metadata.xml), but the SAML response contained only UserPrincipalName and Mail. Hope this helps.

Chrome Extension for recording SAML messages: https://chrome.google.com/webstore/detail/saml-message-decoder/mpabchoaimgbdbbjjieoaeiibojelbhm?hl=en

Renie answered 2/5, 2023 at 10:29
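A small diagnostic in the spirit of the answer above, added here and not part of the original post: it decodes a base64 SAMLResponse (the value the recorder extension shows you), lists the attribute Names the IdP actually sent, and reports which Cognito-mapped attributes would be missing, which is exactly the condition behind the "Invalid user attributes: email: The attribute is required" error. The sample response, the `Mail`/`UserPrincipalName` names and the `jdoe@example.com` value are constructed for illustration; the claim URI is the one quoted in the answer.

```python
import base64
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used by the Response and Assertion elements
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

def saml_attributes(saml_response_b64):
    """Decode a base64 SAMLResponse and return {Attribute Name: [values]} from
    every AttributeStatement. Diagnostic only: signatures are not verified here."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs

def missing_mapped_attributes(attrs, mapping):
    """mapping is {Cognito user-pool attribute: SAML attribute Name configured in
    the Cognito attribute mapping}. Returns the Cognito attributes whose mapped
    SAML attribute is absent or has no non-empty value, i.e. the ones Cognito
    rejects as 'Invalid user attributes: <name>: The attribute is required'."""
    return [pool_attr for pool_attr, saml_name in mapping.items()
            if not any(attrs.get(saml_name, []))]

# Constructed sample response (not a real capture): the IdP sends the email as
# "Mail"/"UserPrincipalName" rather than under the claim URI listed in its metadata.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="UserPrincipalName"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

# The mapping the question expected vs. one that matches what the IdP actually sends
EXPECTED_MAPPING = {"email": "http://schemas.microsoft.com/identity/claims/email"}
FIXED_MAPPING = {"email": "Mail"}

if __name__ == "__main__":
    attrs = saml_attributes(SAMPLE_B64)
    print("attributes in response:", sorted(attrs))
    print("missing with expected mapping:", missing_mapped_attributes(attrs, EXPECTED_MAPPING))
    print("missing with fixed mapping:", missing_mapped_attributes(attrs, FIXED_MAPPING))
```

If the value you copy from the browser is URL-encoded (contains `%2B`, `%3D`), run it through `urllib.parse.unquote` before passing it to `saml_attributes`.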
