Once a user successfully authenticates with Duo SSO our services starts to generate a SAMLResponse to send back to Palo Alto. The NameID value is a value that always gets returned in that response that shows who the user is.
By default Duo SSO for named applications uses something called Bridge Attributes. You can see what values we are automatically trying to map for your identity provider for Palo Alto here. You can follow the instructions on that docs page to change the “Email” section to use a different attribute.
The way that attributes mapping works in Duo SSO is that whatever is listed under “Custom Attributes” gets looked up by Duo SSO during authentication. We either do this “just in time” against Active Directory or use the list of attributes that were sent to us in the SAMLResponse from a SAML IdP.