diff --git a/ee/server/service/mdm.go b/ee/server/service/mdm.go
index df90777ec9..5fa06297af 100644
--- a/ee/server/service/mdm.go
+++ b/ee/server/service/mdm.go
@@ -15,6 +15,7 @@ import (
 	"sort"
 	"strings"
 
+	"github.com/crewjam/saml"
 	"github.com/fleetdm/fleet/v4/pkg/file"
 	"github.com/fleetdm/fleet/v4/pkg/optjson"
 	"github.com/fleetdm/fleet/v4/server/authz"
@@ -720,6 +721,8 @@ func (svc *Service) InitiateMDMAppleSSO(ctx context.Context, initiator string) (
 	if err != nil {
 		return "", 0, "", ctxerr.Wrap(ctx, err, "failed to create provider from metadata")
 	}
+	// Request the NameID as an email address instead of an unknown type
+	samlProvider.AuthnNameIDFormat = saml.EmailAddressNameIDFormat
 	// originalURL is unused in the Setup Experience initiated MDM flow
 	// however because we need slightly different behavior for account driven
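Review bot: Setting `samlProvider.AuthnNameIDFormat` only puts a NameIDPolicy hint into the AuthnRequest; the IdP is free to ignore it, so nothing here guarantees the NameID in the returned assertion is actually an email address, and the comment reads as if it did. Whatever callback consumes this SSO response (outside this hunk) should check the assertion's NameID `Format` and validate the value as an email before binding an enrolling device or account to it, rather than relying on this request-side setting. I would also reword the comment so the next maintainer does not take it as a guarantee: `// Ask the IdP for an email-address NameID. This is only a policy hint in the AuthnRequest; the callback must still validate the returned NameID format and value.` The body of InitiateMDMAppleSSO continues past the end of this hunk, so the later handling of the provider is not visible here.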