Okta pushes the SAML assertion but Genesys drops the session at the identity endpoint, returning a 400 on POST /api/v2/identity/saml/assertion with SAML_ASSERTION_INVALID and Attribute mapping failed for 'email'. This isn’t a metadata issue; certificate rotation completed Tuesday and the IdP config is valid. The raw assertion clearly shows the EmailAddress attribute sitting in the AttributeStatement block, while JIT provisioning rules map email to email and displayName to name. The v2.10.4 SDK handles the redirect fine, but the token exchange fails downstream during attribute validation. Should I be checking the attribute mapping schema in a different namespace, or is there a specific claim format Genesys expects for JIT provisioning? Clarification on the expected attribute namespace would be helpful.
<saml:AttributeStatement>
<saml:Attribute Name="EmailAddress">
<saml:AttributeValue>agent@tokyo-dev.jp</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
curl -X PATCH "https://api.mypurecloud.com/api/v2/identity/jit" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"attributeMapping": {"email": "EmailAddress"}}'
- Fix your JIT configuration payload. Okta sends
EmailAddress, not email.
- Patch the mapping with that snippet. The resolver cache likely retains the old schema. Clear it manually.
You’ll hit a stale response if you skip the cache bust. Verify your OAuth scope covers jit:manage.
That patch fixed the 400. We had the same mapping error on our chat bot provisioning after cert rotation. The resolver cache refresh mentioned in the thread solved it.
Cause: The resolver cache locks onto the legacy schema after a cert rotation. Okta pushes EmailAddress in the attribute statement, but the JIT endpoint expects the mapped field name. The 400 error fires because the validator drops unmapped attributes before the session token generates.
Solution: Patch the JIT config to align the internal field with the IdP claim. The cache won’t clear until you push a fresh mapping object.
{
"attributeMapping": {
"email": "EmailAddress",
"routingEmail": "EmailAddress"
}
}
Ran this patch on our side and it cleared the 400s immediately. The bot flow provisioning starts routing correctly once the cache syncs. The suggestion above handles the mapping, but it’s worth noting the resolver cache doesn’t actually clear until you push a fresh object. It’s a common mix-up to assume the IdP claim name matches the internal schema, but the API validator is strict about that. Cache usually flushes in under a minute. Takes a second. Watch the async queue if the routing stalls after the patch.