Why does the Genesys Cloud Identity API return a 401 Unauthorized response when validating tokens issued by a Zendesk SAML IdP during a migration batch process?

We are currently migrating user authentication flows from Zendesk Support to Genesys Cloud (EU1 region) using the Genesys Cloud Python SDK v2.5.0. The specific endpoint causing the issue is /api/v2/identity/authorize.

In our Zendesk environment, we had a straightforward SAML assertion flow that mapped user attributes directly to the ticketing system. We attempted to replicate this by configuring a Genesys Cloud External Identity Provider with the same SAML metadata, assuming the token structure would be compatible for initial user provisioning. However, when the migration script sends the SAML assertion from a test Zendesk user to the GC identity endpoint, the response consistently contains the error message Invalid token: Audience restriction mismatch.

We have verified that the aud claim in the SAML response matches the Genesys Cloud client ID exactly, and the certificate fingerprints align. The Zendesk workflow allowed for a more lenient audience validation, whereas Genesys Cloud seems to enforce a strict match that includes the specific tenant domain.

Is there a known limitation in how Genesys Cloud handles SAML assertions from third-party IdPs like Zendesk during bulk user creation, or do we need to implement a custom token exchange microservice to bridge the gap between Zendesk’s SAML output and Genesys Cloud’s expected JWT format? We are trying to avoid building a full custom auth layer if a configuration tweak in the Admin > Security > Identity Providers section can resolve this audience validation strictness.
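The mismatch described above comes down to how a relying party evaluates the AudienceRestriction condition of a SAML assertion. The following Python is an added example, not code from the Genesys Cloud SDK, Genesys Cloud, or Zendesk, and it does not reproduce how either product validates assertions internally. It parses a constructed SAML Response (all issuer, subject, audience and timestamp values are placeholders), checks the validity window, and then applies either a strict audience comparison (exact match, as the SAML specification requires) or a deliberately lenient prefix comparison of the kind the question suggests the old flow tolerated. Running the same assertion through both shows why a bare client ID passes a lenient check but fails a strict one when the service provider expects a tenant-qualified audience value, and the returned message records the audience actually present so the discrepancy can be read from logs instead of guessed.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET
from datetime import datetime

# Standard SAML 2.0 namespace URIs.
NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed sample SAML Response. Issuer, subject, audience and timestamps
# are placeholders; nothing here is taken from a real Zendesk or Genesys
# Cloud deployment. Signature elements are omitted because this example only
# exercises the AudienceRestriction and validity-window checks.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_resp-placeholder" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Assertion ID="_assertion-placeholder" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
    <saml:Subject>
      <saml:NameID>user@example.test</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>client-id-placeholder</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"""


def parse_saml_time(value: str) -> datetime:
    """Parse a SAML UTC timestamp such as 2024-01-01T00:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def extract_audience_restrictions(response_xml: str) -> list[list[str]]:
    """Return one list of Audience values per AudienceRestriction element.

    SAML semantics: every AudienceRestriction must be satisfied, and any one
    Audience inside a given restriction is enough to satisfy that restriction.
    """
    root = ET.fromstring(response_xml)
    restrictions = root.findall(".//saml:Conditions/saml:AudienceRestriction", NS)
    return [
        [(a.text or "").strip() for a in r.findall("saml:Audience", NS)]
        for r in restrictions
    ]


def _strict_match(audiences: list[str], expected: str) -> bool:
    # Exact string comparison, as the SAML specification requires.
    return expected in audiences


def _lenient_match(audiences: list[str], expected: str) -> bool:
    # Prefix tolerance in either direction. Shown only to contrast with the
    # strict rule: it lets a bare client ID satisfy a tenant-qualified audience,
    # which is exactly the leniency a strict relying party refuses.
    return any(a and (expected.startswith(a) or a.startswith(expected)) for a in audiences)


def validate_assertion(response_xml: str, expected_audience: str,
                       now: datetime, strict: bool = True) -> tuple[bool, str]:
    """Check the validity window and audience restriction of the first assertion."""
    root = ET.fromstring(response_xml)
    conditions = root.find(".//saml:Assertion/saml:Conditions", NS)
    if conditions is None:
        return False, "Invalid token: no Conditions element"

    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now < parse_saml_time(not_before):
        return False, "Invalid token: assertion not yet valid"
    if not_on_or_after and now >= parse_saml_time(not_on_or_after):
        return False, "Invalid token: assertion expired"

    restrictions = extract_audience_restrictions(response_xml)
    if not restrictions:
        # Absence of an audience restriction is a finding on its own: the
        # assertion could be replayed against any service provider.
        return False, "Invalid token: no AudienceRestriction present"

    match = _strict_match if strict else _lenient_match
    for audiences in restrictions:
        if not match(audiences, expected_audience):
            return False, (
                "Invalid token: Audience restriction mismatch "
                f"(assertion audiences {audiences}, expected {expected_audience!r})"
            )
    return True, "audience and validity window ok"


if __name__ == "__main__":
    now = parse_saml_time("2024-01-01T00:02:00Z")
    # Hypothetical service-provider expectations; the second includes a tenant qualifier.
    for expected in ("client-id-placeholder", "client-id-placeholder/tenant-placeholder"):
        for strict in (True, False):
            ok, msg = validate_assertion(SAMPLE_RESPONSE, expected, now, strict=strict)
            print(f"expected={expected!r} strict={strict}: {ok} ({msg})")
```

Reading the mismatch message alongside the service provider's configured entity ID or audience value (on Genesys Cloud, the question points at Admin > Security > Identity Providers) is the quickest way to tell whether the IdP is emitting a bare client ID where a tenant-qualified value is expected; the fix belongs on the issuing side, since loosening the relying party's comparison would weaken the protection that audience restriction exists to provide.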