I apologize if this is a basic question, but we’re having trouble with the automatic SAML metadata refresh in our genesyscloud.config.govcloud.com environment - version 9.0.0.GA. It seems the system isn’t correctly validating the certificate chain when it pulls updated metadata from our IdP.
Specifically, the error we see in the Genesys Cloud monitoring dashboard is a “SAML Metadata Refresh Failed - Certificate Validation Error”. The logs, accessed via the Data Security section in Admin, show a message resembling this: java.security.cert.CertPathValidatorException: Unable to find valid certification path to trusted anchor. It’s referencing the root CA certificate - which is definitely present in our trust store, or at least, we think it is.
We’ve configured the metadata URL in the Single Sign-On settings, and it’s working initially - users can authenticate. The issue happens when the IdP rotates the certificate, and the metadata is automatically refreshed, usually after approximately twelve hours.
Our IdP is Azure AD, and we’re using version 1.16.3 of the Genesys Cloud SDK for the SAML configuration. The metadata document includes the intermediate certificate, but perhaps the system isn’t building the complete chain. Is there a setting to force the inclusion of the intermediate certificate, or maybe a way to manually upload the full chain?
We’re attempting to meet PCI-DSS compliance requirements around access control, and a failed SSO flow introduces risk. The SOC2 audit is also concerned about automated process failures. It’s unclear if this is a bug, or if we are missing a step in the configuration process. The documentation mentions certificate requirements, but it’s a bit vague on the chain order. Can anyone confirm if the metadata document must be ordered root-intermediate-leaf? Or is that handled automatically by the system?
The logs aren’t showing which specific certificate is failing validation, just the generic error message. Perhaps there’s a more verbose logging option?