Encountering a 403 Forbidden response when testing the SAML assertion from our existing Zendesk Identity Provider against the Genesys Cloud SSO endpoint. The error log specifically states: “Invalid Assertion: Issuer mismatch or expired token.” The certificate chain appears valid, and the clock skew is within the 5-minute tolerance window.
In the Zendesk ecosystem, we managed SSO by simply uploading the IdP metadata XML and mapping the user email attribute directly to the external ID. The migration guide for Genesys Cloud suggests a similar approach under Admin > Security > SSO, but the attribute mapping for NameID seems stricter. We are using the default SAML 2.0 profile provided by Zendesk, which worked flawlessly for our support agents previously.
Is there a specific claim transformation required in Genesys Cloud that differs from the standard Zendesk setup? The documentation mentions enabling “Just-in-Time Provisioning” but does not clarify if the email claim must be the primary key. We are currently stuck on the validation step before rolling this out to our Paris team. Any insights on the exact attribute schema expected by the GC SAML consumer would be appreciated.
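The error text quoted above ("Issuer mismatch or expired token") names two of the checks any SAML 2.0 service provider runs on an assertion before it even looks at attribute mapping: the `Issuer` value must match the IdP entity ID registered on the SP side byte-for-byte, and the `Conditions` window must contain the current time (plus or minus the configured skew). The following pre-flight checker is an added example written for this thread; it is not code from the post, from Zendesk, or from Genesys Cloud, and it makes no claim about which attribute names the Genesys Cloud consumer expects. It uses only the Python standard library, parses a constructed sample assertion with placeholder issuer, audience and NameID values, and checks issuer, audience, validity window with a 5-minute skew, and that a non-empty `NameID` is present and consistent with the email attribute. It does not verify the XML signature; it is meant to be run on an assertion that a proper SAML library has already signature-checked, to pinpoint which of the three conditions is failing.

```python
# Added example (not from the original post, Zendesk, or Genesys Cloud).
# Pre-flight checks for the things "Invalid Assertion: Issuer mismatch or
# expired token" can mean. Signature verification is deliberately out of scope.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion with placeholder values (not a real IdP's output).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder-id" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/saml/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">agent@example.test</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:58:00Z" NotOnOrAfter="2024-01-01T12:08:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.test/saml/acs</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>agent@example.test</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def _parse_ts(value):
    # SAML timestamps are xs:dateTime in UTC, e.g. 2024-01-01T12:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, expected_issuer, expected_audience, now,
                    skew=timedelta(minutes=5)):
    """Return a list of human-readable problems; an empty list means all checks passed."""
    problems = []
    root = ET.fromstring(xml_text)

    # 1. Issuer must equal the IdP entity ID registered on the SP, exactly.
    issuer = (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != expected_issuer:
        problems.append(f"issuer mismatch: got {issuer!r}, expected {expected_issuer!r}")

    # 2. Validity window and audience restriction, with clock-skew tolerance.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions element")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < _parse_ts(not_before) - skew:
            problems.append("not yet valid: NotBefore is in the future beyond skew")
        if not_on_or_after and now >= _parse_ts(not_on_or_after) + skew:
            problems.append("expired token: NotOnOrAfter has passed beyond skew")
        audiences = [a.text.strip()
                     for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)
                     if a.text]
        if expected_audience not in audiences:
            problems.append(f"audience mismatch: {audiences!r} does not include {expected_audience!r}")

    # 3. NameID must be present and non-empty; if an email attribute is also
    #    sent, it should agree with NameID so JIT provisioning keys on one identity.
    name_id = root.find("saml:Subject/saml:NameID", NS)
    name_id_text = (name_id.text or "").strip() if name_id is not None else ""
    if not name_id_text:
        problems.append("missing or empty NameID")
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == "email":
            value = (attr.findtext("saml:AttributeValue", default="", namespaces=NS) or "").strip()
            if name_id_text and value and value != name_id_text:
                problems.append(f"email attribute {value!r} differs from NameID {name_id_text!r}")
    return problems


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    for p in check_assertion(SAMPLE_ASSERTION,
                             "https://idp.example.test/saml/metadata",
                             "https://sp.example.test/saml/acs", now):
        print("PROBLEM:", p)
```

To use it on a captured assertion, decode the base64 `SAMLResponse` from the browser's POST to the ACS URL, extract the `Assertion` element, and pass the SP-side entity ID and ACS audience you configured as `expected_issuer` and `expected_audience`; a one-character difference in the issuer string (trailing slash, http vs https) is reported explicitly, which is usually faster than reading the SP's generic 403 message.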