SSO SAML Assertion Error during Zendesk-to-GC Migration

  • Error: 401 Unauthorized - SAML Assertion Invalid: Issuer mismatch on Genesys Cloud v2024-10 (EU-West).
  • Context: Migrating 500+ agents from Zendesk Support to Genesys Cloud CX. Zendesk uses Okta for SSO. We are replicating this flow in GC.
  • Issue: The Zendesk integration worked perfectly because Okta trusted the Zendesk domain. In Genesys Cloud, we configured the SAML settings via the Admin portal, but the login flow fails immediately after redirect from Okta.
  • Details:
      • Okta SAML Response Issuer: https://idp.okta.com.
      • GC Expected Issuer: https://idp.okta.com (verified in Admin > Security > SAML).
      • GC Entity ID: https://login.euw1.genesis.com.
  • Comparison: In Zendesk, the mapping was straightforward: User Email → Zendesk Email. Here, we are trying to map Okta email attribute to GC email. The logs show the assertion arrives, but GC rejects it.
  • Question: Is there a specific claim mapping difference between Zendesk and GC that causes this issuer mismatch, even when the values look identical? We are following the standard GC SSO guide, but it lacks details on Okta-specific quirks.

Check the NameID format in your Okta app settings. Genesys Cloud expects emailAddress, but Zendesk often defaults to persistent. If the issuer mismatch persists, ensure the ACS URL matches exactly: https://login.euw1.genesys.cloud/saml/acs/{org_id}.

Warning: Verify the certificate thumbprint hasn’t rotated in Okta recently.
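
A diagnostic for the checks suggested in the reply above, as an added example that is not part of the original thread and not Genesys or Okta code: it parses a SAML response and compares Issuer, NameID Format and Destination using exact string matching, which is an assumption about how the service provider compares them. The sample response, the `check_response` function and the `_loose` helper are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ACS_URL = "https://login.euw1.genesys.cloud/saml/acs/{org_id}"  # placeholder org id, as in the reply

# Constructed sample, not a captured response: issuer has a trailing slash, NameID is persistent.
SAMPLE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="' + ACS_URL + '">'
    '<saml:Issuer>https://idp.okta.com/</saml:Issuer>'
    '<saml:Assertion><saml:Issuer>https://idp.okta.com/</saml:Issuer>'
    '<saml:Subject><saml:NameID '
    'Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">00u-constructed-id'
    '</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>'
)

def _loose(value):
    """Normalise the differences a human eye skips: whitespace, trailing slash, case."""
    return value.strip().rstrip("/").lower()

def check_response(xml_text, expected_issuer, expected_acs):
    """Return a list of mismatches. Does NOT verify the XML signature or certificate."""
    # Diagnostic for a response you captured yourself; use defusedxml for untrusted XML.
    root = ET.fromstring(xml_text)
    findings = []
    for path in ("saml:Issuer", "saml:Assertion/saml:Issuer"):
        el = root.find(path, NS)
        raw = el.text if el is not None and el.text else ""
        if raw != expected_issuer:  # assumption: the SP compares the strings exactly
            kind = "looks identical" if _loose(raw) == _loose(expected_issuer) else "different value"
            findings.append(f"{path}: {raw!r} vs {expected_issuer!r} ({kind})")
    nameid = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    fmt = nameid.get("Format") if nameid is not None else None
    if fmt != EMAIL_FORMAT:
        findings.append(f"NameID Format: {fmt!r}, expected {EMAIL_FORMAT!r}")
    dest = root.get("Destination")
    if dest != expected_acs:
        findings.append(f"Destination: {dest!r} vs ACS URL {expected_acs!r}")
    return findings

if __name__ == "__main__":
    for finding in check_response(SAMPLE, "https://idp.okta.com", ACS_URL):
        print(finding)
```

To run it against a real login attempt, base64-decode the `SAMLResponse` form field captured in the browser and pass the resulting XML as `xml_text`.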