SSO SAML Assertion Error during Zendesk to Genesys Cloud Migration

Could someone clarify why the SAML assertion fails with InvalidSignature when migrating users from Zendesk to Genesys Cloud via the Admin API? The IdP metadata seems correct, but the login redirect breaks.

  • Verified the EntityID matches the Genesys Cloud SSO configuration exactly.
  • Tested the ACS URL in Postman and received a 200 OK, but the browser session times out.

Using the latest Node.js SDK for the migration script. Any ideas on the signature mismatch?

Make sure you validate the SAML assertion signature against the IdP’s public certificate using the xml-crypto library in Node.js before sending it to Genesys Cloud. The InvalidSignature error usually stems from a mismatch between the certificate used to sign the assertion and the one registered in the Genesys Admin portal.

When running load tests against the SSO endpoint, signature verification failures often get buried in general timeout logs. It helps to isolate the signing step in your JMeter script or Node.js migration logic. Check if the certificate has expired or if the algorithm (RSA-SHA256 vs RSA-SHA1) matches the IdP configuration. Genesys Cloud is strict about this during high-concurrency migrations. Also, verify the ACS URL in the IdP metadata points to the correct region-specific endpoint, not the global one. A common fix is explicitly setting the signature algorithm in the SAML library configuration.
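A pre-flight check for the two mismatches named in the replies above (signing certificate and signature algorithm), added here as an example and not taken from the thread or from any SDK. The function names, the sample response and the placeholder certificate bytes are constructed for illustration; it reports what a response declares and does not verify the signature, which remains the job of a library such as xml-crypto.

```javascript
// Added diagnostic (hypothetical helper names). It compares what a SAML
// response declares with what is registered; it does NOT verify the signature.
const nodeCrypto = require("node:crypto");

const ALGS = {
  "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "RSA-SHA1",
  "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "RSA-SHA256",
};

// SHA-256 fingerprint of the DER bytes; accepts PEM or bare base64.
function fingerprint(cert) {
  const b64 = cert.replace(/-----[^-]+-----/g, "").replace(/\s+/g, "");
  const der = Buffer.from(b64, "base64");
  return nodeCrypto.createHash("sha256").update(der).digest("hex");
}

function inspectSamlSignature(xml, registeredPem, expectedAlg) {
  const alg = /<(?:\w+:)?SignatureMethod[^>]*Algorithm="([^"]+)"/.exec(xml);
  const cert = /<(?:\w+:)?X509Certificate>([^<]+)</.exec(xml);
  const algorithm = alg ? ALGS[alg[1]] || alg[1] : null;
  const findings = [];
  if (!alg) {
    findings.push("no SignatureMethod element: response looks unsigned");
  } else if (algorithm !== expectedAlg) {
    findings.push(`signed with ${algorithm}, expected ${expectedAlg}`);
  }
  if (!cert) {
    findings.push("no embedded X509Certificate to compare");
  } else if (fingerprint(cert[1]) !== fingerprint(registeredPem)) {
    findings.push("embedded certificate differs from the registered one");
  }
  return { algorithm, findings };
}

// Constructed sample input: placeholder bytes, not real certificates.
const certA = Buffer.from("constructed placeholder cert A").toString("base64");
const certB = Buffer.from("constructed placeholder cert B").toString("base64");
const sampleResponse = `<samlp:Response><ds:Signature><ds:SignedInfo>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
</ds:SignedInfo><ds:KeyInfo><ds:X509Data>
<ds:X509Certificate>${certA}</ds:X509Certificate>
</ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>`;
const registeredPem =
  `-----BEGIN CERTIFICATE-----\n${certB}\n-----END CERTIFICATE-----`;

console.log(inspectSamlSignature(sampleResponse, registeredPem, "RSA-SHA256"));
```

Run it against a captured response and the certificate exported from the service provider's SSO settings; an empty `findings` list means the mismatch lies elsewhere, for example in canonicalization or a modified payload.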