Why does this setting block the Zendesk SSO redirect in Genesys Cloud?
We are migrating our authentication flow from Zendesk to Genesys Cloud. The goal is to maintain a seamless login experience. In Zendesk, the SAML assertion triggers an immediate redirect. In Genesys Cloud, the user lands on the login screen and is asked for credentials again. This breaks the single sign-on promise we had with Zendesk.
The error in the browser console is a 403 Forbidden on the /api/v2/oauth/token endpoint. The error_description says “invalid_scope”. We have mapped the Zendesk groups to Genesys Cloud roles. The SAML certificate is valid. The clock skew is within limits.
Here is the current SAML configuration in Genesys Cloud:
saml_config:
  issuer: "https://accounts.zendesk.com"
  assertion_consumer_service_url: "https://genesys.cloud.com/oauth/saml"
  name_id_format: "urn:oasis:names:tc:saml:1.1:nameid-format:emailAddress"
  scopes:
    - "openid"
    - "profile"
    - "email"
    - "phone"
The Zendesk side sends the email as the NameID. Genesys Cloud should recognize this. Is there a specific setting in the Genesys Cloud security profile that needs to be enabled? We are following the migration guide, but the SSO still fails. Any help would be appreciated.
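A small diagnostic helper for the "invalid_scope" error described above. It is an added example, not part of the original post and not Genesys Cloud or Zendesk code. It parses a token-endpoint error body in the RFC 6749 section 5.2 format and reports which of the requested scopes are absent from the scopes the OAuth client is registered for. The requested list is the one in the posted saml_config; the registered list and the 403 body are constructed for illustration and would in practice come from the client's registration and from the real response.

```python
"""Diagnose an OAuth token-endpoint "invalid_scope" error by diffing the
scopes a SAML config requests against the scopes the client is registered for.

Added example, not the original post's code and not a vendor API. The
registered-scope set and the error body are constructed for illustration.
"""
import json

# Requested scopes, copied from the saml_config posted in the question.
REQUESTED_SCOPES = ["openid", "profile", "email", "phone"]

# ASSUMPTION: the scopes the OAuth client was registered with. Constructed
# for the example; take the real list from the client's registration.
REGISTERED_SCOPES = {"openid", "profile", "email"}

# Constructed 403 body in the RFC 6749 section 5.2 error format.
SAMPLE_ERROR_BODY = json.dumps({
    "error": "invalid_scope",
    "error_description": "The requested scope is invalid, unknown, or malformed.",
})


def parse_oauth_error(body: str) -> dict:
    """Parse a token-endpoint error body into error and error_description.

    A non-JSON body is reported as 'unparseable' rather than raising, so the
    helper also copes with an HTML error page returned by a proxy.
    """
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return {"error": "unparseable", "error_description": body[:200]}
    if not isinstance(data, dict):
        return {"error": "unparseable", "error_description": body[:200]}
    return {
        "error": str(data.get("error", "unknown")),
        "error_description": str(data.get("error_description", "")),
    }


def unsupported_scopes(requested, registered) -> list:
    """Scopes present in the request but missing from the registration.

    Request order is preserved so the report reads like the config file.
    """
    registered = set(registered)
    return [scope for scope in requested if scope not in registered]


def diagnose(body: str, requested, registered) -> dict:
    """Combine the parsed error with the scope diff into one report.

    The scope diff is only meaningful for invalid_scope, so other errors
    (invalid_client, invalid_grant, ...) leave 'unsupported' empty.
    """
    err = parse_oauth_error(body)
    report = {
        "error": err["error"],
        "description": err["error_description"],
        "unsupported": [],
    }
    if err["error"] == "invalid_scope":
        report["unsupported"] = unsupported_scopes(requested, registered)
    return report


if __name__ == "__main__":
    # With the constructed inputs, "phone" is the scope the client lacks.
    print(json.dumps(diagnose(SAMPLE_ERROR_BODY, REQUESTED_SCOPES,
                              REGISTERED_SCOPES), indent=2))
```

Run it against the real 403 body and the client's actual registered scopes; any scope it lists is one the token endpoint will refuse regardless of how the SAML assertion or NameID is configured, so that list is the first thing to reconcile before looking further at the SAML side.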