Error: "Access denied. Unable to authenticate the user." after configuring Okta in vCenter 8
Article ID: 421575

Products

VMware vCenter Server

Issue/Introduction

After configuring Okta for two-factor authentication (2FA) in vCenter Server 8, users are unable to log in. The login attempt fails with an error message referencing "Workspace One," even though Workspace One is not integrated into the infrastructure.

The following error is observed during the login attempt:

Access denied. Unable to authenticate the user.
  • Symptom: Login fails immediately after configuration.
  • Error: References Workspace One or displays access denied messages.
  • Configuration: Okta configured without System for Cross-domain Identity Management (SCIM).

Environment

VMware vCenter Server 8.x

Cause

This issue occurs because the required System for Cross-domain Identity Management (SCIM) configuration is missing.

For vCenter Server 8, using SCIM is a documented requirement when configuring vCenter to use Okta as a federated authentication source. As stated in the product documentation: "Okta must also be able to connect with vCenter Server to send user and group data for the SCIM provisioning."

Resolution

To resolve this issue, you must configure SCIM provisioning. Alternatively, you may upgrade to a version that supports other provisioning methods.

Option 1: Configure SCIM Provisioning (Recommended for vCenter 8)

  1. Update your Okta configuration to enable SCIM provisioning.
  2. Ensure Okta can connect to vCenter Server to send user and group data.
  3. Follow the detailed steps in the product documentation: Configure vCenter Server Identity Provider Federation for Okta Authentication.
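Before retrying the login, it is worth confirming that Okta has actually pushed the affected user and its groups to vCenter's SCIM user store. The following is an added example, not code from the KB article or from VMware/Okta: it parses a SCIM 2.0 ListResponse (such as one returned by the vCenter SCIM `/Users` endpoint; the URL and token are not shown here) and classifies why a federated login for a given user may fail. The sample response is constructed.

```python
import json
from typing import Optional

# Constructed sample of a SCIM 2.0 ListResponse, shaped like what a /Users
# query against the vCenter SCIM endpoint returns after Okta provisioning.
# The users, ids and group names are hypothetical.
SAMPLE_USERS_RESPONSE = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 2,
    "Resources": [
        {"id": "u-1", "userName": "alice@example.com", "active": True,
         "groups": [{"value": "g-1", "display": "vsphere-admins"}]},
        {"id": "u-2", "userName": "bob@example.com", "active": False,
         "groups": []},
    ],
})

LIST_RESPONSE_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def find_user(list_response: str, user_name: str) -> Optional[dict]:
    """Return the SCIM user whose userName matches (case-insensitive), or None."""
    body = json.loads(list_response)
    if LIST_RESPONSE_SCHEMA not in body.get("schemas", []):
        raise ValueError("not a SCIM 2.0 ListResponse")
    for user in body.get("Resources", []):
        if user.get("userName", "").lower() == user_name.lower():
            return user
    return None


def provisioning_status(list_response: str, user_name: str) -> str:
    """Classify the provisioning state behind a failed federated login.

    'missing'   - Okta never pushed the user: SCIM provisioning is not working
    'inactive'  - the user was pushed but is deactivated in the SCIM store
    'no-groups' - pushed and active, but no group memberships were sent
    'ok'        - user and at least one group are present
    """
    user = find_user(list_response, user_name)
    if user is None:
        return "missing"
    if not user.get("active", False):
        return "inactive"
    if not user.get("groups"):
        return "no-groups"
    return "ok"


if __name__ == "__main__":
    for name in ("alice@example.com", "bob@example.com", "carol@example.com"):
        print(f"{name}: {provisioning_status(SAMPLE_USERS_RESPONSE, name)}")
```

A result of `missing` for every user who cannot log in is consistent with the cause described above: no SCIM data has reached vCenter, so there is no local user to match the federated identity against.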

Option 2: Upgrade to vCenter Server 9

If SCIM is not preferred, upgrade to vCenter Server 9 (VCF 9.0 and later). This version supports Just-In-Time Provisioning (JIT) or Active Directory/Lightweight Directory Access Protocol (AD/LDAP) as the local user store for both SAML and OIDC.

  1. Upgrade your environment to vCenter Server 9.
  2. In the User/Group Provisioning Method screen during configuration, select your preferred mode (JIT or AD/LDAP).
  3. For configuration details, see Configure Okta as an Identity Provider.