Okta SCIM 2.0 connector test fails with "404 Resource Not Found" when integrating Okta with vCenter Server

Article ID: 423123

Products

VMware vCenter Server

Issue/Introduction

When configuring Okta as an external Identity Provider for vCenter Server using SCIM 2.0 provisioning, the SCIM connector test fails with “404 Resource Not Found” in Okta. As a result, administrators are unable to complete the SCIM connector setup, preventing user and group provisioning into vCenter.

The error occurs during Step 2 – Create the SCIM 2.0 Application and Push Users and Groups to vCenter Server, as described in the KB article How to Enable Okta for vCenter Server.

Environment

VMware vCenter Server 8.0 U3x 

Cause

The Okta SCIM connector was configured to send provisioning requests to the base SCIM endpoint:

/usergroup/t/<TENANT>/scim/v2/

This endpoint does not accept provisioning operations and is not intended to be called directly. As a result, vCenter correctly returned HTTP 404 – Resource Not Found.

vCenter expects SCIM provisioning requests to be sent to resource-specific endpoints, such as:

  • /usergroup/t/<TENANT>/scim/v2/Users

  • /usergroup/t/<TENANT>/scim/v2/Groups

Because the connector was calling an unsupported endpoint, the SCIM connector test failed even though:

  • The SCIM service was active

  • The tenant URL was correct

  • Authentication and network connectivity were functioning

Additionally, during manual testing, the SCIM payload used was not a valid SCIM user object, which prevented successful provisioning even when the correct endpoint was reached.

Observed log entries such as the following were also present but not directly related to the 404 error:

"Authorize request failed with error access_denied: User is not assigned to the client application"

These messages are associated with the OIDC/SSO authentication flow and are separate from the SCIM endpoint behavior.

Resolution

Ensure that the Okta SCIM connector is configured to send provisioning requests to the correct SCIM resource endpoints instead of the base SCIM path.

Correct Endpoint Usage:

  • /usergroup/t/<TENANT>/scim/v2/Users

  • /usergroup/t/<TENANT>/scim/v2/Groups

Do not send provisioning requests to:

  • /usergroup/t/<TENANT>/scim/v2/

Validation Steps:

  1. Update the Okta SCIM connector configuration to target the correct resource endpoints.

  2. Validate that the SCIM payload conforms to the SCIM 2.0 schema expected by vCenter.

  3. Re-test the SCIM connector configuration in Okta.

  4. Once the connector test succeeds, proceed with assigning users and groups to the SCIM application in Okta.

Manual testing using tools such as Postman against the correct endpoints should return a valid response, confirming that the SCIM service is reachable and operational.
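
The following pre-flight check is an added example, not code from this article or from VMware or Okta. It covers the two causes described above: a request aimed at the base SCIM path instead of a resource endpoint, and a manual test payload that is not a valid SCIM user object. The function names, the host vcenter.example.com and the tenant EXAMPLE_TENANT are constructed for illustration, and the payload check covers only the RFC 7643 core minimum (the User schema URN and userName); vCenter may require further attributes listed in the SCIM documentation linked under Additional Information.

```python
import json
import re
from urllib.parse import urlparse

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
# Path layout as given in the article; the tenant segment varies per deployment.
SCIM_PATH = re.compile(r"^/usergroup/t/[^/]+/scim/v2(?:/(?P<rest>.*))?$")


def classify_endpoint(url):
    """Return 'Users', 'Groups', 'base' or 'unknown' for a SCIM request URL."""
    match = SCIM_PATH.match(urlparse(url).path)
    if not match:
        return "unknown"
    rest = (match.group("rest") or "").strip("/")
    if not rest:
        return "base"  # the path the article says returns 404
    head = rest.split("/")[0]  # also accepts /Users/<id> and /Groups/<id>
    return head if head in ("Users", "Groups") else "unknown"


def check_user_payload(raw):
    """Return a list of problems; an empty list means the core minimum is met."""
    try:
        obj = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(obj, dict):
        return ["top level must be a JSON object"]
    problems = []
    schemas = obj.get("schemas")
    if not isinstance(schemas, list) or USER_SCHEMA not in schemas:
        problems.append(f"'schemas' must be a list containing {USER_SCHEMA}")
    user_name = obj.get("userName")  # SCIM attribute names are camelCase
    if not isinstance(user_name, str) or not user_name.strip():
        problems.append("'userName' is required and must be a non-empty string")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    base = "https://vcenter.example.com/usergroup/t/EXAMPLE_TENANT/scim/v2/"
    for url in (base, base + "Users", base + "Groups"):
        print(f"{classify_endpoint(url):8} {url}")
    bad = '{"username": "jdoe", "email": "jdoe@example.com"}'
    good = json.dumps({"schemas": [USER_SCHEMA], "userName": "jdoe@example.com"})
    print(check_user_payload(bad))
    print(check_user_payload(good))
```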

Additional Information

VMware Identity Broker SCIM 2.0 API documentation (including supported endpoints and payload schemas):
https://developer.broadcom.com/xapis/vmware-identity-broker/latest/scim2/

The SCIM documentation section describes:

  • Supported SCIM resource types (Users, Groups)

  • Required and optional SCIM attributes

  • Supported SCIM operations

The same portal also provides a full list of supported public VMware Identity Broker APIs.