Okta OIDC Login in vCenter 9.x Fails with Access Denied User Not Found
Article ID: 440397


Products

VCF Operations

Issue/Introduction

  • VCF Operations Identity Source is configured with Okta, and OIDC as the authentication method.  

  • Login to vCenter with an Okta account fails with the error: "Access denied. Unable to authenticate the user".

  • The federation service log on the Identity Broker appliance shows that OIDC authentication succeeds, but the subsequent lookup of the user in the backend directory fails with USER_NOT_FOUND:

    /vidb-bundle/services-logs/vidb-external/idb-appliance/vidb-service/federation-service/file.log:

yyyy-mm-ddThh:mm:ss INFO  vidb-service-####:federation (federation-business-pool-0)  com.vmware.vidm.federation.utils.MetricsPublisherUtil - OIDC authentication successful 
yyyy-mm-ddThh:mm:ss INFO  vidb-service-####:federation (federation-business-pool-0)  com.vmware.vidm.federation.login.processor.AuthResponseUserResolver - Fetching user for jit login context: 898f3c9c-8385-4cd1-8e65-55469e40d480 on attribute [email protected], domains: [labs.domain.com] 
yyyy-mm-ddThh:mm:ss WARN  vidb-service-####:federation (ForkJoinPool-2-worker-20874) com.vmware.vidm.federation.login.processor.AuthResponseUserResolver - User fetching exception with nameId [email protected], nameIdFormat userName, and domains [labs.domain.com], user not found 
yyyy-mm-ddThh:mm:ss INFO  vidb-service-####:federation (federation-business-pool-0)  com.vmware.vidm.federation.login.LoginEventServiceAspect - Failing login. contextUuid: 898f3c9c-8385-4cd1-8e65-55469e40d480, exception: com.vmware.vidm.federation.login.AccessDeniedException: Access denied with reason code: USER_NOT_FOUND, isAuthenticationForced: false 
yyyy-mm-ddThh:mm:ss INFO  vidb-service-####:federation (federation-business-pool-0)  com.vmware.vidm.federation.utils.MetricsPublisherUtil - Login failed due to reason: USER_NOT_FOUND 
yyyy-mm-ddThh:mm:ss INFO  vidb-service-####:federation (federation-business-pool-0)  com.vmware.vidm.federation.idp.IdentityProviderService - active Idps are being fetched from DB since they are not present in cache 
yyyy-mm-ddThh:mm:ss INFO  vidb-service-####:federation (federation-business-pool-0)  com.vmware.vidm.federation.exception.handler.LoginExceptionHandler - Access denied for login context: 898f3c9c-8385-4cd1-8e65-55469e40d480  

Environment

VMware Cloud Foundation 9.x
VMware vCenter Server 9.x
Okta OIDC Identity Provider

Cause

The issue is an OIDC claim mismatch. After Okta authenticates the user, the Identity Broker takes the value of the claim selected as the unique identifier (for example preferred_username) and looks it up, as an exact string match, in the attribute selected as the unique identifier on the VCF side (userName by default) within the domains mapped to the Active Directory/LDAP directory. Okta sends the identifier with its domain suffix (for example VMware.user@labs.domain.com), while the directory stores the logon name without the suffix (VMware.user). No userName in the directory equals the full value, so the broker logs "user not found" and denies the login with reason code USER_NOT_FOUND, even though the "OIDC authentication successful" line shows the token itself was accepted.

To see which value Okta actually places in the claim, test the authorization server configuration: https://help.okta.com/oie/en-us/content/topics/security/api-config-test.htm

Resolution

To resolve this issue, apply one of the following options so that the claim value in the token and the directory attribute the broker matches against use the same form:

Option 1: Modify the Okta Application Configuration (Recommended)

  1. Log into your Okta Admin Console.

  2. Open the application used for VCF/vCenter and locate the claim that is mapped to "Unique Identifier in OIDC Identity Provider" (e.g., preferred_username).

  3. Change the claim so that it sends only the username prefix (e.g., VMware.user) without the @domain.com suffix. The claim value then matches the userName stored in the AD/LDAP directory configured as the identity source on VCF.

  4. Save the configuration and retry the vCenter login.

Option 2: Modify the VCF Identity Broker Configuration

  1. Log into the vSphere Client or VCF Operations UI.

  2. Navigate to Administration > Identity Providers.

  3. Edit the Okta Identity Provider configuration.

  4. Change the "Unique Identifier in VCF Identity Broker" setting from userName to the user's email address, so that the broker matches the full claim value against the directory email attribute instead of the logon name.

  5. Save the configuration and retry the vCenter login.
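The following Python script is an added example, not code from the Broadcom article or from the VCF Identity Broker. It parses the "user not found" and "Failing login" lines from a federation-service file.log in the format shown above, flags the pattern described under Cause (lookup by userName with a claim value that still carries an @domain suffix), and then models the broker's directory lookup against a small constructed directory to show why the login fails as logged and why each of the two options above makes it succeed. The log lines, the directory contents, the attribute names "userName" and "mail", and the case-insensitive comparison are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the federation-service file.log format quoted in this
# article. The nameId, domain and timestamps are made up for the example.
SAMPLE_LOG = """\
2025-01-01T10:00:00 INFO  vidb-service-1234:federation (federation-business-pool-0)  com.vmware.vidm.federation.utils.MetricsPublisherUtil - OIDC authentication successful
2025-01-01T10:00:00 INFO  vidb-service-1234:federation (federation-business-pool-0)  com.vmware.vidm.federation.login.processor.AuthResponseUserResolver - Fetching user for jit login context: 898f3c9c-8385-4cd1-8e65-55469e40d480 on attribute vmware.user@labs.domain.com, domains: [labs.domain.com]
2025-01-01T10:00:00 WARN  vidb-service-1234:federation (ForkJoinPool-2-worker-20874) com.vmware.vidm.federation.login.processor.AuthResponseUserResolver - User fetching exception with nameId vmware.user@labs.domain.com, nameIdFormat userName, and domains [labs.domain.com], user not found
2025-01-01T10:00:00 INFO  vidb-service-1234:federation (federation-business-pool-0)  com.vmware.vidm.federation.login.LoginEventServiceAspect - Failing login. contextUuid: 898f3c9c-8385-4cd1-8e65-55469e40d480, exception: com.vmware.vidm.federation.login.AccessDeniedException: Access denied with reason code: USER_NOT_FOUND, isAuthenticationForced: false
"""

LOOKUP_RE = re.compile(
    r"User fetching exception with nameId (?P<name_id>\S+), "
    r"nameIdFormat (?P<fmt>\w+), and domains \[(?P<domains>[^\]]*)\], user not found"
)
REASON_RE = re.compile(r"contextUuid: (?P<ctx>[0-9a-f-]+),.*reason code: (?P<reason>[A-Z_]+)")


@dataclass
class FailedLookup:
    name_id: str            # claim value the broker searched for
    name_id_format: str     # directory attribute it matched against (e.g. userName)
    domains: List[str]      # directory domains that were searched
    reason: Optional[str] = None
    context: Optional[str] = None


def parse_failed_lookups(log_text: str) -> List[FailedLookup]:
    """Pair each 'user not found' lookup with the reason code logged for that login."""
    failures: List[FailedLookup] = []
    for line in log_text.splitlines():
        m = LOOKUP_RE.search(line)
        if m:
            domains = [d.strip() for d in m["domains"].split(",") if d.strip()]
            failures.append(FailedLookup(m["name_id"], m["fmt"], domains))
            continue
        r = REASON_RE.search(line)
        if r and failures and failures[-1].reason is None:
            failures[-1].reason = r["reason"]
            failures[-1].context = r["ctx"]
    return failures


def suspect_suffix_mismatch(f: FailedLookup) -> bool:
    """The pattern this article describes: matched on userName, but the claim value
    still carries an @domain suffix, so no directory logon name can equal it."""
    return f.reason == "USER_NOT_FOUND" and f.name_id_format == "userName" and "@" in f.name_id


# Constructed stand-in for the AD/LDAP directory mapped to the domain. The attribute
# names are assumptions; the real mapping is configured in the VCF identity source.
DIRECTORY = {
    "labs.domain.com": [
        {"userName": "VMware.user", "mail": "vmware.user@labs.domain.com"},
    ],
}


def resolve_user(claim_value: str, lookup_attribute: str, domains: List[str], directory=DIRECTORY):
    """Model of the broker lookup: exact match (case-insensitive, an assumption here)
    of the claim value against one attribute, within the configured domains only."""
    for domain in domains:
        for entry in directory.get(domain, []):
            if entry.get(lookup_attribute, "").lower() == claim_value.lower():
                return entry
    return None  # the broker reports this as USER_NOT_FOUND


def strip_domain_suffix(claim_value: str) -> str:
    """Option 1, modelled: Okta emits only the prefix of the identifier."""
    return claim_value.split("@", 1)[0]


def fix_option1(f: FailedLookup):
    """Claim changed to the bare username; broker still matches on userName."""
    return resolve_user(strip_domain_suffix(f.name_id), "userName", f.domains)


def fix_option2(f: FailedLookup):
    """Claim unchanged; broker changed to match on the email attribute."""
    return resolve_user(f.name_id, "mail", f.domains)


if __name__ == "__main__":
    for f in parse_failed_lookups(SAMPLE_LOG):
        print(f, "-> suffix mismatch" if suspect_suffix_mismatch(f) else "-> other cause")
        print("as logged:", resolve_user(f.name_id, f.name_id_format, f.domains))
        print("option 1 :", fix_option1(f))
        print("option 2 :", fix_option2(f))
```

Run it against the real file.log instead of SAMPLE_LOG to list every failed login with the nameId and nameIdFormat the broker used; a nameId containing "@" alongside nameIdFormat userName is the signature of this article's cause, whereas a bare username that is still not found points at a domain mapping or directory sync problem rather than the claim format.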

Additional Information

Configure VCF SSO with modern identity provider for authentication and AD/LDAP for user-group provisioning - https://knowledge.broadcom.com/external/article?articleId=386870