<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeKnowledge Base
Resolving Okta SCIM Provisioning Error "Unauthorized" With OneTrust
Jun 3, 2026
Okta Classic Engine
Okta Identity Engine
Okta Integration Network
Overview

When attempting to configure, update, or test the SCIM connection for the OneTrust application in Okta, the connection fails. Okta displays a red error dialog stating:

 

Error authenticating: Unauthorized. The connector configuration could not be tested. Make sure that the URL, Authentication Parameters are correct and that there is an implementation available at the URL provided.

 

Consequently, automated user provisioning, profile updates, and group synchronizations fail to push to OneTrust.

Applies To
  • Okta Integration Network
  • Okta Classic Engine
  • Okta Identity Engine (OIE)
  • System for Cross-domain Identity Management (SCIM)
  • User Provisioning (SCIM)
  • OneTrust Integration
  • API Integration and Authentication
Cause

This error occurs because the credentials in the Okta SCIM configuration do not have the required scopes to authenticate against OneTrust's identity management endpoints.

Standard OneTrust API keys or keys generated without explicit application-level permissions are automatically rejected with a 401 Unauthorized status. To securely handle user identity management, OneTrust requires an OAuth 2.0 API Key explicitly created with the SCIM scope enabled.

Solution

To restore the connection, generate a dedicated SCIM-scoped token in OneTrust and update Okta with the new credential. Follow these steps:

  1. Generate a SCIM-Scoped API Key in OneTrust:
    1. Log in to the OneTrust Admin Console with administrator privileges.
    2. Navigate to Global Settings > Access Management > Client Credentials.
    3. Select the API Keys tab and click Add.
    4. Configure the new credential as an OAuth 2.0 API Key.
    5. In the scope selection, explicitly check the SCIM scope box.
    6. Click Save and copy the API key immediately. Store it securely, as it will not be displayed again.
  2. Update the SCIM Configuration in Okta:
    1. Log in to the Okta Admin Console and open the OneTrust application instance.
    2. Navigate to the Provisioning tab and click on the Integration section in the left menu.
    3. Locate the HTTP Header/Authorization section.
    4. Clear the existing masked characters from the token input field.
    5. Paste the newly generated OneTrust API key directly into the field.
      • NOTE: Because the Okta UI features a separate, grayed-out "Bearer" prefix box next to the input field, paste only the raw alphanumeric token string. Do not manually type the word "Bearer" into the text field.
    6. Click Test Connector Configuration to verify that the authentication error is resolved.
    7. Click Save.

Recommended content

Still looking for help?
Loading
Resolving Okta SCIM Provisioning Error "Unauthorized" With OneTrust