SCIM Connector Configuration Error "Connect timed out" During Test Connection in Okta
Okta Classic Engine
Okta Identity Engine
API Access Management
Overview

When configuring a System for Cross-domain Identity Management (SCIM) integration and clicking Test Connector Configuration, the following error message is displayed:

 

Error authenticating: Connect to <domain>:443 [<domain.com>/<IP Address>] failed: Connect timed out

 


Applies To
  • System for Cross-domain Identity Management (SCIM) 2.0 Integrations
  • Provisioning
  • Custom API Connectors
  • Network Security / Firewalls
  • Okta Classic Engine
  • Okta Identity Engine (OIE)
Cause

A Connect timed out error specifically means that Okta’s servers were unable to complete a TCP handshake with the target server within the required time limit. This error is commonly caused by:

  • Incorrect Base URL: The SCIM endpoint URL provided is incorrect or inaccessible from the public internet.
  • Firewall Blocking: The target server or network gateway is dropping requests from Okta's IP addresses.
  • Service Downtime: The SCIM implementation on the target server is not running or is unresponsive.
  • Routing Issues: DNS resolution for the domain (for example, <domain>.com) is pointing to an internal-only IP address that Okta cannot reach.
Solution

To resolve the timeout and successfully validate the SCIM configuration, follow these steps:

 

  1. Verify External Reachability.

Test the SCIM endpoint from a network outside of the internal environment to ensure it is publicly accessible. Use the following curl command to verify whether the endpoint responds:

curl -X GET "https://<domain>.com/identities/scim/v2/Users" \
     -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
     -H "Accept: application/scim+json"

    • If this command also times out, the issue is with the server availability or a network-level block.

    • If this command returns a 200 OK or 401 Unauthorized, the service is reachable. Proceed to Step 2.

  2. Allowlist Okta IP Addresses.

 Ensure that the firewall, load balancer, or Web Application Firewall (WAF) is configured to allow inbound traffic from Okta.

    1. Navigate to Settings > Downloads in the Okta Admin Console to find the "Okta IP Address ranges" or refer to the Allow access to Okta IP addresses documentation.

    2. Ensure port 443 is open for these ranges.

  3. Confirm SCIM Base URL.

 In the Okta Provisioning tab under Integration, ensure the SCIM connector base URL does not include the /Users or /Groups suffix unless specifically required by the implementation. Usually, it should end at the base API level (for example, https://<domain>.com/identities/scim/v2).

  4. Check for SSL/TLS Interception.

 Ensure there is no proxy or SSL interceptor between Okta and the SCIM server that might drop the connection without a proper response.
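
The checks above can be combined into one triage pass. The following is an added example, not part of the Okta article or any Okta tooling: it flags a base URL ending in /Users or /Groups, lists resolved addresses that are not publicly routable, and attempts only the TCP handshake on port 443 to separate a timeout from a refused connection. The function names and the 10-second timeout are assumptions, and it must be run from a host outside the internal network.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def resource_suffix(base_url):
    """Return 'Users' or 'Groups' if the base URL ends in that suffix, else None."""
    last = urlsplit(base_url).path.rstrip("/").rsplit("/", 1)[-1]
    return last if last.lower() in ("users", "groups") else None

def non_public(addresses):
    """Addresses (private, loopback, link-local, ...) that are not publicly routable."""
    return [a for a in addresses if not ipaddress.ip_address(a).is_global]

def tcp_probe(address, port=443, timeout=10.0):
    """Attempt only the TCP handshake and report how it ended."""
    try:
        socket.create_connection((address, port), timeout=timeout).close()
        return "connected"
    except socket.timeout:
        return "timed out"   # packets dropped: firewall or unroutable address
    except ConnectionRefusedError:
        return "refused"     # host reachable, nothing listening on the port
    except OSError as exc:
        return "error: %s" % exc

def diagnose(base_url):
    """Run the checks in order and return a report dictionary."""
    report = {"resource_suffix": resource_suffix(base_url)}
    host = urlsplit(base_url).hostname
    try:
        infos = socket.getaddrinfo(host, 443, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        report["dns"] = "resolution failed: %s" % exc
        return report
    addrs = sorted({info[4][0] for info in infos})
    report["internal_only"] = non_public(addrs)
    report["tcp"] = {a: tcp_probe(a) for a in addrs}
    return report

if __name__ == "__main__":
    import json
    import sys
    # Usage: python scim_triage.py "https://<domain>.com/identities/scim/v2"
    print(json.dumps(diagnose(sys.argv[1]), indent=2))
```

A "timed out" result for a publicly routable address points at the firewall, load balancer or WAF in Step 2, while any entry under internal_only points at the DNS routing cause.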
