SCIM: Log noise when provisioning vCenter #16581

@dminuoso

Describe the bug
With a SCIM provider against a vCenter, the worker creates a lot of log noise about "failed to get ServiceProviderConfig".

To Reproduce

  1. Configure SCIM against a vCenter and start the sync task
  2. Check logs of the celery worker

Expected behavior
I expect authentik to not generate unnecessary log noise.

Screenshots

Logs

dminuoso@authentik ~ ❯ journalctl -o cat -u authentik-worker --since today|grep ServiceProvider|grep -v debug|grep vcs-test-scim|tail -n 10
{"domain_url": null, "event": "failed to get ServiceProviderConfig", "exc": "NotFoundSyncException(<Response [404]>)", "level": "warning", "logger": "authentik.lib.sync.outgoing.base", "pid": 1044367, "provider": "vcs-test-scim", "schema_name": "public", "task_id": "task-df18f266385c46a8ba58d0b81e731aa3", "timestamp": "2025-09-03T04:37:43.828325"}
{"domain_url": null, "event": "failed to get ServiceProviderConfig", "exc": "NotFoundSyncException(<Response [404]>)", "level": "warning", "logger": "authentik.lib.sync.outgoing.base", "pid": 1044373, "provider": "vcs-test-scim", "schema_name": "public", "task_id": "task-38d6928dc46c403e8c4eb2ed7d8a92c5", "timestamp": "2025-09-03T04:37:43.902347"}
{"domain_url": null, "event": "failed to get ServiceProviderConfig", "exc": "NotFoundSyncException(<Response [404]>)", "level": "warning", "logger": "authentik.lib.sync.outgoing.base", "pid": 1044367, "provider": "vcs-test-scim", "schema_name": "public", "task_id": "task-f1f3428502b1435790184f0b765fb369", "timestamp": "2025-09-03T04:37:44.233414"}
{"domain_url": null, "event": "failed to get ServiceProviderConfig", "exc": "NotFoundSyncException(<Response [404]>)", "level": "warning", "logger": "authentik.lib.sync.outgoing.base", "pid": 1044373, "provider": "vcs-test-scim", "schema_name": "public", "task_id": "task-9a2373a18601469493692b8fc0e0c41c", "timestamp": "2025-09-03T04:37:44.310113"}
....

For us this easily generates several thousand warnings each day for this provider alone.

Version and Deployment (please complete the following information):

  • authentik version: 2025.6.4
  • Deployment: n/a

Additional context

```python
try:
    config = ServiceProviderConfiguration.model_validate(
        self._request("GET", "/ServiceProviderConfig")
    )
    if self.provider.compatibility_mode == SCIMCompatibilityMode.AWS:
        config.patch.supported = False
    if self.provider.compatibility_mode == SCIMCompatibilityMode.SLACK:
        config.filter.supported = True
    return config
except (ValidationError, SCIMRequestException, NotFoundSyncException) as exc:
    self.logger.warning("failed to get ServiceProviderConfig", exc=exc)
    return default_config
```

This code unconditionally fetches the service provider config and warns if it failed to do so. Now vCenter does not provide an endpoint for GET /scim/v2/ServiceProviderConfig and rightfully produces a 404.

A simple solution seems to be to provide an additional compatibility mode (analogous to AWS and Slack) for vCenter for which we never try that endpoint and return default_config instead. This seems fairly trivial.

Do you want me to provide a PR for that?
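
The compatibility-mode idea proposed above, as an added sketch that is not authentik's code and not part of the original issue. `CompatMode`, its `VCENTER` member, `SketchClient`, `simulate` and the contents of `DEFAULT_CONFIG` are hypothetical stand-ins; the in-memory `routes` dict plays the SCIM server.

```python
from dataclasses import dataclass, field
from enum import Enum

# Constructed fallback; authentik's real default_config is not shown in the issue.
DEFAULT_CONFIG = {"patch": False, "filter": False}


class CompatMode(Enum):  # hypothetical stand-in for SCIMCompatibilityMode
    DEFAULT = "default"
    VCENTER = "vcenter"  # hypothetical member, the mode proposed in the issue


class NotFound(Exception):
    """Stand-in for NotFoundSyncException (the server answered 404)."""


@dataclass
class SketchClient:
    mode: CompatMode
    routes: dict  # constructed server: path -> response body
    requests: list = field(default_factory=list)
    warnings: list = field(default_factory=list)

    def _request(self, method, path):
        self.requests.append((method, path))
        if path not in self.routes:
            raise NotFound(path)
        return self.routes[path]

    def get_service_provider_config(self):
        # Proposed behaviour: a target known to lack the endpoint is never probed.
        if self.mode is CompatMode.VCENTER:
            return dict(DEFAULT_CONFIG)
        try:
            return dict(self._request("GET", "/ServiceProviderConfig"))
        except NotFound as exc:
            # Current behaviour from the issue: one warning per sync task.
            self.warnings.append(("failed to get ServiceProviderConfig", repr(exc)))
            return dict(DEFAULT_CONFIG)


def simulate(mode, routes, tasks):
    """Run `tasks` sync tasks; return (config, requests sent, warnings logged)."""
    sent = warned = 0
    config = None
    for _ in range(tasks):
        client = SketchClient(mode, routes)
        config = client.get_service_provider_config()
        sent += len(client.requests)
        warned += len(client.warnings)
    return config, sent, warned
```

Skipping the probe also skips capability discovery, so in this sketch it only applies when the mode is set explicitly for a provider; every other target is still queried and still warns on a 404.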
