Release : 14.3
Component : IdentityMinder(Identity Manager)
No. The SSO username in ra.xml must be an administrator account that has modification privileges (create, write and delete), not only on the Domain or Realm but also on Rules, Responses, User Directories, Authentication Schemes, Password Policies, etc.
When you modify a User Directory or Password Policy in Identity Manager, the change is supposed to be propagated to SSO. If the SSO username in ra.xml is scoped to the Domain only, this propagation fails.
For example, suppose we create the administrator imssouser whose scope is limited to the Identity Manager domain, modify ra.xml accordingly and restart Identity Manager. Identity Manager starts up, but reports the following error:
Error: Password Policies are not supported. A Password Data attribute must be configured on the SiteMinder user directory to support password policies. This is automatically configured when deploying a new Identiy Manager directory with an attribute specified for the %PASSWORD_DATA% well-known.
The Policy Server trace log shows the following error:
<ObjectClassName = UserDirectory>
<Name = 0e-98a4bac6-2964-4e46-8279-b85e82e91eaf>
<status=E/0913/-4/Policy API error>
Updating the User Directory in the Management Console fails with the following error:
An error occurred while configuring Identity Manager. Reverting configured objects...
Error: The user directory "UserStore" does not exist.
Modifying the IM Environment in the Management Console (for example Advanced Settings > Web Services) yields the following error:
Configuring web services...
Error: Could not find the agent for the domain associated with the environment. Cannot configure the policy to protect web services
Identity Manager and SSO integration is not designed to work with an SSO legacy administrator whose privileges are restricted to the SSO Domain.
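The following Python script is an added example and is not part of this article or of the product. It scans Policy Server trace entries in the `<Key = Value>` form shown above, picks out records whose status is a Policy API error, and maps the failing object class to the object classes the ra.xml administrator must be able to modify (Domain, Realm, Rule, Response, User Directory, Authentication Scheme, Password Policy). The trace excerpt embeds the lines quoted above plus constructed records; the record grouping (one record per trailing `<status=...>` line), the success status value and the exact object class names are assumptions, not documented trace-log semantics.

```python
import re

# Object classes the ra.xml SSO administrator needs create/write/delete rights on,
# per the article. The spelling of the names is assumed to match ObjectClassName
# values in the trace log; adjust to what your Policy Server actually emits.
REQUIRED_OBJECT_CLASSES = {
    "Domain", "Realm", "Rule", "Response",
    "UserDirectory", "AuthScheme", "PasswordPolicy",
}

# One <Key = Value> token per line, tolerant of spaces around "=".
FIELD_RE = re.compile(r"<\s*(\w+)\s*=\s*([^>]*?)\s*>")

# Constructed sample: the first record is the excerpt from the article; the other
# two records (a successful Realm update and a failing PasswordPolicy update) and
# the "S/0000/0/OK" success status are constructed for this example.
SAMPLE_TRACE = """\
<ObjectClassName = UserDirectory>
<Name = 0e-98a4bac6-2964-4e46-8279-b85e82e91eaf>
<status=E/0913/-4/Policy API error>
<ObjectClassName = Realm>
<Name = realm-constructed-0001>
<status=S/0000/0/OK>
<ObjectClassName = PasswordPolicy>
<Name = pwpolicy-constructed-0002>
<status=E/0913/-4/Policy API error>
"""


def parse_trace(text):
    """Group consecutive <Key = Value> lines into records; a <status=...> line closes a record."""
    records, current = [], {}
    for line in text.splitlines():
        match = FIELD_RE.search(line)
        if not match:
            continue  # not a trace field line; ignore
        key, value = match.group(1), match.group(2)
        current[key] = value
        if key.lower() == "status":
            records.append(current)
            current = {}
    if current:  # trailing record without a status line
        records.append(current)
    return records


def policy_api_failures(records):
    """Return (object_class, status) for records whose status code starts with E/ (error)."""
    failures = []
    for record in records:
        status = record.get("status", "")
        if status.startswith("E/"):
            failures.append((record.get("ObjectClassName", "?"), status))
    return failures


def missing_privileges(failures):
    """Object classes that failed and that the ra.xml administrator must be able to modify."""
    return sorted({oc for oc, _ in failures if oc in REQUIRED_OBJECT_CLASSES})


def report(text=SAMPLE_TRACE):
    """Human-readable summary: which object classes the SSO admin in ra.xml could not update."""
    failures = policy_api_failures(parse_trace(text))
    classes = missing_privileges(failures)
    if not classes:
        return "No Policy API errors on objects the ra.xml administrator must own."
    return ("Policy API errors on: " + ", ".join(classes)
            + ". Check that the ra.xml SSO user has create/write/delete on these object classes,"
            + " not just on the Domain.")


if __name__ == "__main__":
    print(report())
```

Run it against a saved trace excerpt (`report(open("smtrace.log").read())`); if it names any object class outside the Domain, the administrator configured in ra.xml is most likely domain-scoped, which is exactly the situation the article describes.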