This document covers the limitation of Regex expression in Siteminder Password Services and IDM Password services.
Our IDM password policy that is enforced for all users in Production has a regular expression that matches the network Active Directory password policy which forces the user to use 3 out 4 (at least 1 Lowercase, at least 1 Uppercase, at least 1 digit and at least 1 special character).
This is a limitation on the structure of the policy store.
If you take a look the <sm_oracle_ps.sql> PSSERVER_ROOT/db/SQL
You will find:
CREATE TABLE smtaggedstring5 (
taggedstringoid VARCHAR2(64) NOT NULL,
passwordpolicyoid VARCHAR2(64) NOT NULL,
taggedstringname VARCHAR2(255) NOT NULL,
taggedvalue VARCHAR2(1024) NULL,
nomatch INTEGER DEFAULT 0 NULL,
The "taggedvalue" entry is where the Regex Expression are stored for password services.
Editing this value is not suggested and can lead to unforeseen issues.
Siteminder also has a limit to the expression character that listed in the link below. Anything outside of this list could cause issues when password services perform the expression lookup. Siteminder has no support for lookahead Regex expressions.