IDM Password policy & Siteminder Password services regex limitation.

Article ID: 15561

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

This document covers the limitations on regular expressions used in SiteMinder Password Services and IDM Password Services.



Our IDM password policy, which is enforced for all users in Production, contains a regular expression that mirrors the network Active Directory password policy: the user must satisfy 3 out of 4 character-class requirements (at least 1 lowercase letter, at least 1 uppercase letter, at least 1 digit, and at least 1 special character).

Environment

Siteminder 12.0 SP3 on Solaris 10
IDM 12.6 SP2 on Solaris 10
Oracle DBs

Resolution

This is a limitation on the structure of the policy store.

If you look at sm_oracle_ps.sql under PSSERVER_ROOT/db/SQL, you will find the following table definition (only the columns relevant to this article are shown; the remaining columns are omitted here as they are in the original article):

CREATE TABLE smtaggedstring5 (
taggedstringoid VARCHAR2(64) NOT NULL,
passwordpolicyoid VARCHAR2(64) NOT NULL,
taggedstringname VARCHAR2(255) NOT NULL,
taggedvalue VARCHAR2(1024) NULL,
nomatch INTEGER DEFAULT 0 NULL
-- further column definitions omitted
);

The "taggedvalue" column is where the regular expression for Password Services is stored. Because it is defined as VARCHAR2(1024), the expression cannot exceed 1024 characters.

Editing this column definition or its value directly is not recommended and can lead to unforeseen issues.

Additional Information

SiteMinder also restricts the characters that may be used in an expression to those listed at the link below. Anything outside of that list can cause problems when Password Services evaluates the expression. SiteMinder does not support lookahead in regular expressions.

URL: https://support.ca.com/cadocs/0/CA%20SiteMinder%2012%2052%20SP1-ENU/Bookshelf_Files/HTML/idocs/2194471.html#o346030
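The two limitations above interact: without lookahead, a "3 of 4 character classes" rule can only be written by spelling out every ordering of every class combination as alternatives, and the resulting expression must still fit the 1024-character taggedvalue column. The following Python script is an added illustration, not code from the article or from SiteMinder; it generates such a lookahead-free expression, measures it against the column size, and evaluates sample passwords with Python's re module (the special-character class is a constructed assumption and must be checked against SiteMinder's supported-character list).

```python
import re
from itertools import combinations, permutations

# Column size from sm_oracle_ps.sql: taggedvalue VARCHAR2(1024)
TAGGEDVALUE_MAX = 1024

# Character classes for the "3 of 4" rule. The special-character class is a
# constructed assumption; the characters SiteMinder accepts in an expression
# are restricted to the list linked in the article and must be verified there.
CLASSES = {
    "lower": "[a-z]",
    "upper": "[A-Z]",
    "digit": "[0-9]",
    "special": "[^a-zA-Z0-9]",
}


def build_k_of_n(classes, k):
    """Return a lookahead-free regex requiring at least k of the given classes.

    Without lookahead, "contains X and Y and Z in any order" can only be written
    by spelling out every ordering as .*X.*Y.*Z.* and joining them with '|'.
    The result has C(n, k) * k! alternatives, which is why such expressions
    grow quickly toward the column limit.
    """
    alternatives = []
    for subset in combinations(classes, k):
        for order in permutations(subset):
            alternatives.append(".*" + ".*".join(order) + ".*")
    return "|".join(alternatives)


def fits_policy_store(regex):
    """True if the expression fits the taggedvalue column."""
    return len(regex) <= TAGGEDVALUE_MAX


def password_ok(regex, candidate):
    """Evaluate a candidate password against the generated expression."""
    return re.fullmatch(regex, candidate) is not None


THREE_OF_FOUR = build_k_of_n(list(CLASSES.values()), 3)

if __name__ == "__main__":
    print(f"alternatives: {THREE_OF_FOUR.count('|') + 1}, length: {len(THREE_OF_FOUR)}")
    print(f"fits taggedvalue: {fits_policy_store(THREE_OF_FOUR)}")
    for pw in ("Passw0rd", "password", "pass!w0rd"):
        print(pw, password_ok(THREE_OF_FOUR, pw))
```

Adding a fifth class (for example a separate rule for a specific punctuation set) raises the count to 60 alternatives, which shows how fast such expressions approach the column limit.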