
IDM Password policy & Siteminder Password services regex limitation.


Article ID: 15561




CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On


This document covers the limitation on regular expressions in SiteMinder Password Services and IDM password services.

Our IDM password policy that is enforced for all users in Production has a regular expression that matches the network Active Directory password policy, which forces the user to use 3 out of 4 (at least 1 lowercase, at least 1 uppercase, at least 1 digit and at least 1 special character).



SiteMinder 12.0 SP3 on Solaris 10
IDM 12.6 SP2 on Solaris 10
Oracle DBs


This is a limitation on the structure of the policy store.

If you take a look at the <sm_oracle_ps.sql> script in PSSERVER_ROOT/db/SQL

You will find:

    CREATE TABLE smtaggedstring5 (
        taggedstringoid VARCHAR2(64) NOT NULL,
        passwordpolicyoid VARCHAR2(64) NOT NULL,
        taggedstringname VARCHAR2(255) NOT NULL,
        taggedvalue VARCHAR2(1024) NULL,


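The "taggedvalue" column is where the regular expressions for Password Services are stored. Because it is declared as VARCHAR2(1024), a stored expression cannot be longer than that column allows.

Editing this value is not recommended and can lead to unforeseen issues.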



Additional Information

SiteMinder also limits the characters that can be used in an expression to those listed in the link below. Anything outside of this list could cause issues when Password Services performs the expression lookup. SiteMinder does not support lookahead in regular expressions.
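
A pre-flight check for the two limits described above, as an added example (not code from this article or from the product): it flags an expression that would not fit the VARCHAR2(1024) taggedvalue column or that uses lookaround, and builds the "3 out of 4" rule as plain alternation instead. The function names, the character classes, byte-length semantics for the column, and SiteMinder accepting the constructs used are assumptions; check the generated expression against the supported-expression list before using it.

```python
import itertools
import re

TAGGEDVALUE_MAX = 1024  # taggedvalue VARCHAR2(1024) in sm_oracle_ps.sql

# Openers of lookahead/lookbehind groups: (?=  (?!  (?<=  (?<!
# Conservative: also flags these sequences when escaped or inside a class.
LOOKAROUND = re.compile(r"\(\?<?[=!]")

# Constructed character classes for the four categories (assumption).
CLASSES = {
    "lower": "[a-z]",
    "upper": "[A-Z]",
    "digit": "[0-9]",
    "special": "[^a-zA-Z0-9]",
}


def check_expression(expr):
    """Return the reasons expr cannot be used as a password-policy regex."""
    problems = []
    size = len(expr.encode("utf-8"))  # assumes byte semantics for VARCHAR2
    if size > TAGGEDVALUE_MAX:
        problems.append(f"too long: {size} > {TAGGEDVALUE_MAX}")
    if LOOKAROUND.search(expr):
        problems.append("uses lookaround")
    return problems


def k_of_n_without_lookahead(k, classes=CLASSES):
    """Express 'at least k of the classes' as alternation over orderings.

    Every choice of k classes in every order becomes one alternative,
    so the length grows factorially with k and the number of classes.
    """
    alternatives = []
    for combo in itertools.combinations(classes.values(), k):
        for order in itertools.permutations(combo):
            alternatives.append(".*" + ".*".join(order) + ".*")
    return "^(" + "|".join(alternatives) + ")$"


if __name__ == "__main__":
    ad_style = "^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9]).{8,}$"  # constructed sample
    print(check_expression(ad_style))
    rule = k_of_n_without_lookahead(3)
    print(len(rule), check_expression(rule))
```

With these four classes the 3-of-4 expression fits in the column, but adding one more class or requirement multiplies the alternatives and quickly exceeds 1024.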