Need to make regex expression case insensitive in SSO Password Policy
Article ID: 190936

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

The requirement is to block certain words from being used in a password, regardless of case. The restriction is implemented in the password policy by adding regular expressions to the list of disallowed patterns.

By default, the regular expression for the blacklisted words is evaluated case sensitively, whereas the requirement is for it to be case insensitive.

For example, all of the following should be rejected:
Password, password, pAsSword, etc.

The regular expression documentation indicates that the (?i) modifier makes an expression case insensitive, but adding it to the password policy expression has no effect: the expression works without the modifier (but only matches the exact case), and with (?i) added it does not reject the passwords it should.

The expressions in question are:
^(.*(password)+.*)$ - works, but is case sensitive
(?i)^(.*(password)+.*)$ - does not work as expected

Environment

Release : 12.8.03 / Component : SITEMINDER -POLICY SERVER
Release : 14.x / Component : Identity Manager (when SSO is integrated)

Resolution

By default the Policy Server does not evaluate password policy regular expressions with PCRE, so the (?i) modifier is not recognised. Enabling the UsePCREPasswordChecks registry setting on the Policy Server switches password checks to PCRE, after which the expression can be used in case insensitive mode.

1. Add the UsePCREPasswordChecks registry value as per the documentation.

   On the Policy Server host, create a value named UsePCREPasswordChecks under the following key:

   HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\PolicyServer

   The full path of the new value is therefore:

   HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\PolicyServer\UsePCREPasswordChecks

   Set the value to 1 to enable PCRE password checks. On UNIX/Linux Policy Servers the equivalent entry is made in the sm.registry file rather than the Windows registry. The setting is per host, so apply it to every Policy Server that evaluates the password policy.

2. Restart the Policy Server so the change takes effect.

3. Configure the case insensitive expression in the password policy, i.e. (?i)^(.*(password)+.*)$ (the (?i) modifier at the very start applies to the whole expression).

Verification: attempting to set a new password such as Password, password or pAsSword is now rejected in every case, while a password that does not contain the blacklisted word is still accepted.
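The following is an added example, not code from the article or from the SiteMinder product, that reproduces the behaviour described above outside the Policy Server so the expressions can be checked before they are put into a policy. Python's re module honours the inline (?i) modifier the same way PCRE does, so it stands in for the PCRE engine; the candidate passwords are constructed here. The character-class expansion helper (expand_case_insensitive) is an assumption of this example, shown only as a portable alternative for an engine that ignores (?i); the supported fix remains enabling UsePCREPasswordChecks.

```python
import re

# Constructed sample candidates (not from the article): the three the article
# wants rejected plus two that contain no blacklisted word.
CANDIDATES = ["Password", "password", "pAsSword", "MyPassword1!", "Secur3Phr@se"]

# The two expressions quoted in the article.
CASE_SENSITIVE_PATTERN = r"^(.*(password)+.*)$"
PCRE_CASE_INSENSITIVE_PATTERN = r"(?i)^(.*(password)+.*)$"


def is_rejected(password: str, pattern: str) -> bool:
    """True if PASSWORD matches the blacklist expression PATTERN.

    The article's patterns are anchored with ^...$ and wrapped in .*, so the
    outcome is the same whether the engine searches or requires a full match.
    """
    return re.search(pattern, password) is not None


def expand_case_insensitive(word: str) -> str:
    """Build a case-insensitive blacklist expression for WORD without (?i).

    Each letter becomes a two-character class ([Pp][Aa]...), so the expression
    is case insensitive on any engine, including one that ignores inline
    modifiers. Assumed fallback for this example only, not a step from the
    article.
    """
    classes = []
    for ch in word:
        if ch.isalpha():
            classes.append(f"[{ch.upper()}{ch.lower()}]")
        else:
            classes.append(re.escape(ch))
    return "^(.*(" + "".join(classes) + ")+.*)$"


def evaluate(candidates, pattern):
    """Return the subset of CANDIDATES that PATTERN rejects, in input order."""
    return [pw for pw in candidates if is_rejected(pw, pattern)]


if __name__ == "__main__":
    for label, pattern in [
        ("case sensitive", CASE_SENSITIVE_PATTERN),
        ("PCRE (?i)", PCRE_CASE_INSENSITIVE_PATTERN),
        ("character classes", expand_case_insensitive("password")),
    ]:
        print(f"{label:18} {pattern:32} rejects {evaluate(CANDIDATES, pattern)}")
```

Running the block shows the case sensitive expression rejecting only "password", while both the (?i) form and the character-class form reject Password, password, pAsSword and MyPassword1! and leave Secur3Phr@se untouched, which is the behaviour expected from the Policy Server once UsePCREPasswordChecks is enabled.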

Additional Information

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/configuring/policy-server-configuration/password-services-and-policies/how-to-configure-password-policies.html