After we finalized the integration between SM and IDM (SiteMinder and Identity Manager), we are unable to create users with passwords; we always get the following error in the IM log:
ERROR [ims.tmt.submit.validation.blth] (default task-17) IMSException in BLTH handleTask:Password validation failed: Corrupted buffer returned from server.
This produces the following in the SiteMinder logs:
[IMS6DsLdapProvider.cpp:6178][ERROR][sm-log-00000] (CIMSDsLdapProvider::ConstructDN) Failed to fetch attribute : '%USER_ID%' from the metadata.
[IMS6DsLdapProvider.cpp:6280][ERROR][sm-log-00000] (CIMSDsLdapProvider::ConstructDN) Failed to construct DN
[IMS6DsLdapProvider.cpp:3182][ERROR][sm-log-00000] (CIMSDsLdapProvider::ValidateIMSUserNewPassword) Invalid DN constructed using the org dn and user id
[MarshalUtils.cpp:875][ERROR][sm-log-00000] SmImsCommand (returnPasswordErrorMsg) - The SmPasswordMsgReader could not parse the message
[MarshalUtils.cpp:876][ERROR][sm-log-00000] SmImsCommand (returnPasswordErrorMsg) -
The smtracedefault log shows the following errors:
LogMessage:ERROR:[sm-log-00000] (CIMSDsLdapProvider::ConstructDN) Failed to fetch attribute : '%USER_ID%' from the metadata.|
LogMessage:ERROR:[sm-log-00000] (CIMSDsLdapProvider::ConstructDN) Failed to construct DN|
LogMessage:ERROR:[sm-log-00000] (CIMSDsLdapProvider::ValidateIMSUserNewPassword) Invalid DN constructed using the org dn and user id|
Creating users without password is working as expected.
Modifying an existing user's password is also working as expected.
Release : 14.x
Component : IdentityMinder(Identity Manager)
Policy Server inconsistency: the IM objects were missing from the Policy Store, so the integration had to be re-established.
The lookup of the well-known '%USER_ID%' attribute relies on the Policy Store's IMSDirectory, ManagedObject and ManagedObjectAttribute tables being populated with the User object and its attribute definitions. If that data is absent or only partially populated, the Policy Server cannot construct the user DN and password validation fails with the errors shown above. To determine whether this is the case, inspect the following tables with the pseudo-queries below.
1. imsdirectory6 - find the row whose name column matches the SmUserDirectory object name in use. The imsdiroid of this row is the ImDirectory Oid needed for step 2.
2. imsmanagedobject6 - find the row whose imsdiroid matches the value from step 1 and whose objectTypetag is 'user' (the case of this value may differ). The oid column of this row identifies the User object needed for step 3.
3. imsmanagedobjectattr6 - find all rows whose managedobjoid matches the oid from step 2. These are the User object's attribute definitions. Inspect the wellknownattrid column; if no row carries '%USER_ID%', this is the problem and the data needs to be repopulated.
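The three inspection steps above, written out as concrete SQL for a database-backed Policy Store. This is an added example, not part of the original article: the table and column names are taken from the steps above, but their exact casing, the casing of the 'user' tag and the directory name 'IM_UserDirectory' are assumptions that must be adjusted to your environment.

```sql
-- Added example (not from the original article). Assumptions: column names are
-- lower case as listed in the steps above, the SmUserDirectory object bound to
-- the IME is called 'IM_UserDirectory', and the DBMS supports LOWER().

-- Step 1: IMSDirectory row for the SM user directory; imsdiroid is the ImDirectory Oid
SELECT imsdiroid, name
  FROM imsdirectory6
 WHERE name = 'IM_UserDirectory';

-- Step 2: the User managed object of that directory (tag casing may differ, hence LOWER)
SELECT mo.oid, mo.objecttypetag
  FROM imsmanagedobject6 mo
  JOIN imsdirectory6 d ON d.imsdiroid = mo.imsdiroid
 WHERE d.name = 'IM_UserDirectory'
   AND LOWER(mo.objecttypetag) = 'user';

-- Step 3: every attribute definition of that User object; a healthy store has
-- at least one row whose wellknownattrid is '%USER_ID%'
SELECT a.*
  FROM imsmanagedobjectattr6 a
  JOIN imsmanagedobject6 mo ON mo.oid = a.managedobjoid
  JOIN imsdirectory6 d ON d.imsdiroid = mo.imsdiroid
 WHERE d.name = 'IM_UserDirectory'
   AND LOWER(mo.objecttypetag) = 'user'
 ORDER BY a.wellknownattrid;

-- Single pass/fail check: a count of 0 matches the
-- "Failed to fetch attribute : '%USER_ID%' from the metadata" condition
SELECT COUNT(*) AS user_id_mappings
  FROM imsmanagedobjectattr6 a
  JOIN imsmanagedobject6 mo ON mo.oid = a.managedobjoid
  JOIN imsdirectory6 d ON d.imsdiroid = mo.imsdiroid
 WHERE d.name = 'IM_UserDirectory'
   AND LOWER(mo.objecttypetag) = 'user'
   AND a.wellknownattrid = '%USER_ID%';
```

Run these read-only queries against the Policy Store database before and after re-establishing the integration: the last query should return 0 in the broken state and a positive count once the User attributes have been repopulated. If step 1 returns no row at all, the IMSDirectory itself is missing, which points to the same cause. For an LDAP-backed Policy Store the same three lookups have to be done with ldapsearch against the corresponding XPS objects instead of SQL.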
The integration has to be re-established so that all attributes are saved correctly in the Policy Store. This means removing and recreating the entries with the integration in place.
Some production systems do not allow IME removal and recreation, as it wipes the task persistence history and its visibility in VST (View Submitted Tasks).
The procedure should be performed in a lower environment first, to validate its behaviour and to become familiar with the expected steps.
Backups of the IM Object Store and the Policy Store (LDAP / DB, plus an XPS backup) must be captured before the procedure is attempted.
Details on reestablishing the Policy Store can be found in the documentation here:
Enable a CA SSO Integration with Deployed CA Identity Manager Environments