If I am using federated identity for SSO access to native applications can I create a policy that forces the application passwords to change per policy without having the user involved?

The goal is to always provide access to the application with their local credentials while the application passwords are changed and comply to corporate policy.

Release : 14.3, 14.4

Component : CA IDENTITY SUITE (VIRTUAL APPLIANCE)

No. An administrator will still have to change the service accounts password.

Please see here:

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-suite/14-3/virtual-appliance/Change-the-Password-of-Identity-Suite-Components.html

In searching the IM documentation for endpoint password management. I do not see anywhere in our documentation where an application, like Siteminder, can initiate a password change. Siteminder itself does not have the ability to call out to other application APIs so cannot initiate a TEWS call to IM to reset the user's password in IM to synch to an endpoint.
There is no "sweeping" process in IM where you could call a password change to an endpoint. Password changes could be initiated by an external TEWS client, and you could use policy express to generate a password, but doing this could be dangerous.