After APIM upgraded to version 10.00, change password is not working via Siteminder API.


Article ID: 218099



SITEMINDER CA Single Sign On Agents (SiteMinder)


The APIM assertion "Change CA Single Sign-On User Password" is not working in the upgraded version 10.00.

The same policy was working on APIM version 9.4.

The user can change the password only if the user is in the enabled state (0).

When the user is not in the enabled state (0), the user loops when prompted to change the password.

The expectation is that the product should allow the user to change the password in user states such as "Sm_Api_Reason_ImmedPWChangeRequired".

Currently, when a user's Sm_Api_Reason is set to enabled (0), the user can initiate ChangePassword, which works.

Any other user state fails, for example Sm_Api_Reason_ImmedPWChangeRequired = 20.

Per API gateway customer:

"If you manipulate the SiteMinder disabled flag in the user directory to 16777216, which returns the reason code 20, you can see the error that the "account is not enabled" in the response.

Sm_Api_Reason 7 is disabled. 

Sm_Api_Reason 1, 19, 20 are enabled states but password expired and should let the password be changed using the DMSAPI.

Sm_Api_Reason 21,22 are error conditions in the password change flow. 

These do work with SiteMinder (SSO) password services, just not with the change password assertion in Layer7 gateway."



Siteminder Policy server Version: 12.8 SP4 build 2278

Siteminder Policy server OS: Windows 2016

APIM OS: CentOS 7

APIM version: upgraded from 9.4 to 10.00


This issue is caused by a change in the SSO implementation of the changePassword API in a later 12.8 release.

Once the fix is applied, the APIM-side test results become:

Change password results by disabled flag value:

1 - Fails: User account is not in enabled state.
2 - Fails: User account is not in enabled state.
4 - Fails: User account is not in enabled state.
16777216 - WORKS

Disabled Flag – user defined attribute possible values:

Disabled Reason                       Type    Value
Sm_Api_Disabled_DisabledMask          Mask    0x00ffffff
Sm_Api_Disabled_Enabled               Mask    0
Sm_Api_Disabled_AdminDisabled         Bits    0x00000001
Sm_Api_Disabled_MaxLoginFail          Bits    0x00000002
Sm_Api_Disabled_Inactivity            Bits    0x00000004
Sm_Api_Disabled_PWExpired             Bits    0x00000008
Sm_Api_Disabled_DirNativeDisabled     Bits    0x00000010
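
The following added example (not Broadcom code and not part of the dev fix) decodes a disabled-flag value with the constants from the table above, which is useful when verifying test users after the fix. It assumes that "enabled" means no bit inside Sm_Api_Disabled_DisabledMask is set; that assumption reproduces the four results listed above, since 16777216 (0x01000000) lies entirely outside the mask. The function and dictionary names are hypothetical.

```python
# Added example. Constants are copied from the table in this article.
DISABLED_MASK = 0x00FFFFFF  # Sm_Api_Disabled_DisabledMask
DISABLED_BITS = {
    0x00000001: "Sm_Api_Disabled_AdminDisabled",
    0x00000002: "Sm_Api_Disabled_MaxLoginFail",
    0x00000004: "Sm_Api_Disabled_Inactivity",
    0x00000008: "Sm_Api_Disabled_PWExpired",
    0x00000010: "Sm_Api_Disabled_DirNativeDisabled",
}
# Post-fix results listed in this article (True = change password works).
ARTICLE_RESULTS = {1: False, 2: False, 4: False, 16777216: True}


def decode_disabled_flag(raw):
    """Decode a disabled-flag value given as an int or a decimal/hex string."""
    value = int(str(raw).strip(), 0)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"disabled flag out of 32-bit range: {raw!r}")
    disabled_part = value & DISABLED_MASK
    known = 0
    for bit in DISABLED_BITS:
        known |= bit
    return {
        "hex": f"0x{value:08x}",
        # Named disabled reasons from the table that are set in this value.
        "disabled_reasons": [n for b, n in DISABLED_BITS.items() if value & b],
        # Bits inside the mask that the table does not name.
        "unnamed_disabled_bits": disabled_part & ~known,
        # Bits above the mask; reported raw because the table does not name them.
        "bits_outside_mask": value & ~DISABLED_MASK,
        # Assumption: the account counts as enabled when no masked bit is set.
        "enabled": disabled_part == 0,
    }


def check_against_article():
    """Compare the mask-based prediction with the results the article lists."""
    return {
        value: decode_disabled_flag(value)["enabled"] == works
        for value, works in ARTICLE_RESULTS.items()
    }


if __name__ == "__main__":
    for flag in ARTICLE_RESULTS:
        print(flag, decode_disabled_flag(flag))
```

A value that combines a bit outside the mask with a disabled bit, such as 0x01000002, still decodes as not enabled under this assumption.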


A dev fix is provided to the customer for the specific 12.8 SP4 version.

Follow the steps below to apply the dev fix. This dev fix was prepared on the 12.8.04 GA version of the SiteMinder policy server.

1. Stop the policy server.

2. Take a backup of the existing "smtransactems2.dll" from your <PS_Install_Location>\bin folder (on Linux, it is under ~siteminder/lib).

3. Copy the provided DLL from the dev fix to the <PS_Install_Location>\bin folder.

4. Start the policy server.

Additional Information

APIM issue 32737023 DE505874

Siteminder issue 32738815 DE506000