IM - Force password change policy does not work.
search cancel

IM - Force password change policy does not work.


Article ID: 231704


Updated On:


CA Identity Suite CA Identity Manager



Login requests are configured to pass through 3rd party authentication software (openID) with a password policy configured in IM to force users to change their expired passwords. 

The IM Password policy is not triggering even when forcing the password change when the password is expired. 



The password policy works as expected when using IM Authentication but fails when integrating with 3rd Party Authentication (except CA SSO).

When using IM Authentication, the enabled status in the IM userstore is set with the value "16777216".  This does not happen when integrated with the 3rd Party Authentication.



What is the expected behavior of the IM (Identity Manager) password functionality when integrated with 3rd Party Authentication (Not CA SSO)?



Release : 14.4.x

Component : IdentityMinder(Identity Manager)


User Case


The CA Identity Manager (Symantec IGA) login password policy should NOT be configured as the password is managed by the IdP (Identity Provider), for example, SAML or OpenId connect. 


Additional Information

In this scenario, if there is an Identity authentication provider (IdP), we would expect them to maintain the credential as well as validation of the composed passwords, redirection of failed authentications and, password reset conditions.  

There may be some options for the OpenId Provider to provide some integration with Identity Manager for certain flows, but in the IdP model, we expect to delegate all aspects of authentication and management of the credential used for authentication.

This is not an issue for IDM it should be managed by your OpenId Provider.  CA Identity Manager (IM) will not maintain the redirection of failed authentications or password reset conditions on expiration as this has to be done on OpenId provider side.

In summary, CA Identity Manager is working as designed and when the product is integrated with an Identity Provider (IdP) the password policy should be managed from their side.  There is no further scope for enhancement at this time.