Integrating Identity Manager with SiteMinder, there is some confusion
as to how Password Policies work.
How do Password Policies work, when Identity Manager and SiteMinder
work together ?
All versions of IdentityManager 12.x and SiteMinder 12.x
When integrating IM/SM both IM and SM have their own copies of each
password policy: IM in the IM Object Store and SM in the Policy Store.
When making changes from Identity Manager, those changes need to be
mirrored on the SM server and Policy Store by issuing a SMIMSCommand
via the 4x tunnel.
DO NOT modify the SM policies in SM AdminUI, as they will not get
modified in IM and we’ll end up out of sync. SiteMinder has no
mechanism to synchronize data back to IM at all.
In an IM/SM integrated environment, both IM and SM are involved in the
It works like this:
Both IM directory and SM directory have the same %enabled_state%
flag. Upon logging into SiteMinder Web Agent, the Policy Server
will check that value to see if everything is valid, or if the user
has to take some password action (e.g. Password Must Change, or
password expired, etc). Based on this flag, SiteMinder will
redirect to the URL that is specified in the password
policy. Typically, this is Identity Manager’s password services
When integrated with SiteMinder, Identity Manager relies on SiteMinder
to authenticate and send an SMTOKEN value in the redirection
header. Identity Manager takes that SMTOKEN value and asks the Policy
Server that is it integrated to see if this is a valid authenticated
session and who the user is, so we can determine the user object to
reset the password of.
Then on the IM password services page, the password policy is checked
again to make sure the customer doesn’t violate any password
composition or reuse rules. If everything is ok with the password, IM
resets it and redirects the user to the original page that the
customer was trying to access.