Password Policy Not Enforced When Authentication Is Delegated to IDSP/Auth Hub

Article ID: 440582

Products

Symantec Identity Security Platform - IDSP (formerly VIP Authentication Hub)

Issue/Introduction

SiteMinder password policies (expiration, Password Must Change, account lockout) are not enforced when the authentication flow is delegated to IDSP. The CHANGE_PASSWORD next action is never returned.

Environment

Identity security platform

Version 4.0

Cause

The configuration was unsupported: LDAP was used for both user disambiguation and password authentication, while bindControlsCsv on the LDAP config also referenced the SM SPI provider.

Resolution

  1. Import the SiteMinder Access Gateway certificate into IDSP
  2. Create the SM SPI Custom Provider with spi.discover.capabilities: smpasswordauthenticator
  3. Update the LDAP config so bindControlsCsv points to the SM SPI provider (using the {sm} prefix); LDAP is then used for disambiguation only, not for the bind
  4. Update the authentication policy password obligation to use the {sm} prefix, routing it through SiteMinder

After switching to the SPI-based password validation described above, the Password Must Change state was triggered correctly and the issue could no longer be reproduced.