IDM Password policy & Siteminder Password services regex limitation.

Document ID : KB000015561
Last Modified Date : 14/02/2018

This document covers the regular-expression limitations in Siteminder Password Services and IDM Password Services.


Our IDM password policy, which is enforced for all users in Production, uses a regular expression that matches the network Active Directory password policy: the user must satisfy 3 out of 4 character-class requirements (at least 1 lowercase letter, at least 1 uppercase letter, at least 1 digit and at least 1 special character).


Siteminder 12.0 SP3 on Solaris 10
IDM 12.6 SP2 on Solaris 10
Oracle DBs

This is a limitation on the structure of the policy store.

If you look at sm_oracle_ps.sql under PSSERVER_ROOT/db/SQL, you will find:
CREATE TABLE smtaggedstring5 (
taggedstringoid VARCHAR2(64) NOT NULL,
passwordpolicyoid VARCHAR2(64) NOT NULL,
taggedstringname VARCHAR2(255) NOT NULL,
taggedvalue VARCHAR2(1024) NULL,


The "taggedvalue" column is where the regular expressions used by Password Services are stored, and its VARCHAR2(1024) definition caps each stored expression at 1024 characters.

Editing this column is not recommended and can lead to unforeseen issues.



Additional Information:

Siteminder also limits the characters it supports in an expression to those listed in the link below. Anything outside of this list could cause issues when Password Services perform the expression lookup. Siteminder has no support for lookahead regular expressions.