Password must change is selected but user is not forced to change password

Document ID : KB000039462
Last Modified Date : 14/02/2018

Problem:

IDM has a feature to force the user to reset their password with the check box (Password Must Change). When an admin changes a user's password with the Password Must Change checkbox checked, the user is not prompted to change their password at the next login. Instead, the user is allowed to log in.

Solution:

This issue is usually due to a mapping problem with the well-known attribute %ENABLED_STATE%.

Verify in the corporate directory.xml that there is an entry for %ENABLED_STATE% and that it is mapped to a physical attribute in your directory. For example,

%ENABLED_STATE% = caidmDisabled:

<ImsManagedObjectAttr physicalname="caidmDisabled" objectclass="caidmPerson" description="Disabled State" displayname="Disabled State" valuetype="String" wellknown="%ENABLED_STATE%" maxlength="0" hidden="true"/> 

Based on the above example, when you check 'Password Must Change' in the IDM task, IDM updates 'caidmDisabled'. When the user then logs into IDM they should be prompted to change their password.
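A small check for this mapping, added here as an example and not part of the original article: it parses a directory.xml and reports which physical attribute is bound to the %ENABLED_STATE% well-known, returning None when the mapping is absent or empty. The ImsManagedObjectAttr entries follow the line quoted above; the surrounding <ImsDirectory>/<ImsManagedObject> wrapper and the second, %USER_ID% entry are a constructed, simplified stand-in for a real file.

```python
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed directory.xml fragment. The %ENABLED_STATE% entry matches the
# ImsManagedObjectAttr quoted in the article; the wrapper elements are assumed.
GOOD_DIRECTORY_XML = """<ImsDirectory name="corporate">
  <ImsManagedObject name="User" objectclass="caidmPerson">
    <ImsManagedObjectAttr physicalname="uid" objectclass="caidmPerson"
        description="User ID" displayname="User ID" valuetype="String"
        wellknown="%USER_ID%" maxlength="0" hidden="false"/>
    <ImsManagedObjectAttr physicalname="caidmDisabled" objectclass="caidmPerson"
        description="Disabled State" displayname="Disabled State" valuetype="String"
        wellknown="%ENABLED_STATE%" maxlength="0" hidden="true"/>
  </ImsManagedObject>
</ImsDirectory>"""

# Same constructed file with the %ENABLED_STATE% mapping missing: Password Must
# Change has nothing to write to, which produces the symptom described above.
BROKEN_DIRECTORY_XML = """<ImsDirectory name="corporate">
  <ImsManagedObject name="User" objectclass="caidmPerson">
    <ImsManagedObjectAttr physicalname="uid" objectclass="caidmPerson"
        valuetype="String" wellknown="%USER_ID%" maxlength="0" hidden="false"/>
  </ImsManagedObject>
</ImsDirectory>"""


def enabled_state_mapping(directory_xml: str) -> Optional[str]:
    """Return the physical attribute mapped to %ENABLED_STATE%, or None if the
    well-known is absent or its physicalname is empty."""
    root = ET.fromstring(directory_xml)
    # Walk every ImsManagedObjectAttr regardless of how deeply it is nested.
    for attr in root.iter("ImsManagedObjectAttr"):
        if attr.get("wellknown") == "%ENABLED_STATE%":
            physical = (attr.get("physicalname") or "").strip()
            return physical or None
    return None


def check_directory_file(path: str) -> str:
    """Human-readable verdict for a directory.xml on disk."""
    with open(path, encoding="utf-8") as fh:
        mapping = enabled_state_mapping(fh.read())
    if mapping is None:
        return "%ENABLED_STATE% is not mapped: Password Must Change cannot be enforced"
    return "%ENABLED_STATE% -> " + mapping
```

Run check_directory_file() against the exported corporate directory.xml; a None result is the condition to fix before retesting the Password Must Change task.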

If SiteMinder SSO is integrated and a different process and a different attribute are used to set the disabled status, you need to decide whether IDM or SiteMinder will hold the authoritative disabled-state attribute, and map the attributes accordingly.

IDM's Password Must Change functionality can update only the attribute mapped to its well-known %ENABLED_STATE%.