IM allows creating and managing password policies. These password policies apply to users in the corporate store. In a standalone environment this is working well. However, when integrated with SiteMinder it is getting more complicated. SiteMinder allows authenticating a user against one storage while authorizing him off of another. When this feature is enabled then IM's corporate directory is in fact the authorization storage of SiteMinder. SiteMinder's authentication directory is unknown for Identity Manager. However, since IM defines password policies they are kicked in prior to the authentication. They, in turn, verify if the password needs to be reset and if other policies are valid in order to challenge the user for authentication. What happens is that when a user is trying to log into IM, it will kick in the password policies which are based off of the authorization directory, however, the user's password is in another storage (in the authentication directory) and so the password policies won't apply correctly. This only happens in this configuration where SiteMinder controls the authentication storage while IDM is controlling the password services on a different storage.