SiteMinder Regular Expressions Limitation

Document ID : KB000053368
Last Modified Date : 14/02/2018

Description:

Customer Environment:

Policy Server: Policy Server 6.0.4.2

OS: Windows 2003

Policy Store: eDirectory server (8.7.3.9).

Problem:

Customer wants to use Regular Expressions in a password policy and needs to understand why theirs is failing:

Pattern to match "(([A-Za-z]+[0-9]*)([0-9]+[0-9a-zA-Z]*)([0-9a-zA-Z]+.*))|(([A-Za-z]+[0-9a-zA-Z]*)([0-9a-zA-Z]+[ 0-9]*)([0-9]+.*))$"

Solution:

The default, out-of-the-box regular expression function in SiteMinder has a few limitations.

  1. SiteMinder regular expressions only accept SiteMinder's own predefined operators.
    See details in Policy Design Guide -> Rules -> Resource Matching and Regular Expressions -> Regular Expressions for Resource Matching.

  2. The regular expression used in a password policy configuration must not exceed 10 sub-expressions - in the customer's example this is not met.

  3. CA suggests that customers test their regular expressions with any one of the free online test tools.

In this case, the out-of-the-box solution cannot meet the customer's complex business requirement, and the customer is recommended to use the SiteMinder layered product APS to implement it.