When OpenAM is the service provider and auto federation and dynamic user profile creation are configured, SAML federation fails. The generated passwords given to users upon creation are failing the more complicated password policies in OpenDJ.
How to replicate:
Step 1. Default install of OpenAM with an OpenDJ user store (I used an external OpenDJ)
Step 2. Configure auto federation
Step 3. Configure OpenAM to create a user profile if none exists.
Step 4. Create a password validator on an OpenDJ Password Policy. I used the Default Password Policy and I configured the Character Set for a validator.
Federation will fail with the following:
Constraint Violation: The password value for attribute userPassword was found to be unacceptable: The provided password did not contain enough characters from the character set 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'. The minimum number of characters from that set that must be present in user passwords is 1
Since this user will only utilize federation, they do not need a password, which would prevent federation from failing when there are complex password validators configured.
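The failure mode in this report, as an added example that is not OpenAM or OpenDJ code: a simplified model of a character-set validator using "min:characters" rules, run against a constructed password and against a generator that satisfies every rule by construction. The names `RULES`, `parse_rules`, `violations` and `generate` are hypothetical, and the digits rule and the sample password are constructed.

```python
import secrets
import string

# Rules in "min:characters" form. The first mirrors the error in the report;
# the second is a constructed addition to show several sets at once.
RULES = ["1:" + string.ascii_uppercase, "1:" + string.digits]


def parse_rules(rules):
    """Split each 'min:characters' rule into (minimum, character set)."""
    parsed = []
    for rule in rules:
        minimum, _, chars = rule.partition(":")
        if not minimum.isdigit() or not chars:
            raise ValueError(f"malformed rule: {rule!r}")
        parsed.append((int(minimum), chars))
    return parsed


def violations(password, rules):
    """Return the character sets whose minimum count the password misses."""
    return [chars for minimum, chars in parse_rules(rules)
            if sum(c in chars for c in password) < minimum]


def generate(rules, length=16, filler=string.ascii_lowercase):
    """Build a random password that meets every rule by construction."""
    parsed = parse_rules(rules)
    # Draw the required number of characters from each set first.
    picks = [secrets.choice(chars) for minimum, chars in parsed for _ in range(minimum)]
    if len(picks) > length:
        raise ValueError("length is too short for the configured minimums")
    # Fill the remainder from the filler plus all configured sets, then shuffle.
    pool = filler + "".join(chars for _, chars in parsed)
    picks += [secrets.choice(pool) for _ in range(length - len(picks))]
    secrets.SystemRandom().shuffle(picks)
    return "".join(picks)


if __name__ == "__main__":
    # Constructed password with no upper-case letter: the upper-case set is reported.
    print(violations("k3x9qm2vw7", RULES))
    # A generated password reports no violations.
    print(violations(generate(RULES), RULES))
```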