[OPENAM-11521] OpenAM should not generate a password when using auto federation and dynamic profile creation Created: 09/Aug/17  Updated: 05/Jul/20

Status: Open
Project: OpenAM
Component/s: None
Affects Version/s: 14.0.0
Fix Version/s: None

Type: Improvement Priority: Major
Reporter: Tina Roper Assignee: Unassigned
Resolution: Unresolved Votes: 1
Labels: AME, Backlog
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
is duplicated by OPENAM-12914 OpenDj Password Policy preventing Sam... Closed
Support Ticket IDs:


When OpenAM is the service provider and auto federation and dynamic user profile creation is configured, SAML federation fails.  The generated passwords given to users upon creation are failing the more complicated password policies in OpenDJ.

How to replicate:

Step 1.  Default install of OpenAM with an OpenDJ user store (I used an external OpenDJ)

Step 2.  Configure auto federation

Step 3.  Configure OpenAM to create a user profile if non exist.

Step 4.  Create a password validator on an OpenDJ Password Policy.  I used the Default Password Policy and I configure the Character Set for a validator.

Federation will fail with the following:

Constraint Violation: The password value for attribute userPassword was found to be unacceptable: The provided password did not contain enough characters from the character set 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'. The minimum number of characters from that set that must be present in user passwords is 1 

Since this user will only utilize federation, they do not need a password which would prevent federation from failing when there are complex password validators configured.

Comment by Simon Moffatt [ 11/Aug/17 ]

Whilst the password will never be need, the user stores (DJ, AD etc) are likely to stipulate the password field is mandatory.  Instead of altering the password policy, it's probably more secure to make sure AM generates a secure password when creating the user profile.

Comment by Peter Major [X] (Inactive) [ 11/Aug/17 ]

The default OpenDJ directory schema only requires the userPassword attribute when using the "simpleSecurityObject" objectclass, in all other cases the password field is optional.

Generated at Mon Sep 21 15:58:11 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.