[OPENAM-11521] OpenAM should not generate a password when using auto federation and dynamic profile creation Created: 09/Aug/17 Updated: 05/Jul/20
When OpenAM is the service provider and auto federation and dynamic user profile creation are configured, SAML federation fails. The generated passwords given to users upon creation are failing the more complicated password policies in OpenDJ.
How to replicate:
Step 1. Default install of OpenAM with an OpenDJ user store (I used an external OpenDJ)
Step 2. Configure auto federation
Step 3. Configure OpenAM to create a user profile if none exists.
Step 4. Create a password validator on an OpenDJ Password Policy. I used the Default Password Policy and I configured the Character Set for a validator.
Federation will fail with the following:
Constraint Violation: The password value for attribute userPassword was found to be unacceptable: The provided password did not contain enough characters from the character set 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'. The minimum number of characters from that set that must be present in user passwords is 1
Since this user will only utilize federation, they do not need a password, which would prevent federation from failing when there are complex password validators configured.
|Comment by Simon Moffatt [ 11/Aug/17 ]|
Whilst the password will never be needed, the user stores (DJ, AD etc) are likely to stipulate the password field is mandatory. Instead of altering the password policy, it's probably more secure to make sure AM generates a secure password when creating the user profile.
|Comment by Peter Major [X] (Inactive) [ 11/Aug/17 ]|
The default OpenDJ directory schema only requires the userPassword attribute when using the "simpleSecurityObject" objectclass, in all other cases the password field is optional.
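The following is an added illustration, not code from OpenAM or OpenDJ, of the two halves of this thread: why a generated password trips the character-set validator described in the report, and what the "generate a password that satisfies the policy" alternative from the first comment looks like. It models the OpenDJ character-set validator as I understand it (each configured set is written "N:chars" and the password must contain at least N characters from every set; an "allow unclassified characters" switch controls whether characters outside all sets are tolerated); that modelling, the sample character sets, and the lowercase-only sample password are assumptions constructed for the example, not OpenAM's actual generator output. The ticket's own position, that a federation-only profile should simply be created without userPassword, needs no code at all.

```python
import secrets
import string

# Character sets in the "N:chars" form the OpenDJ validator uses (assumed here;
# constructed to match the validator the ticket configures). The second set is
# the uppercase set named in the quoted Constraint Violation.
CHARACTER_SETS = [
    "1:" + string.ascii_lowercase,
    "1:" + string.ascii_uppercase,
    "1:" + string.digits,
    "1:~!@#$%^&*()-_=+[]{}|;:,.<>/?",
]


def parse_character_sets(specs):
    """Turn 'N:chars' specs into (min_count, chars) pairs.

    partition() splits only on the first ':' so a ':' inside the symbol set
    stays part of the set.
    """
    parsed = []
    for spec in specs:
        count, _, chars = spec.partition(":")
        if not count.isdigit() or not chars:
            raise ValueError(f"bad character-set spec: {spec!r}")
        parsed.append((int(count), chars))
    return parsed


def validate_password(password, specs=CHARACTER_SETS, allow_unclassified=True):
    """Return None if the password is acceptable, otherwise a message in the
    style of the Constraint Violation quoted in the ticket."""
    parsed = parse_character_sets(specs)
    for minimum, chars in parsed:
        present = sum(1 for c in password if c in chars)
        if present < minimum:
            return (f"The provided password did not contain enough characters "
                    f"from the character set '{chars}'. The minimum number of "
                    f"characters from that set that must be present in user "
                    f"passwords is {minimum}")
    if not allow_unclassified:
        classified = set().union(*(chars for _, chars in parsed))
        stray = [c for c in password if c not in classified]
        if stray:
            return f"The provided password contains unclassified characters: {stray!r}"
    return None


def generate_compliant_password(length=20, specs=CHARACTER_SETS):
    """Generate a random password that meets every set's minimum.

    Each required set contributes its minimum number of characters first, the
    remainder is drawn from the union of all sets, and the result is shuffled
    with a CSPRNG so the required characters do not sit in fixed positions.
    This is the "AM generates a policy-compliant password" alternative, not
    what OpenAM actually does.
    """
    parsed = parse_character_sets(specs)
    required = sum(n for n, _ in parsed)
    if length < required:
        raise ValueError("length is shorter than the configured minimums")
    chars = []
    for minimum, alphabet in parsed:
        chars.extend(secrets.choice(alphabet) for _ in range(minimum))
    pool = "".join(alphabet for _, alphabet in parsed)
    chars.extend(secrets.choice(pool) for _ in range(length - len(chars)))
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    # A lowercase-only random string (constructed sample) fails on the
    # uppercase set, exactly the class of error the ticket reports.
    print(validate_password("a3f09b2c7d1e"))
    pw = generate_compliant_password()
    print(pw, validate_password(pw))
```

Run stand-alone it prints the uppercase-set rejection for the lowercase sample and then a generated password with `None` (accepted). Note that the generator only helps if the directory password policy is the one the code knows about; a second validator (length, dictionary, history) added later would reintroduce the failure, which is why omitting userPassword for federation-only users is the more robust fix when the objectclass permits it.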