
Dynamic user profile creation fails with The password value for attribute userPassword was found to be unacceptable error in AM (All versions) and OpenAM 13.x

Last updated Jul 9, 2018

The purpose of this article is to provide assistance if dynamic user profile creation fails with an "ldap exception 19: The password value for attribute userPassword was found to be unacceptable" or "The password did not meet the password policy requirements" error. This issue also occurs if AM/OpenAM is acting as the Service Provider (SP) and auto-federation is configured to use dynamic account creation; in that scenario you will also see the error "SPACSUtils.processResponse : error code=-1 com.sun.identity.plugin.session.SessionException: Login failed with unknown reason".


Symptoms

User profiles are not created as expected after successful authentication.

An error similar to one of the following is shown in the Authentication debug logs when dynamic user profile creation fails:

  • The password value for attribute userPassword was found to be unacceptable:
    ERROR: Cannot create user profile for: new_user
    amAuth:05/06/2018 11:31:22:288 PM BST: Thread[default task-1,5,main]: TransactionId[780c49b3-8b87-4eb4-9407-cc8fa553843b-2411231]
    Stack trace: 
    Message:Plug-in org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo encountered an ldap exception 19: The password value for attribute userPassword was found to be unacceptable: The provided password did not contain <details of password policy>
       at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.handleErrorResult(DJLDAPv3Repo.java:2508)
       at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.create(DJLDAPv3Repo.java:688)
       at com.sun.identity.idm.server.IdServicesImpl.create(IdServicesImpl.java:427)
       at com.sun.identity.idm.AMIdentityRepository.createIdentity(AMIdentityRepository.java:463)
       at com.sun.identity.authentication.service.LoginState.createUserIdentity(LoginState.java:5448)
       at com.sun.identity.authentication.service.LoginState.createUserProfile(LoginState.java:1925)
       at com.sun.identity.authentication.service.LoginState.getCreateUserProfile(LoginState.java:2553)
       at com.sun.identity.authentication.service.LoginState.searchUserProfile(LoginState.java:2394)
       at com.sun.identity.authentication.service.AMLoginContext.runLogin(AMLoginContext.java:553)
       at com.sun.identity.authentication.server.AuthContextLocal.submitRequirements(AuthContextLocal.java:586)
       at com.sun.identity.authentication.AuthContext.submitRequirements(AuthContext.java:1235)
       at com.sun.identity.authentication.AuthContext.submitRequirements(AuthContext.java:1221)
    
  • The password did not meet the password policy requirements:
    amAuth:05/06/2018 11:31:22:288 PM BST: Thread[http-nio-8081-exec-1,5,main]: TransactionId[177135ec-ef6e-455f-a2bf-ed4f46a31ae6-1692]
    Stack trace: 
    Message:The password did not meet the password policy requirements.
       at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.handleErrorResult(DJLDAPv3Repo.java:2485)
       at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.create(DJLDAPv3Repo.java:681)
       at com.sun.identity.idm.server.IdServicesImpl.create(IdServicesImpl.java:427)
       at com.sun.identity.idm.AMIdentityRepository.createIdentity(AMIdentityRepository.java:462)
       at com.sun.identity.authentication.AuthContext.submitRequirements(AuthContext.java:1218)
       at com.sun.identity.plugin.session.impl.FMSessionProvider.createSession(FMSessionProvider.java:247)
    

If AM/OpenAM is acting as the SP, federation will fail and the user is returned to the login page after attempting to federate.

The following errors are shown in the Federation debug log when this happens:

libSAML2:05/06/2018 11:31:22:292 PM EDT: Thread[default task-28,5,main]: TransactionId[f9aee006-bdf8-45df-bae5-b3ff46f54607-6629766]
SPACSUtils.processResponse : error code=-1
com.sun.identity.plugin.session.SessionException: Login failed with unknown reason.
   at com.sun.identity.plugin.session.impl.FMSessionProvider.createSession(FMSessionProvider.java:275)
   at com.sun.identity.saml2.profile.SPACSUtils.processResponse(SPACSUtils.java:1220)
   at org.apache.jsp.saml2.jsp.spAssertionConsumer_jsp._jspService(spAssertionConsumer_jsp.java:317)
   at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
   at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
libSAML2:05/06/2018 11:31:22:293 PM EDT: Thread[default task-1,5,main]: TransactionId[780c49b3-8b87-4eb4-9407-cc8fa553843b-2411231]
ERROR: spAssertionConsumer.jsp: SSO failed. 
com.sun.identity.saml2.common.SAML2Exception: Login failed with unknown reason.
   at com.sun.identity.saml2.profile.SPACSUtils.processResponse(SPACSUtils.java:1241)
   at org.apache.jsp.saml2.jsp.spAssertionConsumer_jsp._jspService(spAssertionConsumer_jsp.java:317)
   at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
   at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
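The amAuth entry and the libSAML2 entry above share a TransactionId, which is how the SP-side "Login failed with unknown reason" is tied back to the rejected userPassword. The following triage script, added here as an example and not part of the article or of ForgeRock's code, parses AM debug log text into entries, flags transactions in which profile creation was rejected by the password policy, and notes whether the same transaction also logged a SAML failure. The log sample is constructed from the entries quoted in this article.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the amAuth and libSAML2 entries quoted in this article.
SAMPLE_LOG = """\
amAuth:05/06/2018 11:31:22:288 PM BST: Thread[default task-1,5,main]: TransactionId[780c49b3-8b87-4eb4-9407-cc8fa553843b-2411231]
ERROR: Cannot create user profile for: new_user
Message:Plug-in org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo encountered an ldap exception 19: The password value for attribute userPassword was found to be unacceptable
   at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.handleErrorResult(DJLDAPv3Repo.java:2508)
libSAML2:05/06/2018 11:31:22:293 PM EDT: Thread[default task-1,5,main]: TransactionId[780c49b3-8b87-4eb4-9407-cc8fa553843b-2411231]
ERROR: spAssertionConsumer.jsp: SSO failed.
com.sun.identity.saml2.common.SAML2Exception: Login failed with unknown reason.
amAuth:05/06/2018 11:35:01:002 PM BST: Thread[default task-3,5,main]: TransactionId[constructed-txid-0001]
Message:unrelated entry with no profile creation error
"""

# First line of every AM debug entry: component, timestamp, thread, TransactionId.
HEADER = re.compile(r"^(?P<component>\w+):\d{2}/\d{2}/\d{4} [\d:]+ [AP]M \w+: "
                    r"Thread\[[^\]]*\]: TransactionId\[(?P<txid>[^\]]+)\]")

# Messages that mark a dynamic profile creation rejected by the DS/OpenDJ password policy.
POLICY_MARKERS = ("ldap exception 19",
                  "The password value for attribute userPassword was found to be unacceptable",
                  "The password did not meet the password policy requirements")
SP_MARKER = "Login failed with unknown reason"  # what the SP side reports instead of the cause

def parse_entries(text):
    """Split debug log text into entries: {component, txid, body (list of lines)}."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({"component": m["component"], "txid": m["txid"], "body": []})
        elif entries:
            entries[-1]["body"].append(line.strip())
    return entries

def find_profile_creation_failures(text):
    """Return {txid: {policy_rejected, sp_failure, user}} for transactions hit by the policy."""
    seen = defaultdict(lambda: {"policy_rejected": False, "sp_failure": False, "user": None})
    for entry in parse_entries(text):
        body = "\n".join(entry["body"])
        info = seen[entry["txid"]]
        if any(marker in body for marker in POLICY_MARKERS):
            info["policy_rejected"] = True
            who = re.search(r"Cannot create user profile for: (\S+)", body)
            info["user"] = who.group(1) if who else info["user"]
        if entry["component"] == "libSAML2" and SP_MARKER in body:
            info["sp_failure"] = True  # same TransactionId: the SAML failure is a symptom, not the cause
    return {txid: info for txid, info in seen.items() if info["policy_rejected"]}
```

Point it at the concatenated amAuth and libSAML2 debug files; a transaction with `sp_failure` set and no `policy_rejected` has a different root cause and needs separate investigation.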

Recent Changes

Configured dynamic user profile creation.

Configured password policies in DS/OpenDJ.

Causes

AM/OpenAM generates passwords for dynamically created user profiles; these generated passwords are not configurable and do not adhere to any password policies configured in DS/OpenDJ. You will see this issue when the password policy in DS/OpenDJ requires a different format from the one AM/OpenAM uses when it generates passwords.

Solution

You can work around this issue by disabling the DS/OpenDJ password policy validation for administrators, which allows AM/OpenAM to create passwords during dynamic user profile creation. The setting belongs to a specific password policy, so apply it to the policy that governs the entries AM/OpenAM creates; note that it also exempts any other password set by an administrator under that policy from validation.

You can disable password policy validation using dsconfig, for example:

$ ./dsconfig set-password-policy-prop --policy-name "Default Password Policy" --set skip-validation-for-administrators:true --no-prompt

See Also

How does AM/OpenAM (All versions) use account mapping to identify the end user from a SAML Assertion?

How do I configure the SAML2 Authentication module for Auto Federation in AM (All versions) and OpenAM 13.x?

Authentication and Single Sign-On Guide › User Profile

SAML v2.0 Guide › Configuring How Remote Accounts Map To Local Accounts

Reference › dsconfig

Related Training

N/A

Related Issue Tracker IDs

OPENAM-11521 (OpenAM should not generate a password when using auto federation and dynamic profile creation)



Copyright and Trademarks

Copyright © 2018 ForgeRock, all rights reserved.
