Dynamic user profile creation fails with The password value for attribute userPassword was found to be unacceptable error in AM (All versions)
The purpose of this article is to provide assistance if dynamic user profile creation fails with "an ldap exception 19: The password value for attribute userPassword was found to be unacceptable" or "The password did not meet the password policy requirements" error. This issue also occurs if AM is acting as the Service Provider (SP) and auto-federation is configured to use dynamic account creation; you will see "SPACSUtils.processResponse : error code=-1 com.sun.identity.plugin.session.SessionException: Login failed with unknown reason" error as well in this scenario.
Symptoms
User profiles are not created as expected after successful authentication.
An error similar to one of the following is shown in the Authentication debug logs when dynamic user profile creation fails:
- The password value for attribute userPassword was found to be unacceptable:
  ERROR: Cannot create user profile for: new_user
  amAuth:05/06/2018 11:31:22:288 PM BST: Thread[default task-1,5,main]: TransactionId[780c49b3-8b87-4eb4-9407-cc8fa553843b-2411231]
  Stack trace:
  Message:Plug-in org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo encountered an ldap exception 19: The password value for attribute userPassword was found to be unacceptable: The provided password did not contain <details of password policy>
    at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.handleErrorResult(DJLDAPv3Repo.java:2508)
    at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.create(DJLDAPv3Repo.java:688)
    at com.sun.identity.idm.server.IdServicesImpl.create(IdServicesImpl.java:427)
    at com.sun.identity.idm.AMIdentityRepository.createIdentity(AMIdentityRepository.java:463)
    at com.sun.identity.authentication.service.LoginState.createUserIdentity(LoginState.java:5448)
    at com.sun.identity.authentication.service.LoginState.createUserProfile(LoginState.java:1925)
    at com.sun.identity.authentication.service.LoginState.getCreateUserProfile(LoginState.java:2553)
    at com.sun.identity.authentication.service.LoginState.searchUserProfile(LoginState.java:2394)
    at com.sun.identity.authentication.service.AMLoginContext.runLogin(AMLoginContext.java:553)
    at com.sun.identity.authentication.server.AuthContextLocal.submitRequirements(AuthContextLocal.java:586)
    at com.sun.identity.authentication.AuthContext.submitRequirements(AuthContext.java:1235)
    at com.sun.identity.authentication.AuthContext.submitRequirements(AuthContext.java:1221)
- The password did not meet the password policy requirements:
  amAuth:05/06/2018 11:31:22:288 PM BST: Thread[http-nio-8081-exec-1,5,main]: TransactionId[177135ec-ef6e-455f-a2bf-ed4f46a31ae6-1692]
  Stack trace:
  Message:The password did not meet the password policy requirements.
    at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.handleErrorResult(DJLDAPv3Repo.java:2485)
    at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.create(DJLDAPv3Repo.java:681)
    at com.sun.identity.idm.server.IdServicesImpl.create(IdServicesImpl.java:427)
    at com.sun.identity.idm.AMIdentityRepository.createIdentity(AMIdentityRepository.java:462)
    at com.sun.identity.authentication.AuthContext.submitRequirements(AuthContext.java:1218)
    at com.sun.identity.plugin.session.impl.FMSessionProvider.createSession(FMSessionProvider.java:247)
If AM is acting as the SP, federation will fail and the user is returned to the login page after attempting to federate.
The following errors are shown in the Federation debug log when this happens:
  libSAML2:05/06/2018 11:31:22:292 PM EDT: Thread[default task-28,5,main]: TransactionId[f9aee006-bdf8-45df-bae5-b3ff46f54607-6629766]
  SPACSUtils.processResponse : error code=-1
  com.sun.identity.plugin.session.SessionException: Login failed with unknown reason.
    at com.sun.identity.plugin.session.impl.FMSessionProvider.createSession(FMSessionProvider.java:275)
    at com.sun.identity.saml2.profile.SPACSUtils.processResponse(SPACSUtils.java:1220)
    at org.apache.jsp.saml2.jsp.spAssertionConsumer_jsp._jspService(spAssertionConsumer_jsp.java:317)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
  libSAML2:05/06/2018 11:31:22:293 PM EDT: Thread[default task-1,5,main]: TransactionId[780c49b3-8b87-4eb4-9407-cc8fa553843b-2411231]
  ERROR: spAssertionConsumer.jsp: SSO failed.
  com.sun.identity.saml2.common.SAML2Exception: Login failed with unknown reason.
    at com.sun.identity.saml2.profile.SPACSUtils.processResponse(SPACSUtils.java:1241)
    at org.apache.jsp.saml2.jsp.spAssertionConsumer_jsp._jspService(spAssertionConsumer_jsp.java:317)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
Recent Changes
Configured dynamic user profile creation.
Configured password policies in DS.
Causes
AM generates passwords for dynamically created user profiles; these are not configurable and do not adhere to any password policies configured in DS. You will see this issue when the password policy in DS requires a different format from the one AM uses when it generates passwords.
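To confirm this cause from the debug logs, the two amAuth error variants above can be matched and, when AM is the SP, correlated with the libSAML2 failure through the shared TransactionId (the same id, 780c49b3-...-2411231, appears in both logs in the excerpts above). The script below is an added example, not part of this article or of AM/DS; it assumes the debug records have been reduced to one line each, and the sample log is constructed from the excerpts above plus one made-up successful login.

```shell
#!/bin/sh
# Constructed sample: amAuth and libSAML2 debug records, one record per line,
# taken from the excerpts in this article (the "alice" success line is made up).
SAMPLE_LOG='amAuth:05/06/2018 11:31:22:288 PM BST: Thread[default task-1,5,main]: TransactionId[780c49b3-8b87-4eb4-9407-cc8fa553843b-2411231] Stack trace: Message:Plug-in org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo encountered an ldap exception 19: The password value for attribute userPassword was found to be unacceptable
amAuth:05/06/2018 11:31:22:288 PM BST: Thread[http-nio-8081-exec-1,5,main]: TransactionId[177135ec-ef6e-455f-a2bf-ed4f46a31ae6-1692] Stack trace: Message:The password did not meet the password policy requirements.
amAuth:05/06/2018 11:31:23:001 PM BST: Thread[default task-2,5,main]: TransactionId[aaaaaaaa-0000-0000-0000-000000000000-1] Login success for user alice
libSAML2:05/06/2018 11:31:22:292 PM EDT: Thread[default task-28,5,main]: TransactionId[f9aee006-bdf8-45df-bae5-b3ff46f54607-6629766] SPACSUtils.processResponse : error code=-1 com.sun.identity.plugin.session.SessionException: Login failed with unknown reason.
libSAML2:05/06/2018 11:31:22:293 PM EDT: Thread[default task-1,5,main]: TransactionId[780c49b3-8b87-4eb4-9407-cc8fa553843b-2411231] ERROR: spAssertionConsumer.jsp: SSO failed. com.sun.identity.saml2.common.SAML2Exception: Login failed with unknown reason.'

# Print the TransactionId of every amAuth record in which DS rejected the
# AM-generated password, matching either message variant from this article.
failed_profile_txids() {
  printf '%s\n' "$1" |
    grep -E 'ldap exception 19: The password value for attribute userPassword|The password did not meet the password policy requirements' |
    sed -n 's/.*TransactionId\[\([^]]*\)\].*/\1/p'
}

# Succeed (exit 0) if the given TransactionId also produced the libSAML2
# "Login failed with unknown reason" error, i.e. AM is the SP and the
# auto-federated login failed because profile creation failed.
federation_failed_for() {
  printf '%s\n' "$1" |
    grep -F "TransactionId[$2]" |
    grep -qE 'libSAML2:.*Login failed with unknown reason'
}

# Number of rejected dynamic profile creations in the log.
count_failed_profiles() {
  failed_profile_txids "$1" | wc -l | tr -d ' '
}

for txid in $(failed_profile_txids "$SAMPLE_LOG"); do
  if federation_failed_for "$SAMPLE_LOG" "$txid"; then
    echo "$txid: profile creation rejected by DS password policy; SAML SSO failed in the same transaction"
  else
    echo "$txid: profile creation rejected by DS password policy"
  fi
done
```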
Solution
You can work around this issue by disabling the DS password policy validation for administrators, which allows AM to create passwords during dynamic user profile creation. Because AM binds to DS with an administrative account, this setting also skips validation for any other password set through that account or through any other DS administrator, not only for the passwords AM generates during dynamic profile creation.
You can disable password policy validation using dsconfig, for example:
$ ./dsconfig set-password-policy-prop --policy-name "Default Password Policy" --set skip-validation-for-administrators:true --no-prompt
See Also
How does AM (All versions) use account mapping to identify the end user from a SAML Assertion?
How do I configure the SAML2 Authentication module for Auto Federation in AM (All versions)?
Core authentication attributes
Related Training
N/A