Dynamic user profile creation fails with The password value for attribute userPassword was found to be unacceptable error in AM (All versions)

Symptoms

User profiles are not created as expected after successful authentication.

An error similar to one of the following is shown in the Authentication debug logs when dynamic user profile creation fails:

• The password value for attribute userPassword was found to be unacceptable: ERROR: Cannot create user profile for: new_user amAuth:05/06/2018 11:31:22:288 PM BST: Thread[default task-1,5,main]: TransactionId[780c49b3-8b87-4eb4-9407-cc8fa553843b-2411231] Stack trace: Message:Plug-in org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo encountered an ldap exception 19: The password value for attribute userPassword was found to be unacceptable: The provided password did not contain <details of password policy> at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.handleErrorResult(DJLDAPv3Repo.java:2508) at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.create(DJLDAPv3Repo.java:688) at com.sun.identity.idm.server.IdServicesImpl.create(IdServicesImpl.java:427) at com.sun.identity.idm.AMIdentityRepository.createIdentity(AMIdentityRepository.java:463) at com.sun.identity.authentication.service.LoginState.createUserIdentity(LoginState.java:5448) at com.sun.identity.authentication.service.LoginState.createUserProfile(LoginState.java:1925) at com.sun.identity.authentication.service.LoginState.getCreateUserProfile(LoginState.java:2553) at com.sun.identity.authentication.service.LoginState.searchUserProfile(LoginState.java:2394) at com.sun.identity.authentication.service.AMLoginContext.runLogin(AMLoginContext.java:553) at com.sun.identity.authentication.server.AuthContextLocal.submitRequirements(AuthContextLocal.java:586) at com.sun.identity.authentication.AuthContext.submitRequirements(AuthContext.java:1235) at com.sun.identity.authentication.AuthContext.submitRequirements(AuthContext.java:1221)
• The password did not meet the password policy requirements: amAuth:05/06/2018 11:31:22:288 PM BST: Thread[http-nio-8081-exec-1,5,main]: TransactionId[177135ec-ef6e-455f-a2bf-ed4f46a31ae6-1692] Stack trace: Message:The password did not meet the password policy requirements. at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.handleErrorResult(DJLDAPv3Repo.java:2485) at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.create(DJLDAPv3Repo.java:681) at com.sun.identity.idm.server.IdServicesImpl.create(IdServicesImpl.java:427) at com.sun.identity.idm.AMIdentityRepository.createIdentity(AMIdentityRepository.java:462) at com.sun.identity.authentication.AuthContext.submitRequirements(AuthContext.java:1218) at com.sun.identity.plugin.session.impl.FMSessionProvider.createSession(FMSessionProvider.java:247)

If AM is acting as the SP, federation will fail and the user is returned to the login page after attempting to federate.

The following errors are shown in the Federation debug log when this happens:

Recent Changes

Configured dynamic user profile creation.

Configured password policies in DS.

Causes

AM generates passwords for dynamically created user profiles; these are not configurable and do not adhere to any password policies configured in DS. You will see this issue when the password policy in DS requires a different format to the one used by AM when it generates passwords.

Solution

You can workaround this issue by disabling the DS password policy validation for administrators, which allows AM to create passwords during dynamic user profile creation.

You can disable password policy validation using dsconfig, for example:

See Also

How does AM (All versions) use account mapping to identify the end user from a SAML Assertion?

How do I configure the SAML2 Authentication module for Auto Federation in AM (All versions)?

Core authentication attributes

dsconfig

Related Training

N/A

Related Issue Tracker IDs

OPENAM-11521 (OpenAM should not generate a password when using auto federation and dynamic profile creation)