Symptom
The target system in an IPS job is Identity Authentication Service (IAS). You have configured the target IAS JSON transformation to create a password for newly provisioned users by using an existing user attribute. The intention should be to create an initial password for users only.
Example:
{
    "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:sfsf:2.0:User']['firstName']",
    "targetPath": "$.password",
    "scope": "createEntity"
}
Here the firstName attribute is assigned to the $.password variable for newly provisioned users with "scope": "createEntity".
In the IPS job logs you get an error similar to the following:
- HTTP operation failed invoking https://<IAS_TenantID>.accounts.ondemand.com/service/scim/Users with statusCode: 400, Response: Insufficient password. The password must comply with the requirements
\n\ncontent={\"active\":true,\"displayName\":\"John Doe (00xxxxxxxxx))\",\"emails\":[{\"value\":\"someuserid@sap-test.de\"}],\"mailVerified\":\"true\",\"name\":{\"familyName\":\"Doe\",\"givenName\":\"John\"},\"password\":\"John\",\"passwordStatus\":\"initial\".....
Here the user's first name 'John' has been set as the password.
Environment
SAP Business Technology Platform
Reproducing the Issue
Configure Identity Authentication (IAS) as target system and run IPS job.
Cause
The password that results from the transformation does not meet the IAS password policy.
Resolution
The IAS minimum password policies must be considered when creating a password for users in such a way.
The minimum policies are:
- Minimum length of 8 characters
- Maximum length of 255 characters
- Characters from at least three of the following groups:
  - Lower-case Latin characters (a-z);
  - Upper-case Latin characters (A-Z);
  - Base 10 digits (0-9);
  - Non-alphabetic characters (!@#$%...);
When using an existing attribute that will not meet the requirements, as is the case with firstName, you can extend the transformation to append a defined suffix or prefix to the password. The aim should be that all requirements are met, so that the password is valid for all users it will be created for.
Taking the firstName attribute as an example, the name 'John' fails because it is fewer than 8 characters long and only contains characters from two groups (lower-case and upper-case).
To resolve this, you can apply a function to the transformation to add a suffix or prefix to the password in order to meet the password requirements.
Example:
{
    "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:sfsf:2.0:User']['firstName']",
    "targetPath": "$.password",
    "scope": "createEntity",
    "functions": [
        {
            "type": "concatString",
            "suffix": "7811!"
        }
    ]
}
Here 7811! is added to the end of the password. With the example firstName 'John', the generated password is John7811!.
Note
This JSON is for demonstration purposes only. Do not use it directly in your own environment!
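The policy check described above can be run over a sample of first names before the IPS job is started. The following is an added example, not SAP code and not part of the original article: policy_violations, concat_string and audit are hypothetical helper names, concat_string is only a local stand-in for the concatString function, and the sample names are constructed.

```python
import string

# Minimum IAS password policy as listed in this article.
MIN_LEN, MAX_LEN, MIN_GROUPS = 8, 255, 3

def policy_violations(password):
    """Return the reasons a password fails the minimum policy (empty list if it passes)."""
    reasons = []
    if len(password) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if len(password) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    groups = {
        "lower": any(c in string.ascii_lowercase for c in password),
        "upper": any(c in string.ascii_uppercase for c in password),
        "digit": any(c in string.digits for c in password),
        # Assumption: "non-alphabetic" means neither a letter nor a digit.
        "other": any(not c.isalnum() for c in password),
    }
    used = sum(groups.values())
    if used < MIN_GROUPS:
        reasons.append(f"only {used} of 4 character groups")
    return reasons

def concat_string(value, prefix="", suffix=""):
    """Local stand-in (assumption) for what concatString does to the source value."""
    return f"{prefix}{value}{suffix}"

def audit(first_names, prefix="", suffix=""):
    """Map each first name whose generated password would be rejected to the reasons."""
    failures = {}
    for name in first_names:
        reasons = policy_violations(concat_string(name, prefix, suffix))
        if reasons:
            failures[name] = reasons
    return failures

# Constructed sample values, not real user data.
SAMPLE_FIRST_NAMES = ["John", "Al", "Bo", "Maximilian", "anne-marie"]

if __name__ == "__main__":
    print("no function: ", audit(SAMPLE_FIRST_NAMES))
    print("suffix 7811!:", audit(SAMPLE_FIRST_NAMES, suffix="7811!"))
```

With the suffix 7811!, the two-letter names still produce 7-character passwords and would be rejected with the same HTTP 400, so the suffix or prefix has to be long enough for the shortest source value. Passing this check only means the policy is met; a password built from firstName and a fixed string remains predictable to anyone who knows the mapping.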
Another option, when SuccessFactors is the source system of the provisioning to IAS, is to migrate passwords instead of manually creating them via transformation.
See Also
- Configuring Password Policies (list of IAS password policy requirements)
- 2950998 - How to migrate User Passwords from SAP SuccessFactors to Identity Authentication
Keywords
HTTP 400, Insufficient, password, requirements, IPS, Identity Provisioning, $.password, passwordStatus, KBA, BC-IAM-IPS, Identity Provisioning Service (IPS), Problem