SAP Knowledge Base Article - Public

3191208 - The password must comply with the requirements - IPS job error


The target system in an IPS job is Identity Authentication Service (IAS). You have configured the target IAS JSON transformation to create a password for newly provisioned users from an existing user attribute. The intention is to create an initial password for users only.


                {
                    "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:sfsf:2.0:User']['firstName']",
                    "targetPath": "$.password",
                    "scope": "createEntity"
                }

Here the firstName attribute is mapped to $.password for newly provisioned users only, through "scope": "createEntity".

In the IPS job logs you get an error similar to the following:

HTTP operation failed invoking https://<IAS_TenantID> with statusCode: 400, Response: Insufficient password. The password must comply with the requirements

\n\ncontent={\"active\":true,\"displayName\":\"John Doe (00xxxxxxxxx))\",\"emails\":[{\"value\":\"\"}],\"mailVerified\":\"true\",\"name\":{\"familyName\":\"Doe\",\"givenName\":\"John\"},\"password\":\"John\",\"passwordStatus\":\"initial\".....

Here the user's first name 'John' has been set as the password.


SAP Business Technology Platform

Reproducing the Issue

Configure target IAS json and run IPS job.


The password resulting from the transformation does not meet the IAS password policy.


The IAS minimum password policies must be considered when creating a password for users in such a way. 

The minimum policies are:

  • Minimum length of 8 characters
  • Maximum length of 255 characters
  • Characters from at least three of the following groups:
    Lower-case Latin characters (a-z);
    Upper-case Latin characters (A-Z);
    Base 10 digits (0-9);
    Non-alphabetic characters (!@#$%...);

When using an existing attribute that will not meet the requirements, as is the case with firstName, you can extend the transformation to append a defined suffix or prefix to the password. The aim should be that all requirements are met, so that the password is valid for every user it will be created for.

Taking the firstName attribute as an example, the name 'John' fails as it is less than 8 characters long and only contains characters from two groups (lower-case and upper-case).  

To resolve this, you can apply a function to the transformation to add a suffix or prefix to the password in order to meet the password requirements. 


 {
  "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:sfsf:2.0:User']['firstName']",
  "targetPath": "$.password",
  "scope": "createEntity",
  "functions": [
   {
    "type": "concatString",
    "suffix": "7811!"
   }
  ]
 }

Here 7811! will be added to the end of the password. With the example firstName 'John', the generated password is John7811!.


This JSON is for demonstration purposes only. Do not use it directly in your own environment!
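To check before running the job whether a prefix or suffix makes the password valid for every user, the sketch below applies the minimum policy listed above to a set of first names. It is an added example, not SAP code: the function names and the sample names are constructed, and it assumes that length is counted in characters and that non-Latin letters count toward no group.

```python
import string

# Minimum IAS policy as listed in this article.
MIN_LEN, MAX_LEN, MIN_GROUPS = 8, 255, 3

def char_groups(password):
    """Return the set of policy character groups present in the password."""
    groups = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            groups.add("lower")
        elif ch in string.ascii_uppercase:
            groups.add("upper")
        elif ch in string.digits:
            groups.add("digit")
        elif not ch.isalpha():
            # Assumption: letters outside a-z/A-Z (e.g. 'é') count toward no group.
            groups.add("non-alphabetic")
    return groups

def policy_violations(password):
    """List the reasons a password fails the minimum policy (empty list = passes)."""
    problems = []
    if len(password) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(password) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    found = char_groups(password)
    if len(found) < MIN_GROUPS:
        problems.append(f"only {len(found)} of 4 character groups")
    return problems

def check_transformation(first_names, prefix="", suffix=""):
    """Apply a concatString-style prefix/suffix; return the names IAS would reject."""
    rejected = {}
    for name in first_names:
        problems = policy_violations(f"{prefix}{name}{suffix}")
        if problems:
            rejected[name] = problems
    return rejected

if __name__ == "__main__":
    names = ["John", "Al", "jo", "Maximilian"]  # constructed sample data
    print(check_transformation(names))                  # no suffix
    print(check_transformation(names, suffix="7811!"))  # suffix from the article
```

With the article's suffix, first names of one or two characters still produce a password shorter than 8 characters, so the job would fail for those users. Passing this check only means the policy accepts the value; a password built from the first name and a fixed suffix remains guessable by anyone who knows the pattern.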

Another option, when SuccessFactors is the source system of the provisioning to IAS, is to migrate passwords instead of creating them manually via a transformation.

See Also

Configuring Password Policies (list of IAS password policy requirements)

2950998 - How to migrate User Passwords from SAP SuccessFactors to Identity Authentication


KBA , BC-IAM-IPS , Identity Provisioning Service (IPS) , Problem


SAP SuccessFactors HXM Core 2111