Hi David
The assertion : (added in Gateway 9.3 CR3)
Change CA SSO User Password Assertion - CA API Gateway - 9.3 - CA Technologies Documentation
would be using the : CA Single Sign On DMS Api
Delegated Management Services API - CA Single Sign-On - 12.7 - CA Technologies Documentation
I see the assertion has this note :
The reasonCode context variable is set only if SmDmsUser#changePassword(String newPassword, String oldPassword, boolean doNotRequireOldPassword) method in DMS API fails. If the assertion fails for any other reason (that is, it cannot connect to CA Policy Server, it cannot find user in the user directory, and so on), the reasonCode context variable is not set.
But that the assertion does not specify the "doNotRequireOldPassword" value (at least in the documentation) - So I expect it is set to false.
To use the DMS Api functions there is a two step process :
a) First you need to login, using UN / OldPW
b) And then execute the changePassword function. using (UN/ OldPW/ NewPW)
Step a) the login to SSO will trigger all the normal password failure methods for any normal SSO login and lockout etc.
Step b) for non admin user will give an error if you try and specify another user or doNotRequireOldPassword=true.
So I am fairly sure you are safe.
However, for the raw DMS Api function, if you login as an SSO admin user, they can change other users passwords, and they can also specify the doNotRequreOldPassword=true, to overwrite passwords without checking - but that does not seem how this function is wrapped in the assertion.
But I will have to upgrade to CR3 in my install and check ( that may not happen today, but should be able to get back early next week).
Cheers - Mark
PS: The most common reason for failure is that there is some problem with the new password such as it does not meet complexity requirements or is previously used.