Symantec Access Management

  • 1.  SSO - RegEx not working

    Posted Dec 03, 2019 11:43 PM

    Team,


    I am facing challenges in using RegEx as part of the password policy configuration to meet one of the requirements:

    • Must contain at least three of these four:
      • Uppercase letter
      • Lowercase letter
      • Number
      • Symbols allowed: ! # % ( ) * , ; : @ - $ =

    Here is a RegEx to meet my exact requirement, which I have been trying to make work with the password policy:


    /^((?=.*[A-Z])(?=.*[a-z])(?=.*\d)|(?=.*[a-z])(?=.*\d)(?=.*[\$\%\&])|(?=.*[A-Z])(?=.*\d)(?=.*[\$\%\&])|(?=.*[A-Z])(?=.*[a-z])(?=.*[\$\%\&])).{8,16}$/

    https://rubular.com/r/tPcR0v5rgV


    I also found a caveat for this kind of lengthy expression:
    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/configuring/policy-server-configuration/password-services-and-policies/how-to-configure-password-policies.html?_ga=2.261765069.1157089255.1575321144-720136992.1571758684

    Limit:
     Each regular expression can contain no more than 10 subexpressions, including the expression itself. The number of subexpressions equals the number of left or opening parentheses in the regular expression plus one more left parenthesis for the expression itself.

    Appreciate any suggestions.

    Thanks
    Ashok



  • 2.  RE: SSO - RegEx not working
    Best Answer

    Broadcom Employee
    Posted Dec 06, 2019 10:17 AM
    Hi Ashok,

    There may be other ways or workarounds to do this.
    The quoted regular expression can be configured in the Admin UI, but I am not sure whether exceptions will be reached at run time, since the documentation specifically says "no more than 10 subexpressions".
    Since they are logically OR, would it be possible to define two separate regular expressions instead?
    Also, the configuration option can be "MUST Match" vs. "MUST NOT MATCH".
    The 3rd-party link explains another option, like:
    ^(.{0,7}|[^0-9]*|[^A-Z]*|[^a-z]*|[a-zA-Z0-9]*)$

    If anything matches that, then it's an invalid password.
    You may customize it further based on your specific requirement.

    https://stackoverflow.com/questions/19605150/regex-for-password-must-contain-at-least-eight-characters-at-least-one-number-a

    Thank You,

    Hongxu Liu
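
Added example (not from the original posts or from Broadcom): a Python check that applies the documented counting rule to the two expressions quoted in this thread and compares which constructed sample passwords each one accepts. It assumes every "(" counts toward the limit, lookahead groups included, and uses Python's `re` engine as a stand-in, which may behave differently from the Policy Server's regex engine.

```python
import re

# Both patterns are copied from the thread (the /.../ delimiters of the first are dropped).
THREE_OF_FOUR = (
    r"^((?=.*[A-Z])(?=.*[a-z])(?=.*\d)|(?=.*[a-z])(?=.*\d)(?=.*[\$\%\&])"
    r"|(?=.*[A-Z])(?=.*\d)(?=.*[\$\%\&])|(?=.*[A-Z])(?=.*[a-z])(?=.*[\$\%\&])).{8,16}$"
)
MUST_NOT_MATCH = r"^(.{0,7}|[^0-9]*|[^A-Z]*|[^a-z]*|[a-zA-Z0-9]*)$"
LIMIT = 10  # documented maximum number of subexpressions per regular expression


def subexpression_count(pattern: str) -> int:
    """Documented rule: number of left parentheses plus one for the expression itself.
    Assumption: every '(' is counted, which is the most conservative reading."""
    return pattern.count("(") + 1


def within_limit(pattern: str) -> bool:
    return subexpression_count(pattern) <= LIMIT


def accepted_by_must_match(password: str) -> bool:
    # "MUST Match" semantics: the password is valid only if the pattern matches.
    return re.search(THREE_OF_FOUR, password) is not None


def accepted_by_must_not_match(password: str) -> bool:
    # "MUST NOT MATCH" semantics: any match marks the password as invalid.
    return re.search(MUST_NOT_MATCH, password) is None


# Constructed sample passwords, not taken from the thread.
SAMPLES = ["Abcdefg1", "abcdefg1$", "Abcdefg1$", "abcdefgh", "Ab1$"]


def compare() -> dict:
    """Map each sample to (accepted by MUST Match regex, accepted by MUST NOT MATCH regex)."""
    return {p: (accepted_by_must_match(p), accepted_by_must_not_match(p)) for p in SAMPLES}


if __name__ == "__main__":
    for name, pat in (("three-of-four", THREE_OF_FOUR), ("must-not-match", MUST_NOT_MATCH)):
        print(f"{name}: {subexpression_count(pat)} subexpressions, within limit: {within_limit(pat)}")
    for password, (by_match, by_not_match) in compare().items():
        print(f"{password!r}: MUST Match={by_match}, MUST NOT MATCH={by_not_match}")
```

Under these assumptions the single-expression form counts 14 subexpressions, while the inverted form counts 2 but accepts only passwords that contain all four character classes, so it is stricter than the three-of-four requirement.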





  • 3.  RE: SSO - RegEx not working

    Posted Dec 09, 2019 10:49 AM
    Thank you Hongxu for your response.

    Yes, we can break up the regular expressions; however, the Siteminder password policy may treat them as AND instead of OR. I don't see any options in AdminUI to specify them as AND or OR. Any idea?

    I am yet to look into the other suggestion which you have provided.

    Thanks
    Ashok