RapidIdentity Product Guide

Challenge Policy

The Challenge Policy allows administrators to define Challenge Questions and Restricted Answers along with allowing users to define their own Challenge Questions and Answers. Administrators can determine the numbers of questions required to answer, both in terms of administrator-defined questions and user-defined questions. 


The advantage of this policy manager is to provide users with a mechanism to recover a forgotten password; the organizational benefit is to reduce IT-HelpDesk workflow and to delegate action (responsibility) to end-users.

The Profiles Module supports multiple policies; the most prioritized policy is on top, bolded, and subordinate policies are grayed.

To manage policy priority, select a policy and click the corresponding Up or Down arrows to adjust policy priority accordingly.


The General tab allows administrators to define global settings with respect to a specific policy.

For each policy, RapidIdentity Portal assigns a fixed, unique ID. The policy Name is the only required field.

Table 62. General Tab

Field Name


Name (Required)

The name of the Challenge policy.


The Description is text to help identify this policy. Click the Challenge_Description_Expand.jpg icon next to the Description field to open a Rich Text editor for easier formatting of any setup instructions that need to be conveyed to the user.


Enables or disables the challenge policy.

Default Policy

Enables or disables this policy as the default policy.

RapidIdentity Portal requires a default policy and only supports a one default policy at a given time. Default policies cannot have a group DN restriction associated with them. The default policy always applies to users that do not match any other challenge policies.

No Challenge Policy

Users assigned to this policy are not required to answer challenge questions. They will also not be able to use the forgotten password system.

Allow Users To Skip Setup

If selected, users are allowed to bypass the challenge setup process. Otherwise, all users are required to set up challenge questions and may not move past the setup screen until they have completed the challenge setup process.

Allow Users To Create Questions

If selected, users can define their own challenge questions to answer. Administrators can define the parameters for questions users create in the User-Defined Questions tab.


The Questions tab allows administrators to define the default questions to appear for all RapidIdentity Portal authenticated users.  


Administrators can define the number of questions to ask at setup and login, and these question numbers can be different.

If a question is marked as Required, users must answer these questions when Challenge Questions are an Authentication Policy method.

Table 63. Questions Tab

Field Name


Questions to Ask at Setup

The number of questions users must answer during their initial Challenge setup.

Questions to Ask at Login

The number of questions to ask when a user authenticates to RapidIdentity.

Question to Ask

The question presented to the user. Administrators can define whether the question is required.

Answer Length

Administrators can define the minimum and maximum character lengths required for the Answer. The maximum character length is 255.

User-Defined Questions

The User-Defined Questions tab gives the Administrator the opportunity to define the number of questions that the user must answer in various workflow circumstances.

It is important to note that the User-Defined Questions tab only appears if the Allow Users To Create Questions checkbox is selected.

Table 64. User-Defined Questions



Minimum User Defined Questions to Setup

This field is only available if Allow user-defined Questions is enabled

The minimum number of User Defined Questions that the user must answer when setting up their challenge set responses.

User Defined Questions to Ask for Authentication

This field is only available if Allow user-defined Questions is enabled

The number of random user-defined Questions to ask when authenticating. This value must be less than or equal to the defined number of Minimum User Defined Questions To Setup.

Minimum User Defined Questions Length

This field is only available if Allow user-defined Questions is enabled

The minimum allowable length of responses to User Defined Questions.

Maximum User Defined Questions Length

This field is only available if Allow user-defined Questions is enabled

The maximum allowable length of responses to User Defined Questions.

Restricted Answers

The Restricted Answers tab allows administrators to define illegal answers to Challenge Questions.

Administrators can choose to define answers by the text itself or by a directory service attribute value, along with whether answers to Challenge Questions must match fully. Administrators can also manually add answers that are forbidden.  

Table 65. Restricted Answers



Restrict Words that Appear in Question

When selected, this option prevents any of the words contained in the question from being allowed within the answer itself. This option prevents users from using the question for their answer.

Answers Must Be Unique

When selected, this option does not allow users to repeat a single answer across two or more questions.

Answers Must Be Given After

This date defines the oldest possible date in which an answer to a Challenge Question is allowed.

Set to Now

This button updates the date in the Answers Must Be Given After field to the current date. This effectively invalidates everyone's questions/answers and requires everyone in this policy to set up their challenge questions again.

Full Match (Text)

When selected, the answer to a challenge question must match exactly. When not selected, any answer to a challenge question that contains the character string results in an invalid answer.

Full Match (Attribute Value)

When selected, the answer to the challenge question must match an attribute value exactly. When not selected, an invalid answer occurs if the user's answer is contained anywhere in any of the attribute values.

Restricted Answers (Attribute Value)

Restricted Answers by attribute value allows administrators to enter directory service attributes whose values are forbidden as possible challenge answers. The attribute that is entered in this field must be an exact match to what is listed in the directory service. For example, if "givenName" is the attribute used for a user's first name, "givenName" must be entered in this field. Entering "GIVEN_NAME" would not restrict the user's first name, provided there is no directory attribute of "GIVEN_NAME", because there is not an attribute in the directory in which the value could be matched.

Restricted Answers that Match by Text and Match by Attribute value are case-insensitive.

Table 66. Answer Fields

Match by Text (text = AUTO)

Your Challenge Answer

Full Match Enabled


Full Match Disabled











Table 67. Attributes

Match by Attribute Value (directory attribute: givenName, with this value equal to "James" for the user)

Challenge Answer

Full Match Enabled


Full Match Disabled