Challenge Policy
The Challenge Policy allows administrators to define Challenge Questions and Restricted Answers, and optionally to let users define their own Challenge Questions and Answers. Administrators also set the number of questions a user must answer, separately for administrator-defined and user-defined questions.
This policy gives users a self-service mechanism to recover a forgotten password; the organizational benefit is less IT help desk workload, since responsibility for the recovery step is delegated to the end user.
The Profiles Module supports multiple policies; the most prioritized policy is on top, bolded, and subordinate policies are grayed.
To manage policy priority, select a policy and click the corresponding Up or Down arrows to adjust policy priority accordingly.
General
The General tab allows administrators to define global settings with respect to a specific policy.
For each policy, RapidIdentity Portal assigns a fixed, unique ID. The policy Name is the only required field.
Field Name | Description |
---|---|
Name (Required) | The name of the Challenge policy. |
Description | The Description is text to help identify this policy. Click the |
Enabled | Enables or disables the challenge policy. |
Default Policy | Enables or disables this policy as the default policy. RapidIdentity Portal requires a default policy and supports only one default policy at a time. Default policies cannot have a group DN restriction associated with them. The default policy always applies to users that do not match any other challenge policy. |
No Challenge Policy | Users assigned to this policy are not required to answer challenge questions. They will also not be able to use the forgotten password system. |
Allow Users To Skip Setup | If selected, users are allowed to bypass the challenge setup process. Otherwise, all users are required to set up challenge questions and may not move past the setup screen until they have completed the challenge setup process. |
Allow Users To Create Questions | If selected, users can define their own challenge questions to answer. Administrators can define the parameters for questions users create in the User-Defined Questions tab. |
Questions
The Questions tab allows administrators to define the default questions to appear for all RapidIdentity Portal authenticated users.
Administrators can define the number of questions to ask at setup and login, and these question numbers can be different.
If a question is marked as Required, users must answer it whenever Challenge Questions are used as an Authentication Policy method.
Field Name | Description |
---|---|
Questions to Ask at Setup | The number of questions users must answer during their initial Challenge setup. |
Questions to Ask at Login | The number of questions to ask when a user authenticates to RapidIdentity. |
Question to Ask | The question presented to the user. Administrators can define whether the question is required. |
Answer Length | Administrators can define the minimum and maximum character lengths required for the Answer. The maximum character length is 255. |
User-Defined Questions
The User-Defined Questions tab lets administrators set how many user-defined questions a user must answer in the various workflow circumstances, and how long those answers may be.
It is important to note that the User-Defined Questions tab only appears if the Allow Users To Create Questions checkbox is selected.
Field | Description |
---|---|
Minimum User Defined Questions to Setup | Only available if Allow Users To Create Questions is enabled. The minimum number of user-defined questions that the user must create and answer when setting up their challenge responses. |
User Defined Questions to Ask for Authentication | Only available if Allow Users To Create Questions is enabled. The number of randomly selected user-defined questions to ask when authenticating. This value must be less than or equal to Minimum User Defined Questions to Setup. |
Minimum User Defined Questions Length | Only available if Allow Users To Create Questions is enabled. The minimum allowable length of responses to user-defined questions. |
Maximum User Defined Questions Length | Only available if Allow Users To Create Questions is enabled. The maximum allowable length of responses to user-defined questions. |
Restricted Answers
The Restricted Answers tab allows administrators to define illegal answers to Challenge Questions.
Forbidden answers can be defined as literal text or as the value of a directory service attribute (for example, the user's first name). For each kind, administrators choose whether an answer is rejected only when it matches the forbidden value in full or whenever the forbidden value appears anywhere inside the answer.
Field | Description |
---|---|
Restrict Words that Appear in Question | When selected, this option prevents any of the words contained in the question from being allowed within the answer itself. This option prevents users from using the question for their answer. |
Answers Must Be Unique | When selected, this option does not allow users to repeat a single answer across two or more questions. |
Answers Must Be Given After | This date defines the oldest possible date in which an answer to a Challenge Question is allowed. |
Set to Now | This button updates the date in the Answers Must Be Given After field to the current date. This effectively invalidates everyone's questions/answers and requires everyone in this policy to set up their challenge questions again. |
Full Match (Text) | When selected, an answer is rejected only if it matches a restricted text string exactly. When not selected, an answer is rejected if a restricted text string appears anywhere within it. |
Full Match (Attribute Value) | When selected, an answer is rejected only if it matches one of the restricted attribute values exactly. When not selected, an answer is rejected if any of the restricted attribute values appears anywhere within it (see the examples below, where "MY LAST NAME IS JAMESON" is rejected because it contains the givenName value "James"). |
Restricted Answers (Attribute Value) | Restricted Answers by attribute value allows administrators to enter directory service attributes whose values are forbidden as possible challenge answers. The attribute that is entered in this field must be an exact match to what is listed in the directory service. For example, if "givenName" is the attribute used for a user's first name, "givenName" must be entered in this field. Entering "GIVEN_NAME" would not restrict the user's first name, provided there is no directory attribute of "GIVEN_NAME", because there is not an attribute in the directory in which the value could be matched. |
Restricted Answers that Match by Text and Match by Attribute value are case-insensitive.
Match by Text (restricted text = AUTO)

Your Challenge Answer | Full Match Enabled: Accepted? | Full Match Disabled: Accepted? |
---|---|---|
AUTO | No | No |
My DOG'S NAME IS AUTO | Yes | No |
MY DOG'S NAME IS AUTOMATION | Yes | No |

Match by Attribute Value (directory attribute givenName, whose value for this user is "James")

Challenge Answer | Full Match Enabled: Accepted? | Full Match Disabled: Accepted? |
---|---|---|
JAMES | No | No |
MY NAME IS JAMES | Yes | No |
MY LAST NAME IS JAMESON | Yes | No |
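The matching rules in the Restricted Answers table and the two example tables above, implemented as an added example. This is illustrative code written for this page, not RapidIdentity Portal's own implementation: the policy field names, the whole-word comparison used for Restrict Words that Appear in Question, and the sample user record are assumptions. It also applies the Answer Length limits from the Questions tab.

```python
"""Added example (not RapidIdentity Portal code): checker for Restricted
Answers rules. Field names and the whole-word rule are assumptions."""
import re
from dataclasses import dataclass, field


@dataclass
class ChallengePolicy:
    restricted_text: list = field(default_factory=list)        # Restricted Answers (text)
    restricted_attributes: list = field(default_factory=list)  # e.g. ["givenName", "sn"]
    full_match_text: bool = True                 # Full Match (Text)
    full_match_attribute: bool = True            # Full Match (Attribute Value)
    restrict_words_in_question: bool = False     # Restrict Words that Appear in Question
    answers_must_be_unique: bool = False         # Answers Must Be Unique
    min_length: int = 1                          # Answer Length minimum
    max_length: int = 255                        # page states 255 is the maximum


def _norm(s):
    """Matching is case-insensitive; casefold() also covers non-ASCII text."""
    return s.strip().casefold()


def _hits(answer, forbidden, full_match):
    """Return the forbidden strings that make `answer` invalid.

    Full match: the whole answer equals a forbidden string.
    Otherwise: a forbidden string appears anywhere inside the answer.
    """
    a = _norm(answer)
    hits = []
    for raw in forbidden:
        f = _norm(raw)
        if not f:
            continue
        matched = (a == f) if full_match else (f in a)
        if matched:
            hits.append(f)
    return hits


def check_answer(policy, question, answer, user_attrs):
    """Return a list of violations for one answer (empty list == accepted)."""
    problems = []
    n = len(answer)
    if n < policy.min_length or n > policy.max_length:
        problems.append(f"length {n} outside {policy.min_length}-{policy.max_length}")
    for hit in _hits(answer, policy.restricted_text, policy.full_match_text):
        problems.append(f"matches restricted text '{hit}'")
    # The attribute name must match the directory exactly ("givenName", not
    # "GIVEN_NAME"), so a plain dict lookup models the documented behaviour.
    for attr in policy.restricted_attributes:
        values = user_attrs.get(attr, [])
        if isinstance(values, str):
            values = [values]
        for _hit in _hits(answer, values, policy.full_match_attribute):
            problems.append(f"matches value of directory attribute '{attr}'")
    if policy.restrict_words_in_question:
        # Assumption: words are compared whole, case-insensitively.
        q_words = set(re.findall(r"[\w']+", _norm(question)))
        a_words = set(re.findall(r"[\w']+", _norm(answer)))
        for w in sorted(q_words & a_words):
            problems.append(f"reuses word '{w}' from the question")
    return problems


def check_answer_set(policy, qa_pairs, user_attrs):
    """Validate a whole setup submission; enforces Answers Must Be Unique.

    Returns {question: [violations]} for the questions that failed.
    """
    problems = {}
    seen = {}  # normalized answer -> first question it was used for
    for q, a in qa_pairs:
        p = check_answer(policy, q, a, user_attrs)
        key = _norm(a)
        if policy.answers_must_be_unique and key in seen:
            p.append(f"duplicates the answer given for '{seen[key]}'")
        seen.setdefault(key, q)
        if p:
            problems[q] = p
    return problems


if __name__ == "__main__":
    # Constructed sample user; givenName "James" mirrors the table above.
    user = {"givenName": "James", "sn": "Smith"}
    for full in (True, False):
        pol = ChallengePolicy(restricted_text=["AUTO"],
                              restricted_attributes=["givenName"],
                              full_match_text=full, full_match_attribute=full)
        for ans in ("AUTO", "My DOG'S NAME IS AUTO", "MY DOG'S NAME IS AUTOMATION",
                    "JAMES", "MY NAME IS JAMES", "MY LAST NAME IS JAMESON"):
            accepted = not check_answer(pol, "Favourite colour?", ans, user)
            print(f"full_match={str(full):5} {ans!r:32} accepted={accepted}")
```

Running the block reproduces both example tables: with full match enabled only "AUTO" and "JAMES" are rejected; with full match disabled every sample answer is rejected because it contains "auto" or "james". The substring mode is the safer setting for attribute-derived values, since it also catches answers like "JAMESON" that merely embed the forbidden value.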