RapidIdentity Product Guide

Challenge Questions/Answers Overview

The objective is to provide users with a mechanism to update specific Challenge Question Answers selected by an organization (e.g. one or two question/answer pairs in a challenge set of six questions) in a custom, organization-specific front-end environment, without requiring users to use the RapidIdentity Challenge Question dialog. These challenge questions are presented on the front end through a drop-down box for each question, and users are forbidden from answering the same question more than once. Users can also input three of their own questions and make only one of them required.

This use case is an example of how RapidIdentity technology can operate in the background. It is relatively common, since many organizations have their own portal-type environment in which users must authenticate to gain access to the organization's secure network and applications, and they prefer to use their own company-branded interface to avoid user confusion as new technology is integrated.

Before walking through the order of operations for this use case conceptually, it is important to consider what is likely to be necessary to address it. The following eight items form a non-exhaustive list of key issues to consider.

  1. User Authentication Process

  2. RapidIdentity Challenge Response APIs

  3. Organization APIs

  4. Filtering Challenge Set Questions

  5. Data format (JSON or XML)

  6. Authoritative Source Synchronization (e.g. Directory Service, Database)

  7. Audit Logs

  8. Regulatory Concerns

Not all of these eight issues are addressed in the solution approach, because that is beyond the scope of this topic; the intention is to provide a conceptual overview. The approach rests on the following six assumptions.

  1. Admins trigger Challenge Question Answer updates through RapidIdentity Portal.

  2. Challenge Set Questions are obtained by API, filtered by the organization, and the updated user responses are returned to RapidIdentity in JSON format using the API.

  3. Only one Challenge Set Policy exists.

  4. Updates are sent to the directory service.

  5. Audit logs are updated through RapidIdentity.

  6. Regulatory concerns are not addressed.

With these six assumptions in hand, the simplified order of operations to address this use case is as follows.

  1. Administrator navigates to RapidIdentity Portal | Configuration | Profiles | Extended | Challenge Policy Manager | General and clicks Set to Now.

    1. Administrators must have the RapidIdentity Portal Profiles Admin role.

  2. User authenticates.

  3. User challenge questions are obtained through an API call to RapidIdentity.

    GET /arms/ws/rest/actm/actions/challenge/setup

    RESPONSE 200 OK:

    {
       "targetId":"0dbe1c00-7056-11e6-aa1d-0e37b9aa2711",
       "challengePolicy":{
          "id":"397b0e20-6ee9-11e6-a4b4-0e37b9aa2711",
          "name":"Default Challenge Policy",
          "noChallenge":false,
          "adminQuestions":[
             {
                "required":true,
                "question":"What is your favorite color"
             }
          ],
          "minAdminQuestionPoolSize":1,
          "allowUserDefinedQuestions":true,
          "minUserQuestionPoolSize":0,
          "maxUserQuestionPoolSize":255,
          "minQuestionLength":3,
          "maxQuestionLength":255,
          "minAnswerLength":3,
          "maxAnswerLength":255,
          "numAdminAnswersForAuth":1,
          "numUserAnswersForAuth":0,
          "numHelpdeskQuestions":0,
          "restrictWordsFromQuestion":false,
          "canSkipSetup":false,
          "enforceUniqueAnswers":true
       },
       "adminQuestions":[
          {
             "required":true,
             "question":"What is your favorite color"
          }
       ],
       "userQuestions":[
          {
             "question":"What is my dog's favorite toy"
          },
          {
             "question":"What is my favorite song"
          },
          {
             "question":"Who was my first college roommate"
          }
       ]
    }

  4. Admin parses the JSON to extract the questions, determines from allowUserDefinedQuestions whether user-defined questions are allowed, and then pushes all questions to the user interface.

  5. User answers questions and clicks Submit.

  6. Admin creates the pre-request JSON and makes a POST API call to RapidIdentity.

    POST /arms/ws/rest/actm/actions/challenge/setup

    {
      "targetId": "0dbe1c00-7056-11e6-aa1d-0e37b9aa2711",
      "challengePolicy": {
        "id": "397b0e20-6ee9-11e6-a4b4-0e37b9aa2711",
        "version": 1,
        "name": "Default Challenge Policy",
        "priority": 1,
        "enabled": true,
        "noChallenge": false,
        "default": true,
        "groupAclsEnabled": false,
        "groupAcls": [
          {}
        ],
        "filterAclEnabled": false,
        "filterAcl": "",
        "adminQuestions": [
          {
            "required": true,
            "question": "What is your favorite color"
          }
        ],
        "minAdminQuestionPoolSize": 1,
        "allowUserDefinedQuestions": true,
        "minUserQuestionPoolSize": 1,
        "maxUserQuestionPoolSize": 3,
        "minQuestionLength": 3,
        "maxQuestionLength": 255,
        "minAnswerLength": 3,
        "maxAnswerLength": 255,
        "numAdminAnswersForAuth": 1,
        "numUserAnswersForAuth": 1,
        "numHelpdeskQuestions": 0,
        "restrictWordsFromQuestion": false,
        "canSkipSetup": false,
        "enforceUniqueAnswers": true,
        "oldestAllowedResponseTimestamp": 20170622
      },
      "adminQuestions": [
        {
          "required": true,
          "question": "What is your favorite color",
          "answer": "Orange"
        }
      ],
      "userQuestions": [
        {
          "required": true,
          "question": "What is my dog's favorite toy",
          "answer": "Squirrel"
        },
        {
          "required": false,
          "question": "What is my favorite song",
          "answer": "Cheeseburger in Paradise"
        },
        {
          "required": false,
          "question": "Who was my first college roommate",
          "answer": "Luke"
        }
      ]
    }

    RESPONSE 200 OK:

    {
      "target": "0dbe1c00-7056-11e6-aa1d-0e37b9aa2711",
      "targetName": "Doc Admin",
      "success": true
    }
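
The front-end side of steps 3 to 6, as an added example that is not part of RapidIdentity's documentation or product code: it parses the setup response, validates a user's answers against the limits the challengePolicy carries (question and answer length bounds, no question answered twice, enforceUniqueAnswers, user-defined questions only when allowUserDefinedQuestions is true, and the user question pool size), builds the POST body in the shape shown above, and submits it. The injected HTTP client (get and post callables), the sample response with its placeholder ids, and the fake client that stands in for the server are assumptions constructed for this example; how the front end authenticates to RapidIdentity is outside its scope.

```python
"""Added example: front-end handling of the challenge setup GET/POST flow."""
import json
from typing import Callable, Dict, List

# Endpoint path as given in the guide above.
SETUP_PATH = "/arms/ws/rest/actm/actions/challenge/setup"

# Constructed sample, modelled on the guide's GET response (placeholder ids).
SAMPLE_SETUP_RESPONSE = json.dumps({
    "targetId": "00000000-0000-0000-0000-000000000001",
    "challengePolicy": {
        "id": "00000000-0000-0000-0000-000000000002",
        "name": "Default Challenge Policy",
        "noChallenge": False,
        "allowUserDefinedQuestions": True,
        "minUserQuestionPoolSize": 0, "maxUserQuestionPoolSize": 3,
        "minQuestionLength": 3, "maxQuestionLength": 255,
        "minAnswerLength": 3, "maxAnswerLength": 255,
        "enforceUniqueAnswers": True,
    },
    "adminQuestions": [{"required": True, "question": "What is your favorite color"}],
    "userQuestions": [{"question": "What is my dog's favorite toy"},
                      {"question": "What is my favorite song"}],
})


def _norm(text: str) -> str:
    """Trim, collapse spaces and case-fold so 'Orange ' and 'orange' compare equal."""
    return " ".join(text.split()).casefold()


def extract_questions(setup: dict) -> Dict[str, List[str]]:
    """Step 4: the question texts to render; user-defined ones only if the policy allows."""
    policy = setup["challengePolicy"]
    admin = [q["question"] for q in setup.get("adminQuestions", [])]
    user = []
    if policy.get("allowUserDefinedQuestions", False):
        user = [q["question"] for q in setup.get("userQuestions", [])]
    return {"admin": admin, "user": user}


def validate_answers(policy: dict, admin_answers: List[dict], user_answers: List[dict]) -> List[str]:
    """Check submitted {'required','question','answer'} items against the policy limits.
    Returns a list of problems (empty means OK).  Problems quote question text only,
    never answers, so they can be shown to the user or logged safely."""
    problems: List[str] = []
    items = admin_answers + user_answers

    seen = set()                      # the guide forbids answering a question twice
    for item in items:
        key = _norm(item["question"])
        if key in seen:
            problems.append(f"duplicate question: {item['question']!r}")
        seen.add(key)

    for item in items:                # per-item length limits and required answers
        q = item["question"].strip()
        a = (item.get("answer") or "").strip()
        if not (policy["minQuestionLength"] <= len(q) <= policy["maxQuestionLength"]):
            problems.append(f"question length outside policy range: {q!r}")
        if not a:
            if item.get("required", False):
                problems.append(f"required question unanswered: {q!r}")
            continue
        if not (policy["minAnswerLength"] <= len(a) <= policy["maxAnswerLength"]):
            problems.append(f"answer length outside policy range for: {q!r}")

    if user_answers and not policy.get("allowUserDefinedQuestions", False):
        problems.append("user-defined questions are not allowed by the policy")
    n_user = len(user_answers)
    if not (policy["minUserQuestionPoolSize"] <= n_user <= policy["maxUserQuestionPoolSize"]):
        problems.append(f"user question count {n_user} outside policy pool size")

    if policy.get("enforceUniqueAnswers", False):   # no answer reused across questions
        answers = [_norm(i["answer"]) for i in items if (i.get("answer") or "").strip()]
        if len(answers) != len(set(answers)):
            problems.append("the same answer is used for more than one question")
    return problems


def build_setup_request(setup: dict, admin_answers: List[dict], user_answers: List[dict]) -> dict:
    """Step 6: the POST body in the shape the guide shows, echoing targetId and policy."""
    return {"targetId": setup["targetId"], "challengePolicy": setup["challengePolicy"],
            "adminQuestions": admin_answers, "userQuestions": user_answers}


def submit_answers(get: Callable[[str], str], post: Callable[[str, str], str],
                   admin_answers: List[dict], user_answers: List[dict]) -> dict:
    """Steps 3 to 6 end to end.  `get(path)` and `post(path, body)` are the organization's
    own authenticated HTTP client (assumed here; authentication is out of scope)."""
    setup = json.loads(get(SETUP_PATH))
    problems = validate_answers(setup["challengePolicy"], admin_answers, user_answers)
    if problems:
        raise ValueError("; ".join(problems))
    body = build_setup_request(setup, admin_answers, user_answers)
    return json.loads(post(SETUP_PATH, json.dumps(body)))


# Constructed stand-ins for the HTTP client so the example runs offline.
def fake_get(path: str) -> str:
    assert path == SETUP_PATH
    return SAMPLE_SETUP_RESPONSE


def fake_post(path: str, body: str) -> str:
    assert path == SETUP_PATH
    sent = json.loads(body)           # mimics the guide's 200 OK response shape
    return json.dumps({"target": sent["targetId"], "targetName": "Example User", "success": True})


if __name__ == "__main__":
    print(extract_questions(json.loads(fake_get(SETUP_PATH))))
    print(submit_answers(fake_get, fake_post,
                         [{"required": True, "question": "What is your favorite color", "answer": "Orange"}],
                         [{"required": True, "question": "What is my dog's favorite toy", "answer": "Squirrel"}]))
```

The validation runs client-side before anything is posted, so a submission that breaks a policy limit never reaches RapidIdentity, and the error text carries question labels but no answers, which matters because challenge answers are authentication secrets and tend to end up in front-end logs otherwise. The policy object is echoed back exactly as the GET returned it; the POST example above shows additional fields a real policy may carry, and those would simply travel along with it.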

While this use case focuses on specific challenge questions and their answers in a set, this use case solution approach could easily be adapted to password self-service, account claiming, or any other delegated administration action.

To develop solutions for additional RapidIdentity self-service use cases (e.g. Password, Account Claim) using the above approach, substitute the APIs specific to your use case and construct the POST pre-request JSON to match that API.