5.7 Configuring the Setup Security Questions Module

During the login process, the login page automatically redirects users to the Challenge-Response page. Users set up the responses for challenge questions on this page. When users forget their passwords and try to reset them, Self Service Password Reset prompts for the configured questions and asks the users to specify the correct answers. When the answers match the responses saved earlier by the users, Self Service Password Reset allows the users to reset their passwords. To configure the challenge-response policy for different profiles, see Configuring Profiles.

Apart from configuring random and required questions, you can configure a number of other important settings such as force response setup, the case of the responses, and so forth. All of these components are part of the Setup Security Questions module.

To configure the Setup Security Questions module:

  1. Log in to Self Service Password Reset at https://dns-name/sspr as an administrator.

  2. In the toolbar, click your name.

  3. Click Configuration Editor.

  4. Click Modules > Authenticated > Setup Security Questions.

  5. Configure the following settings:

    Enable Setup Responses

    Enable this option to display the save responses page for users.

    Force Response Setup

    Select this option to redirect users to configure the challenge-response when they log in. This setting allows users to save responses if they do not have stored responses yet.

    Show Response Confirmation

    Enable this option to show the responses to the user after they configure responses. This gives users an opportunity to read and review their responses before submitting.

    Case Insensitive Responses

    Enable this option to make the responses case-insensitive. The setting does not affect or apply to users who have already configured their responses prior to modifying this setting.

    Allow Duplicate Responses

    Enable this option to allow users to use duplicate responses. That is not a good security practice. Ensure that you do not select this option if you want users to enter a unique value for each response.

    Save Challenge Permission

    Specify an LDAP search filter or add an LDAP group or LDAP profile to determine if you permit the users to configure challenges. The LDAP query must return the user or else Self Service Password Reset does not permit the user to configure challenges.

    To view the list of users that match the query, click View Matches.

    Check Responses Match

    Specify the LDAP search filter or specify an LDAP group and LDAP profile.

    If the query calls the command servlet with the checkResponses command (/private/CommandServlet?processAction=checkResponses), the system first checks whether the users match the specified LDAP query before checking the users' responses. If users do not match this query, the system does not check the responses for those users and redirects them to the forward URL.

    To view the list of users that match the query, click View Matches.

    Enforce Minimum Password Lifetime

    Determine whether users who authenticate through Forgotten Password should have the Password Minimum Lifetime setting (if set) enforced. If you enable this setting, the users cannot change their passwords if the Minimum Lifetime has not passed. If not enabled, the system permits the users to change their passwords when authenticated through Forgotten Password even if the Minimum Lifetime has not passed.

  6. In the toolbar, click Save changes.
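The following added example (not Self Service Password Reset's own code) models how the Case Insensitive Responses and Allow Duplicate Responses settings affect stored responses: answers are normalized and salted-hashed at enrolment, duplicates are rejected when the policy forbids them, and because the case policy is baked in at save time, changing the setting later does not affect responses users saved earlier. The hashing scheme, class and function names are assumptions for the demonstration.

```python
# Illustrative model of challenge-response storage under two policy settings.
# Not SSPR's implementation: PBKDF2 hashing, ChallengePolicy, StoredResponse,
# save_responses() and check_responses() are assumed names for this example.
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class ChallengePolicy:
    case_insensitive: bool = False   # "Case Insensitive Responses" setting
    allow_duplicates: bool = False   # "Allow Duplicate Responses" setting


@dataclass
class StoredResponse:
    question: str
    salt: bytes
    digest: bytes
    case_insensitive: bool           # policy in force when this response was saved


def _normalize(answer: str, case_insensitive: bool) -> str:
    # Trim whitespace; fold case only when the policy allows it.
    answer = answer.strip()
    return answer.casefold() if case_insensitive else answer


def _digest(answer: str, salt: bytes) -> bytes:
    # Responses are secrets: store a salted slow hash, never the plain text.
    return hashlib.pbkdf2_hmac("sha256", answer.encode("utf-8"), salt, 100_000)


def save_responses(pairs, policy):
    """Enrol (question, answer) pairs under the current policy."""
    normalized = [_normalize(a, policy.case_insensitive) for _, a in pairs]
    if not policy.allow_duplicates and len(set(normalized)) != len(normalized):
        raise ValueError("duplicate responses are not permitted by policy")
    stored = []
    for (question, _), norm in zip(pairs, normalized):
        salt = os.urandom(16)
        stored.append(StoredResponse(question, salt, _digest(norm, salt),
                                     policy.case_insensitive))
    return stored


def check_responses(stored, answers):
    """Verify answers using the case policy recorded at enrolment, not the current one."""
    if len(stored) != len(answers):
        return False
    ok = True
    for rec, given in zip(stored, answers):
        norm = _normalize(given, rec.case_insensitive)
        ok &= hmac.compare_digest(_digest(norm, rec.salt), rec.digest)
    return ok
```

Responses enrolled while the setting was case-sensitive keep failing a differently cased answer even after the policy is flipped, which is the re-enrolment caveat the setting description states.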