3.6 Configuring Challenge-Response Authentication

During the login process, the login page automatically redirects users to the Challenge-Response page. Users set up the responses for challenge questions on this page. When a user forgets their password and tries to reset it, SSPR prompts the configured questions and asks the user to specify the correct answer. When the answer matches the response saved earlier by the user, SSPR allows the user to reset the password. To configure the challenge-response policy for different profiles, see Section 5.3, Configuring Challenge Response Policy for a Profile.

You must select the Enable Setup Responses check box to enable SSPR to display the save responses page to users.

3.6.1 Configuring Global Challenge-Response Settings

Apart from configuring random and required questions, you can configure a number of other important settings such as force response setup, case of the responses, Wordlist, and so forth.

To configure the challenge settings, perform the following steps:

  1. In Configuration Editor, click Settings > Challenge Settings.

  2. Click View > Always Show Advanced Settings to see and configure the advanced settings.

The following table lists all configurable settings with their descriptions:

| Field | Description |
|---|---|
| Enable Setup Responses | Select this check box to display the save responses page to users. |
| Force Response Setup | Select this check box to redirect users to configure challenge-response when they log in. This setting forces users to save responses if they do not have stored responses yet. |
| Show Response Confirmation | Select this check box to show the responses to the user after they configure responses. This gives users an opportunity to read and review their responses before submitting. |
| Apply Wordlist | Select this check box to configure a Wordlist. The Wordlist prevents commonly used words from being used in responses. Users cannot use response values that are added to the Wordlist. |
| Case Insensitive Responses | Select this check box to make the responses case-insensitive. This setting does not affect or apply to users who configured their responses before this setting was modified. |
| Maximum Characters of Challenge Allowed in Response | Specify the maximum number of characters of the challenge that are allowed in the response. This prevents a user's response from being the same as the challenge. |
| Allow Duplicate Responses | Do not select this check box if you want users to enter a unique value for each response. |
| Save Challenge Query Match (Advanced) | Specify the query string to detect whether a user can configure challenge-responses. If users do not match this query, their responses are not checked and they are redirected to the forward URL. To view the list of users that match the query, click View Matches. |
| Check Responses Query Match | Specify the LDAP response query. If the command servlet is called with the checkResponses command (/private/CommandServlet?processAction=checkResponses), users are first checked to see if they match the specified LDAP query before their password responses are checked. If users do not match this query, their responses are not checked and they are redirected to the forward URL. To view the list of users that match the query, click View Matches. |
| Minimum Password Lifetime (Advanced) | When you select this check box, the user cannot change the password until the minimum lifetime has elapsed. |
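The response-quality settings above (Apply Wordlist, Case Insensitive Responses, Maximum Characters of Challenge Allowed in Response, Allow Duplicate Responses) can be modeled as one validation pass. The following is an added example, not SSPR code: the class and function names are hypothetical, the sample answers are constructed, and it assumes the challenge-character limit means the longest run of consecutive characters shared by challenge and response, and that Wordlist matching ignores case.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ChallengePolicy:
    # Hypothetical field names mirroring the settings table, not SSPR's own keys.
    case_insensitive: bool = True
    allow_duplicates: bool = False
    max_challenge_chars: int = 3
    wordlist: frozenset = frozenset()

def longest_shared_run(a, b):
    """Length of the longest substring common to a and b."""
    best, prev = 0, [0] * (len(b) + 1)
    for ch_a in a:
        cur = [0] * (len(b) + 1)
        for j, ch_b in enumerate(b, 1):
            if ch_a == ch_b:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best

def validate_responses(policy, answers):
    """answers maps challenge text to response; returns (challenge, reason) pairs."""
    blocked = {w.casefold() for w in policy.wordlist}
    errors, seen = [], set()
    for challenge, response in answers.items():
        stripped = response.strip()
        # Duplicate detection follows the case setting; the other checks ignore case.
        key = stripped.casefold() if policy.case_insensitive else stripped
        if stripped.casefold() in blocked:
            errors.append((challenge, "wordlist"))
        shared = longest_shared_run(challenge.casefold(), stripped.casefold())
        if shared > policy.max_challenge_chars:
            errors.append((challenge, "repeats challenge"))
        if not policy.allow_duplicates and key in seen:
            errors.append((challenge, "duplicate"))
        seen.add(key)
    return errors

# Constructed sample input.
SAMPLE = {
    "What is your favorite color?": "blue",
    "What city were you born in?": "Born in Oslo",
    "Name of your first pet?": "Blue",
    "Mother's maiden name?": "Kowalczyk-Varga",
}

if __name__ == "__main__":
    policy = ChallengePolicy(wordlist=frozenset({"blue", "password"}))
    for challenge, reason in validate_responses(policy, SAMPLE):
        print(f"{reason:18} {challenge}")
```

With Case Insensitive Responses off, "blue" and "Blue" no longer count as duplicates, which is the weaker configuration when Allow Duplicate Responses is also left cleared.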