Password Manager 5.8.2 - Administrator Guide (AD LDS edition)


Questions and Answers Policy Overview

The Questions and Answers policy consists of secret questions and Q&A profile settings. Secret questions are questions that users must answer to create their profiles; users then use these profiles for authentication. You can create question lists in multiple languages. Each question list contains mandatory, optional, and helpdesk questions. When creating profiles, users must answer all mandatory and helpdesk questions, and a specified number of optional and user-defined questions. You can specify the required number of questions in the Q&A profile settings.

When authenticating on the Self-Service site with Q&A profiles, users can use mandatory, optional and user-defined questions from their profiles. When a helpdesk operator authenticates users, the operator can use mandatory and helpdesk questions from users’ profiles.

Q&A profile settings are a collection of settings that define the number of user-defined and optional questions required for registration, minimum length of answers, encryption setting for storing answers, and others.

Q&A Policy and Authentication

When you configure the Q&A policy, you should remember that the settings you specify may affect the authentication process. The following authentication activities use the Q&A policy settings:

  • Authenticate with Q&A profile (random questions) - This activity is used in self-service workflows. It relies on the number of secret questions you specify in the activity. If a user’s profile contains fewer questions, you can select whether to authenticate the user or not. For more information, see Authenticate with Q&A Profile (Random Questions).
  • Authenticate with Q&A profile (specific questions) - This activity is used in self-service workflows. It relies on the specific secret questions you specify in the activity. If the specified questions cannot be found in a user’s profile, the user will not be authenticated. For more information, see Authenticate with Q&A Profile (Specific Questions).
  • Authenticate with Q&A profile - This activity is used in helpdesk workflows. It relies on the specific secret questions you specify in the activity and on the Store answers using reversible encryption option that you specify in the Q&A profile settings. If the specified questions cannot be found in a user’s profile, the user will not be authenticated.

This activity uses mandatory and helpdesk questions. Answers to helpdesk questions are always stored using reversible encryption. Answers to mandatory questions are hashed, unless you select the Store answers using reversible encryption option in the Q&A profile settings. Note that if answers to mandatory questions are hashed, you cannot use the activity option in which helpdesk operators verify user identity by comparing the answers provided by users with the displayed answers (the Answers to the specified questions (user’s answer is shown) option). For more information, see Authenticate with Q&A Profile.
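The following added example (not One Identity code, and not a description of how Password Manager implements storage) shows why a hashed answer can be compared but never displayed, while a reversibly encrypted one can be both. All function names are hypothetical, the PBKDF2 parameters are assumed, and the HMAC-based keystream is a standard-library stand-in for a real cipher such as AES-GCM.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000  # assumed work factor, not a product setting


def store_hashed(answer: str) -> dict:
    """One-way storage: only a salted digest of the answer is kept."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", answer.encode(), salt, PBKDF2_ROUNDS)
    return {"mode": "hashed", "salt": salt, "digest": digest}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: stdlib-only stand-in for a real cipher
    # such as AES-GCM. It provides no integrity protection.
    blocks = (length + 31) // 32
    stream = b"".join(
        hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(blocks)
    )
    return stream[:length]


def store_reversible(answer: str, key: bytes) -> dict:
    """Two-way storage: whoever holds `key` can recover the answer."""
    nonce = secrets.token_bytes(16)
    data = answer.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return {"mode": "reversible", "nonce": nonce, "ct": ct}


def reveal(record: dict, key: bytes) -> str:
    """What a 'user's answer is shown' check needs: the stored plaintext."""
    if record["mode"] != "reversible":
        raise ValueError("hashed answers cannot be displayed, only compared")
    ks = _keystream(key, record["nonce"], len(record["ct"]))
    return bytes(a ^ b for a, b in zip(record["ct"], ks)).decode()


def verify(record: dict, candidate: str, key: bytes = b"") -> bool:
    """Compare a typed-in answer with the stored one; works in both modes."""
    if record["mode"] == "hashed":
        digest = hashlib.pbkdf2_hmac(
            "sha256", candidate.encode(), record["salt"], PBKDF2_ROUNDS)
        return hmac.compare_digest(digest, record["digest"])
    return hmac.compare_digest(reveal(record, key).encode(), candidate.encode())
```

The trade-off runs the other way as well: answers stored reversibly are only as protected as the encryption key, so anyone who obtains the key can read every such answer.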

Q&A Policy and User Enforcement

The Q&A profile settings affect the Invite users to create/update Q&A profiles enforcement rule. This rule has conditions that state when users should be notified to create or update their profiles. These conditions correspond to the Q&A profile settings. For example, the User’s answers are shorter than required condition corresponds to the Minimum length of answers setting. So, when you change any of the Q&A profile settings, you can then select the corresponding condition in the rule and require users to create or update their profiles in accordance with the new settings. For more information, see Invite Users to Create/Update Profiles.

Data Replication

This section provides information on how Password Manager stores and replicates data.
