I discussed challenge questions in OIM here. In this post I am going to cover everything you must know about challenge questions in OIM.

Oracle Identity Management (OIM) is the identity provisioning and identity management software in the Oracle Identity & Access Management Suite. OIM provides the password reset and forgot password functionality for users.

1. By default, when a user logs in to OIM for the first time, the system prompts the user to reset the password and set challenge questions (the number of questions the user must set is controlled by the system property Number of Questions, PCQ.NO_OF_QUES).


2. When a user clicks the forgot password link or accesses the forgot password page, OIM presents a set of challenge questions (the number presented, 3 by default, is controlled by the system property Number of Questions, PCQ.NO_OF_QUES).



3. To set a new password in the forgot password case, the user must answer the challenge questions correctly (the minimum number of questions the user must answer correctly is controlled by the system property Number of Correct Answers, PCQ.NO_OF_CORRECT_ANSWERS).

Note: Assume PCQ.NO_OF_QUES is set to 6 and PCQ.NO_OF_CORRECT_ANSWERS is set to 4. At first login, OIM will present 6 questions that the user must set. At the time of forgot password, OIM will still present 6 questions, of which the user must answer at least 4 correctly to change their password.

4. The user can change challenge questions from Self Service Console -> Profile -> Security.



5. Oracle Adaptive Access Manager (OAAM, another product from the Oracle Identity & Access Management Suite) also provides a rich set of challenge questions. More on OAAM here, and on Knowledge Based Authentication (KBA) in OAAM here and here.

6. Challenge questions in OAAM are more advanced than challenge questions in OIM in terms of:

a) Challenge Questions Registration Logic feature in OAAM
b) Answer Logic for challenge questions is more sophisticated in OAAM (for example, "1st" and "first" can be configured to be accepted as the same answer)
c) A challenge question can be asked by a customer service representative (or helpdesk) in OAAM without compromising the answers to the challenge questions
d) Reset of challenge questions by a customer service representative (or helpdesk)

7. You can integrate OIM with OAAM for challenge questions so that OAAM is used for setting and validating challenge questions. More on OIM-OAAM integration here and on the request flow for OIM-OAM-OAAM integration here.

8. It is possible to add more challenge questions in OIM (by default OIM provides 4 questions). (More on step-by-step instructions to add additional challenge questions in OIM later.)

9. Additional questions in OIM can be localised by updating the customResources.properties and customResources[language].properties files in ORACLE_HOME/server/customResources. More on localisation in OIM here and here.

10. The default 4 questions in OIM are configured in English only. If you wish to see these questions in a specific locale, add properties for these questions in the customResources_lang.properties file that represents the locale's language. For example, the customResources_ja.properties file contains the language property translations for Japanese.

11. You can also configure OIM so that users can set their own questions (in addition to the answers). This is controlled by the system property Use of Default Questions, PCQ.USE_DEF_QUES. The default value is TRUE, which means the system will ask the pre-defined questions in OIM.
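
The interaction between PCQ.NO_OF_QUES and PCQ.NO_OF_CORRECT_ANSWERS from points 1 to 3 and the note can be modelled in a few lines. This is an added illustration, not OIM code: the function names are hypothetical, and the answer normalisation and salted PBKDF2 storage are assumptions chosen for the sketch, not a description of how OIM stores or compares answers.

```python
import hashlib
import hmac
import os

# Property names are from the post; values mirror its note (6 asked, 4 required).
PROPS = {"PCQ.NO_OF_QUES": 6, "PCQ.NO_OF_CORRECT_ANSWERS": 4}


def validate_props(props):
    """Return a list of problems with the two thresholds (empty list = sane)."""
    asked = props["PCQ.NO_OF_QUES"]
    needed = props["PCQ.NO_OF_CORRECT_ANSWERS"]
    problems = []
    if asked < 1:
        problems.append("PCQ.NO_OF_QUES must be at least 1")
    if needed < 1:
        problems.append("PCQ.NO_OF_CORRECT_ANSWERS below 1 requires no proof")
    if needed > asked:
        problems.append("more correct answers required than questions asked")
    return problems


def _digest(answer, salt):
    # Assumption: answers compare case- and whitespace-insensitively.
    normalized = " ".join(answer.lower().split()).encode()
    return hashlib.pbkdf2_hmac("sha256", normalized, salt, 100_000)


def enroll(answers):
    """Keep one salted digest per question instead of the plaintext answer."""
    stored = {}
    for question, answer in answers.items():
        salt = os.urandom(16)
        stored[question] = (salt, _digest(answer, salt))
    return stored


def may_reset_password(stored, supplied, props):
    """True when enough supplied answers match the enrolled ones."""
    if validate_props(props):
        return False  # fail closed on a broken configuration
    correct = 0
    for question, (salt, digest) in stored.items():
        candidate = _digest(supplied.get(question, ""), salt)
        # Constant-time comparison avoids leaking how much of a digest matched.
        correct += hmac.compare_digest(candidate, digest)
    return correct >= props["PCQ.NO_OF_CORRECT_ANSWERS"]
```

With the note's values, a user who gets 4 of the 6 answers right may reset the password and one who gets 3 right may not; a configuration that demands more correct answers than questions asked is rejected outright.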


More on the OIM system properties related to challenge questions, and on how to add additional challenge questions in OIM, in the next post.


