IDM 3.5 User App challenge response set up failing for user when accessed via Access Manager

  • 3783879
  • 24-Jan-2008
  • 26-Apr-2012

Environment


Novell Access Management 3 Access Administration
Novell Access Management 3 Linux Novell Identity Server
Novell Access Management 3 Linux Access Gateway
Novell Access Management 3 Netware Access Gateway
Novell Access Management 3 Support Pack 1 Release Candidate 2 applied (3.0.1-207 build)

Situation

IDM User App 3.5 is installed, with self-registration set up for users (accessed via AM). Once they register, users are emailed their initial password and a link. The link takes them to the ChallengeResponseJsf page (again, via AM). To reach it, they must first authenticate to the Identity Server; the Access Gateway then performs an identity injection of credentials to give users single sign-on (SSO) to the IDM UserApp.

The authentication at the UserApp forces them to set a new password (the initial one has expired). That all seems to work fine, and the user is presented with the page to set up their 4 question/answer pairs (3 admin-defined, one user-defined). When the user submits that form through the Access Gateway, a success message is displayed, but the three admin-defined questions are now all the exact same question. Looking at the user with DSBROWSE or in iManager, one can see that there are only two SAS:Login Secret values (which reflect the two questions on the success page).

Resolution

IDM 3.5 UserApp has an issue with credentials being passed in the basic authentication header. IDM engineering is aware of the issue, and it will be addressed in the next patch. For now, disable Identity Injection for this protected resource to work around the issue.