Okta Classic Engine · Administration · Answered · 2026-04-01T09:00:20.000Z · 2020-08-13T18:31:43.000Z · 2020-08-18T18:46:40.000Z
  • rohern (Okta)

    I think you first need to enable the change password option, and then the functionality for SSPR should be available.

    Selected as Best
  • rohern (Okta)

    Change password allows the end user to change password as long as they know the current password. SSPR is an administrative password reset, so you will also want to make sure the AD agent service account has delegated permissions to reset. If you don't want to custom delegate permissions to the agent, I've found adding the AD agent account to the "Account Operators" group gives sufficient perms for pw resets.

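    The answer above offers two ways to give the AD agent service account reset rights: membership in the built-in "Account Operators" group, or a custom delegation. The following PowerShell is an added example, not code from the thread or from Okta: it checks which of the two a given service account actually has on an OU, so an administrator can confirm the delegation before testing SSPR end to end. The account name and OU are placeholders, and the two GUIDs are the well-known Active Directory schema identifiers for the "Reset Password" extended right and the pwdLastSet attribute (the permission the ADUC "Reset user passwords and force password change at next logon" delegation task grants). Note that "Account Operators" is a broad built-in group that can manage most user and group objects in the domain, so scoping the extended right to the OU that holds the Okta-mastered users is the least-privilege option when a custom delegation is acceptable.

```powershell
# Added example (not from the thread or Okta): report how the Okta AD agent
# service account is permitted to reset passwords on a target OU.
Import-Module ActiveDirectory

$AgentAccount = 'CONTOSO\svc-okta-agent'      # placeholder: AD agent service account
$TargetOU     = 'OU=Users,DC=contoso,DC=com'   # placeholder: OU holding Okta-mastered users

# Well-known schema GUIDs from the Active Directory schema documentation
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" extended right
$PwdLastSetAttr     = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # pwdLastSet attribute

function Test-OktaAgentResetDelegation {
    param([string]$Account, [string]$OU)

    $sam    = $Account.Split('\')[-1]
    $result = [ordered]@{
        Account            = $Account
        InAccountOperators = $false   # broad grant via built-in group
        HasResetPassword   = $false   # scoped grant: extended right on the OU
        CanWritePwdLastSet = $false   # scoped grant: needed to force change at next logon
    }

    # 1. Broad grant: direct or nested membership in Account Operators
    $members = Get-ADGroupMember -Identity 'Account Operators' -Recursive
    $result.InAccountOperators = [bool]($members | Where-Object SamAccountName -eq $sam)

    # 2. Scoped grant: Allow ACEs on the OU that apply to the account or its
    #    direct groups (nested group membership is not expanded here).
    $user = Get-ADUser -Identity $sam
    $sids = @($user.SID.Value) + @((Get-ADPrincipalGroupMembership -Identity $sam).SID.Value)
    $acl  = Get-Acl -Path ("AD:\" + $OU)

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($sids -notcontains $sid) { continue }

        # An empty ObjectType means "all extended rights" / "all properties";
        # GenericAll also sets the ExtendedRight and WriteProperty bits.
        $rights = $ace.ActiveDirectoryRights
        if (($rights -band [DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            ($ace.ObjectType -eq $ResetPasswordRight -or $ace.ObjectType -eq [Guid]::Empty)) {
            $result.HasResetPassword = $true
        }
        if (($rights -band [DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
            ($ace.ObjectType -eq $PwdLastSetAttr -or $ace.ObjectType -eq [Guid]::Empty)) {
            $result.CanWritePwdLastSet = $true
        }
    }
    [pscustomobject]$result
}

Test-OktaAgentResetDelegation -Account $AgentAccount -OU $TargetOU | Format-List
```

    Run it as a user who can read the OU's security descriptor. If only InAccountOperators comes back True, the agent is relying on the broad built-in group; if HasResetPassword and CanWritePwdLastSet are True with InAccountOperators False, the scoped delegation is in place. The check does not evaluate ACE inheritance scope (InheritedObjectType), so an ACE that is present but limited to a different object class would still be reported; confirm with a test reset on a non-production account.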
  • 6d7rg (6d7rg)

    Thanks @rohern (Okta). Enabling change password allowed me to select SSPR.

    In Delegated authentication, how can we reset the password if user forgot his current AD password?

  • rohern (Okta)

    You are basically already there. You set the functionality through the password policy.

    https://support.okta.com/help/s/article/Creating-a-Password-Policy

    Once the policy is created and assigned to the appropriate groups of users, the end user will Self Service reset from the login page.

    By clicking the "need help signing in" link on the login page, the user is presented with "Forgot Password" and/or "unlock account" based on your policy settings. Clicking through this link will initiate the SSPR process. The verbiage for these URLs can be changed under Settings>Customizations.

  • k5fuw (k5fuw)

    Be aware that self-service password recovery only works if the user has previously configured the following items in his Okta profile:

    1. Forgot password question/answer (required)
    2. At least one of the following:
      1. Secondary email (which must be verified before it will function)
      2. Forgot password text message
      3. Forgot password voice call


    When attempting to reset their own password, Okta will present the user with all three options regardless of which one or how many the user has actually configured. This is a security feature that helps thwart account compromise. The user must select the appropriate method, respond to the prompt, then answer the forgot password question, and THEN the change password prompt will appear.

    • 6d7rg (6d7rg)

      I opted for Reset via email and I received a link to answer the security question in the primary email address.

      Why would we need a secondary email address?

This question is closed.
How to reset password for AD mastered users?