
Unexpected evaluation decision

If you have completed Session ID correlation and cannot locate an Events service API event or Adaptive access report detail with a corresponding Session ID, ensure you have:

  1. attached an Adaptive access policy.
    When an Access policy is attached to your Native Web application and you receive a valid response such as allow, MFA or block, but no Adaptive access event is generated, Adaptive access was not invoked.
  2. correct Error response handling.
    If the API was not invoked correctly, an error is returned from the Proxy SDK, which must be handled. If the API was invoked correctly but there was insufficient data, additional collection may be required. In both cases, no event is generated.

If you have located a corresponding Session ID, an Adaptive access assessment was invoked.

Change in user or device attributes

Adaptive access uses deep identity insights, through a sophisticated risk calculation engine (IBM Trusteer®), to accurately match Access policies to the user profile throughout their digital interaction with the application.
During collection, detection and assessment, the risk calculation engine may have evaluated the Session ID differently from what the manual testing process expected.
A range of indicators may alter the assessment result, including:

  • user was not new
  • user had a pending MFA from a previous session
  • location, device or behavioral patterns changed significantly
Adaptive access report detail for new user with change of attributes

Access policy logic error

Access policies combine the riskiest result from Adaptive access, reauthentication and any matching Policy rule.
If there are no Policy rules, or none are matched during evaluation, the Default rule is used for the riskiest comparison.
Ensure you have:

  1. configured the correct action for the expected risk level in the Adaptive access policy.
  2. validated the Reauthentication and Policy rules did not return a riskier result.
    "rule_name" in the Events service API JSON and Rule name in the Adaptive access report detail indicate the riskiest result for the policy evaluation.
Adaptive access report detail for new user with change of attributes
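
The riskiest-result comparison described in this section, as an added example that is not IBM's implementation or part of the original page. The allow < mfa < block ordering, first-match rule selection, tie-breaking, and all rule names and field names other than rule_name are assumptions made for this sketch.

```javascript
// Added example: a model of the riskiest-result comparison, not IBM's implementation.
// Assumption: actions rank allow < mfa < block.
const RISK_ORDER = ["allow", "mfa", "block"];

function rank(action) {
  const i = RISK_ORDER.indexOf(action);
  if (i < 0) throw new Error(`unknown action: ${action}`);
  return i;
}

// adaptive, reauthentication, defaultRule: { rule_name, action }
// policyRules: [{ rule_name, action, matches(ctx) }]
function evaluateAccessPolicy(policy, ctx) {
  // Assumption: the first Policy rule whose condition matches is the one compared.
  const matched = policy.policyRules.find((r) => r.matches(ctx));
  // No Policy rules, or none matched: the Default rule enters the comparison.
  const ruleResult = matched || policy.defaultRule;
  const candidates = [policy.adaptive, policy.reauthentication, ruleResult];
  // Ties keep the earlier candidate (assumption; the page does not define tie-breaking).
  const riskiest = candidates.reduce((worst, c) =>
    rank(c.action) > rank(worst.action) ? c : worst
  );
  return {
    action: riskiest.action,
    rule_name: riskiest.rule_name,
    compared: candidates.map((c) => `${c.rule_name}=${c.action}`),
  };
}

// Constructed policy: the tester expects "allow" because the Adaptive access result is low risk.
const samplePolicy = {
  adaptive: { rule_name: "Low risk level", action: "allow" },
  reauthentication: { rule_name: "Reauthentication", action: "allow" },
  policyRules: [
    { rule_name: "Unmanaged network", action: "mfa", matches: (ctx) => !ctx.managedNetwork },
  ],
  defaultRule: { rule_name: "Default rule", action: "allow" },
};

// The Policy rule matches and is riskier than the Adaptive access result, so it wins.
const offNetwork = evaluateAccessPolicy(samplePolicy, { managedNetwork: false });
// No Policy rule matches, so the Default rule is compared instead.
const onNetwork = evaluateAccessPolicy(samplePolicy, { managedNetwork: true });

console.log(offNetwork.action, offNetwork.rule_name, offNetwork.compared);
console.log(onNetwork.action, onNetwork.rule_name, onNetwork.compared);
```

When the returned rule_name is not the Adaptive access rule you expected, the compared list shows which other source produced the riskier action.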

Multiple unsuccessful access policy invocations

When an Adaptive access policy has insufficient data to complete an assessment, additional collection is required.
If the Native Web application has correct Error response handling but the evaluation is unsuccessful multiple times, Risk Service Unavailable is returned and the associated event is generated.

Access policy re-invocation

When an MFA challenge is returned from an Adaptive access policy evaluation and the challenge is successfully completed, two events are generated:

  1. the initial MFA challenge event
  2. an Allow event during the policy re-evaluation

When only the MFA challenge event is generated, ensure you have:

  1. satisfied the "requires" response from assessPolicy(context) of the IBM Security Verify Proxy SDK with one of the allowedFactors.

    {
    "status": "requires",
    "transactionId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "allowedFactors": ["emailotp", "smsotp", "totp", "push", "fido"]
    }
  2. invoked assessPolicy(context) again following the successful completion of the previous "requires" response.
