Using Advanced Authentication, we got a logical error in both the Risk and Strong Authentication logic.
When the AA components look up users in an LDAP server and the LDAP server is temporarily not connected, Strong and Risk report wrong messages instead of a failure message.
- Strong Authentication returns a “user not found” message. (So the application could interpret it as the status “the user does not exist”.)
- Risk Authentication, during an evaluaterisk with respect to a deviceId, returns that USER and DEVICE are not associated. (So the application could interpret it as the status “this device is not yet associated”.)
In both situations the application could start an enrollment procedure for a user who already exists.
The expected behavior should be to provide the application with a failure message, so that the application could report to the user a message like "Internal error, retry later."
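
The failure mode described above, as an added example that is not part of the original post and is not Advanced Authentication code: a lookup that collapses a directory outage into "not found" is shown beside one that reports the outage as its own state, so the caller enrolls only on a definitive "not found". `FakeDirectory`, `DirectoryDown` and the function names are hypothetical, and the directory contents are constructed.

```python
from enum import Enum


class Lookup(Enum):
    FOUND = "found"
    NOT_FOUND = "not_found"
    UNAVAILABLE = "unavailable"   # backend could not answer either way


class DirectoryDown(Exception):
    """Hypothetical error raised when the LDAP server is not connected."""


class FakeDirectory:
    """Constructed stand-in for the LDAP-backed user store."""

    def __init__(self, users, online=True):
        self.users = set(users)
        self.online = online

    def search(self, uid):
        if not self.online:
            raise DirectoryDown("LDAP server not connected")
        return uid in self.users


def lookup_collapsing(directory, uid):
    # Behaviour reported in the post: an outage is returned as "not found".
    try:
        return Lookup.FOUND if directory.search(uid) else Lookup.NOT_FOUND
    except DirectoryDown:
        return Lookup.NOT_FOUND


def lookup_fail_closed(directory, uid):
    # Expected behaviour: an outage is a failure, never a negative answer.
    try:
        return Lookup.FOUND if directory.search(uid) else Lookup.NOT_FOUND
    except DirectoryDown:
        return Lookup.UNAVAILABLE


def next_step(result):
    # Application-side decision: enroll only when the directory actually
    # answered that the user is absent.
    if result is Lookup.FOUND:
        return "authenticate"
    if result is Lookup.NOT_FOUND:
        return "enroll"
    return "Internal error, retry later."
```

The same three-state result applies to the user/device association check: "not associated" should be returned only when the directory was reachable and gave that answer.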