---
title: Using risk score in the PingFederate authentication policy
description: Guidance on how to configure a branching PingFederate authentication policy based on an assigned risk score.
component: akamai
page_id: akamai:setup:pf-akamai-p8-using-score
canonical_url: https://docs.pingidentity.com/integrations/akamai/setup/pf-akamai-p8-using-score.html
revdate: March 30, 2026
section_ids:
  how-the-adapter-handles-requests-with-or-without-the-specified-request-header: How the adapter handles requests with or without the specified request header
  configuring-the-pingfederate-authentication-policy: Configuring the PingFederate authentication policy
---

# Using risk score in the PingFederate authentication policy

After receiving a request, the Akamai Account Protector IdP Adapter examines it to determine if the Akamai Account Protector header is present. If the header is present, the adapter parses its value as described in the following sections.

|   |                                                                                                                                                                                                                                                                                        |
| - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | The default request header the adapter looks for is `Akamai-User-Risk`. To change this value, configure the **Akamai Account Protector Header Name** advanced field as described in [Akamai Account Protector IdP Adapter settings reference](pf-akamai-p7-adapter-settings-ref.html). |

## How the adapter handles requests with or without the specified request header

Based on the threshold values configured in the adapter instance, the adapter evaluates the incoming request and determines a risk level. You can then use the resulting risk level and corresponding score to drive authentication policy decisions.

* Learn more about configuring threshold values in the **Medium Limit** and **High Limit** fields described in [Akamai Account Protector IdP Adapter settings reference](pf-akamai-p7-adapter-settings-ref.html).

* Learn more about using the risk score in the authentication policy in the Authentication policy configuration section.

If the Akamai Account Protector header isn't present in the incoming request:

* The adapter exits, setting the `status` to `SUCCESS` and the `level` core contract attribute to `noscore`.

* The adapter doesn't fulfill the `score` contract attribute.

## Configuring the PingFederate authentication policy

1. In the PingFederate admin console, go to **Authentication > Policies > Policies** and make sure the **IdP Authentication Policies** checkbox is selected.

2. Open an existing policy or click **Add Policy**.

   You can find more information in [Defining authentication policies](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_defining_auth_policies.html) in the PingFederate documentation.

3. In the **Policy** area, in the **Select** list, select a Akamai Account Protector IdP Adapter adapter instance.

4. In the **Rules** modal, create paths for the possible outcomes of the `level` core contract attribute.

   You can find more information in [Configuring rules in authentication policies](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_config_rules_auth_policies.html) in the PingFederate documentation.

   1. Under the Akamai Account Protector IdP Adapter adapter instance, click **Rules**.

   2. In the **Authentication Source** list, select the adapter instance.

   3. In the **Attribute Name** list, select the `level` core contract attribute.

   4. In the **Condition** list, select **equal to**.

   5. In the **Value** field, enter `low`, `medium`, `high`, `no_score`, or `client_error`.

      |   |                                                                                                                                                                                                                                                                                                                    |
      | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
      |   | `client_error` is a value the adapter sets if it received the Akamai Account Protector header but encountered a runtime error when reading the `score` value. For example, if the value isn't an integer, the adapter can't determine where it falls as far as the configured **Medium Limit** and **High Limit**. |

   6. In the **Result** field, enter a name.

      This appears as a new policy path that branches from the authentication source.

   7. To add more policy paths, click **Add** and repeat steps a - e.

   8. (Optional) Clear the **Default to success** checkbox.

   9. Click **Done**.

   For example:

   ![Screen capture of an example rules configuration for the Akamai Account Protector IdP Adapter.](_images/akamai-authn-policy.png)

5. Configure each of the authentication policy paths you created based on the output of the `level` core contract attribute.

6. Click **Done**.

7. In the **Policies** window, click **Save**.