Forum Discussion
ACCESS_Policy_Agent_Event Remove Session
- May 06, 2016
Your solution won't work with a VPE iRule agent because the Landing URI object is not called for subsequent requests. The access policy only runs once, when the user first authenticates. Thus you need to do it in a per-request policy that runs every time, or in an iRule not dependent on the VPE agent (i.e., the HTTP_REQUEST or ACCESS_ACL_ALLOWED event).
As noted above by Seth, 12.1 will have step-up authentication capabilities within per-request policies. This is considered an early access feature. I don't believe it enables SAML Auth for step-up use cases yet though, so you'd need to do the MFA using a simple RADIUS event (not RADIUS challenge; support to come later). The benefit of using this approach instead of SAML Auth redirect is the user won't have to enter username/password again at the IdP.
In the meantime or if that does not work for you, this iRule should solve your problem. You should remove the VPE iRule agent event you have now. You should also add a variable assign object after your successful MFA SAML auth that sets the session variable session.custom.mfa (used in the iRule) to 1. I suggest that on your VPE Landing URI object you click "change" on the /ecp URI, go to advanced mode, and change from == to starts_with so that it will capture anything starting with /ecp.
```tcl
when ACCESS_ACL_ALLOWED {
    # Fires on every allowed request after the access policy has completed,
    # so the step-up check is enforced per request, not only at first logon.
    if { [HTTP::uri] starts_with "/ecp" } {
        # session.custom.mfa is set to 1 by the Variable Assign agent after a
        # successful MFA SAML auth; anything else means MFA has not happened.
        if { [ACCESS::session data get session.custom.mfa] != 1 } {
            # Drop the session and send the browser back to the same URI so the
            # next request re-enters the access policy via the /ecp Landing URI
            # branch. Note: 301 is a permanent redirect and may be cached by
            # the browser; 302 avoids that if it becomes a problem.
            ACCESS::session remove
            ACCESS::respond 301 Location "[HTTP::uri]"
        }
    }
}
```
Hello,
As a workaround, you can define a 2-factor IdP and a standard one (to handle normal auth).
Then you bind an OWA VS to the standard IDP and the ECP VS to the 2-factor IDP.
The 2-factor IDP is bound to the Standard IDP.
Thus, when you connect to your OWA VS, you use username/password creds to authenticate. And when you go to ECP VS, you are prompted to set the second factor.
This requires separating OWA and ECP by different hostnames and rejecting connections to unwanted URIs on each VS. And you need to use more access profiles.
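One way to do the per-VS URI rejection that this workaround calls for, written as an added example rather than code from the thread; the hostnames owa.example.com and ecp.example.com and the APM endpoint prefixes (/my.*, /saml/) are assumptions to adjust for the deployment.

```tcl
# Added example (not from the original thread): restrict each hostname to
# its own application so ECP can only be reached through the 2-factor IdP.
# Hostnames below are placeholders; attach to both virtual servers.
when HTTP_REQUEST {
    # Normalise host (drop any :port) and path before matching.
    set host [lindex [split [string tolower [HTTP::host]] ":"] 0]
    set path [string tolower [HTTP::path]]

    # APM's own endpoints (policy, logout, SAML ACS) must stay reachable on
    # both hosts or the access policy cannot complete. Assumption: the
    # deployment uses the default /my.* and /saml/ paths.
    if { [string match "/my.*" $path] || [string match "/saml/*" $path] } {
        return
    }

    switch -glob -- $host {
        "owa.example.com" {
            # Settings pages are not served here, only via the ECP host.
            if { [string match "/ecp*" $path] } {
                log local0. "Rejected $path on OWA VS from [IP::client_addr]"
                HTTP::respond 403 content "Forbidden" noserver
            }
        }
        "ecp.example.com" {
            # Nothing but ECP is served on the 2-factor host.
            if { ![string match "/ecp*" $path] } {
                log local0. "Rejected $path on ECP VS from [IP::client_addr]"
                HTTP::respond 403 content "Forbidden" noserver
            }
        }
        default {
            # Unknown Host header: refuse rather than guess.
            log local0. "Rejected unknown host $host from [IP::client_addr]"
            HTTP::respond 403 content "Forbidden" noserver
        }
    }
}
```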