clientless - sso

Your thread title actually suggests the answer. You can use the clientless-mode header in the HTTP_REQUEST event, collect the payload if it's a POST request (and a specific URI?), and then process the values inside the access session from ACCESS_SESSION_STARTED and beyond. Clientless-mode will allow youto pass through and evaluate an access policy without the initial 302 redirect to /my.policy. The biggest downside of clientless mode is that you can't do any interactive functions in the policy (ie. logon forms, message boxes, and some other things). Here's an example:

when HTTP_REQUEST {    
    HTTP::header insert "clientless-mode" 1        
    if { ( [HTTP::method] equals "POST" ) and ( [string tolower [HTTP::uri]] starts_with "/auth" ) } {        
        HTTP::collect [HTTP::header Content-Length]              
    }      
}    
when HTTP_REQUEST_DATA {    
     parse the XML payload in request        
}