F5 APM SAML skip MFA for X days

Hi Slayer,

When using multi-domain SSO there is only one Primary Authentication URI. I think this will help, so you only will have to set one cookie for the Primary Authenticaton URI. If you use multiple websites with each it's own access policy, the cookie that is set for example to website1 will not be send by the browser when accessing website2, unless all websites are part of the same domain, then you could set a domain cookie.

It's difficult to fingerprint a specific device, unless these are managed devices and you could do certificate auth.

But maybe a hash of the username and user-agent are sufficient, because the device will present a cookie. The cookie will probably get stored on the local device only. This will limit the 'skip MFA' to this specific device only.

I will try and create an example iRule for you. Hope to get some time this week to do this.