Forum Discussion
Alongkorn_Siril
Nimbostratus
May 23, 2013
iRule check multiple logon in APM
Hi everyone. I am trying to write an iRule to check the username in APM. The requirement is that a user cannot log on to an account at the same time on multiple devices. My iRule is below:
when ACCESS_POLICY_AGENT_EVEN...
Kevin_Stewart
Employee
May 23, 2013
I think I may have something.
1. Create an access policy that authenticates a user (i.e. logon page + AD Auth) - make sure that the user's logon name gets applied to the session.logon.last.username session variable.
2. After the authentication, perform a query (AD or LDAP) that pulls the group membership value for that user. In the below iRule example I've populated the AD "comment" block with either "GROUPA" or "GROUPB".
3. Add an iRule event after the successful query. In the example below the iRule event ID is "GROUPCHECK".
4. Add the following iRule to the virtual server (tweak as required):
    when RULE_INIT {
        # Set to 0 to silence the debug log line below
        set static::policy_debug 1
    }

    when ACCESS_POLICY_AGENT_EVENT {
        # Only act on the iRule event agent whose ID is "GROUPCHECK"
        if { [ACCESS::policy agent_id] equals "GROUPCHECK" } {
            # Group membership was written to the AD/LDAP "comment" attribute by the query
            if { [ACCESS::session data get session.ldap.last.attr.comment] equals "GROUPB" } {
                # ACCESS::uuid getsid returns the session IDs registered under the user key
                # "<access profile name>.<username>"; any hit means this user already has a session
                if { [llength [ACCESS::uuid getsid "[ACCESS::session data get session.access.profile].[ACCESS::session data get session.logon.last.username]"]] > 0 } {
                    if { $static::policy_debug } {
                        log local0. "[ACCESS::session data get session.logon.last.username] in GROUP B attempted multiple sessions"
                    }
                    # Drop the session being established
                    ACCESS::session remove
                }
            }
        }
    }
Within the APM iRule event (based on the "GROUPCHECK" ID), we'll check the query result. If the query value equals "GROUPB" AND the count of sessions for this user, using the ACCESS::uuid getsid command, exceeds 1 session, remove the session.
If the first session is closed by simply closing the browser, the session will remain in the session cache until it expires, preventing another session from opening. So while the above should work to prevent multiple sessions for a given group of users, you'll need a way to more proactively close the session when the user leaves, which is not always an easy thing to do.
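An added example (not Kevin's code or F5's) of the other way to enforce the single-session rule: when a restricted user logs on again, the older session IDs returned by ACCESS::uuid getsid are removed instead of the new logon being refused, so a session left behind by a closed browser no longer locks the user out until it times out. It assumes the same policy layout as the answer above (an AD/LDAP query filling session.ldap.last.attr.comment and an iRule event agent with ID "GROUPCHECK"), that ACCESS::session sid returns the current session ID and that ACCESS::session remove accepts a -sid argument; the group list and log text are constructed.

```tcl
# Added example, not part of the original answer. Evicts a user's older APM sessions
# when a member of a restricted group logs on again ("new logon wins").
when RULE_INIT {
    # Constructed: groups (from the AD/LDAP "comment" attribute) limited to one session
    set static::single_session_groups [list "GROUPB"]
    set static::policy_debug 1
}

when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] ne "GROUPCHECK" } { return }

    set user    [ACCESS::session data get session.logon.last.username]
    set profile [ACCESS::session data get session.access.profile]
    set group   [ACCESS::session data get session.ldap.last.attr.comment]
    # Assumption: ACCESS::session sid returns the ID of the session being established
    set my_sid  [ACCESS::session sid]

    if { [lsearch -exact $static::single_session_groups $group] < 0 } { return }

    # Same user key the answer uses: "<access profile name>.<username>".
    # Exclude our own session ID so the check works whether or not the current
    # session is already listed under that key at this point in the policy.
    set others [list]
    foreach sid [ACCESS::uuid getsid "$profile.$user"] {
        if { $sid ne $my_sid } { lappend others $sid }
    }

    if { [llength $others] > 0 } {
        if { $static::policy_debug } {
            log local0. "$user ($group) logged on again; removing [llength $others] older session(s)"
        }
        foreach sid $others {
            # Assumption: -sid removes the named session rather than the current one
            ACCESS::session remove -sid $sid
        }
    }
}
```

This inverts the policy in the answer (the existing session loses instead of the new one), so pick it only if a user being disconnected by their own later logon is acceptable.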