Lazy Auth Sessions
I'm trying to use the SAML_AUTH modules in Access Policy to protect a webserver using Shibboleth. That in and of itself is easy. I have an iRule that sends down headers to the server based on the assertions we got from SAML_AUTH:
```tcl
when ACCESS_ACL_ALLOWED {
    # Pull the user attribute that SAML_AUTH stored in the APM session
    set user [ACCESS::session data get "session.saml.last.attr.friendlyName.user"]
    # Pass it to the backend webserver as an HTTP request header
    HTTP::header insert "user" $user
}
```
I even have a decision box in my APM that only lets in users who have specific SAML attribute values (like only SAML users who are in groups).
Now I want to be able to have users get to everything except URIs that start with /admin without requiring auth. Then later if the user goes to /admin they are forced to log in.
I've gotten close with this setup: [APM screenshot of the access policy]
Where
- the URI_Switch does a branch decision based on whether the URI starts with /admin or not
- the SAML_Auth forces login redirects and decodes assertions into F5 session variables
- and the Group_Switch looks at the assertion and decides whether the user has the correct group memberships to see /admin
All of this seems to work fairly well, except the Access Policy only runs once per session. So if a user goes to a non-protected URL first and then goes to /admin, the Access Policy is not invoked, so the SAML_Auth box is never hit.
So my question is: how do I get the Access Policy to re-run when a user goes to a specific URL?
I'm guessing here but maybe I could have an iRule that runs when HTTP_Request and if the URL is /admin AND the session.saml.last.attr.friendlyName.user is empty then somehow reset the session ID?
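The approach the poster sketches in the last paragraph, written out as an added iRule example that is not part of the original post or of any F5-supplied code. It assumes the virtual server has the APM access profile from the question attached, that the policy's SAML_Auth box populates session.saml.last.attr.friendlyName.user, and that only paths under /admin need authentication. ACCESS::session exists, ACCESS::session remove, ACCESS::session data get, HTTP::path and HTTP::header remove/insert are standard BIG-IP iRule commands; the event handling and the variable names around them are this example's own.

```tcl
# Added example, not from the original post.
# Assumed: APM access profile attached to the virtual, SAML_Auth sets
# session.saml.last.attr.friendlyName.user, /admin is the only protected area.

when HTTP_REQUEST {
    # Match on the path only (query string excluded) and case-insensitively,
    # so neither /admin?x=1 nor /Admin slips past the check.
    set path [string tolower [HTTP::path]]

    if { [string match "/admin*" $path] } {
        set user [ACCESS::session data get "session.saml.last.attr.friendlyName.user"]
        if { $user eq "" } {
            # An APM session exists but was created on the unauthenticated
            # branch, so the SAML attribute was never populated. Removing the
            # session makes APM treat this request as a new one and run the
            # access policy again; the URI_Switch then sends it through
            # SAML_Auth and Group_Switch. APM records the requested URI in
            # session.server.landinguri, so the user returns to /admin after
            # logging in.
            if { [ACCESS::session exists] } {
                ACCESS::session remove
            }
        }
    }
}

when ACCESS_ACL_ALLOWED {
    # Never forward a "user" header that came from the client. Strip any
    # client-supplied copy first so the backend sees exactly one header and
    # it always carries the value taken from the SAML assertion.
    HTTP::header remove "user"

    set user [ACCESS::session data get "session.saml.last.attr.friendlyName.user"]
    if { $user ne "" } {
        HTTP::header insert "user" $user
    }
}
```

Two points worth checking when trying this: first, a request to /admin from a session that already authenticated keeps its session, because the attribute is non-empty, so the policy is not re-run needlessly; second, the header stripping in ACCESS_ACL_ALLOWED matters independently of the re-authentication question, since HTTP::header insert adds a header rather than replacing one, and a client that sends its own "user" header would otherwise reach the backend with two values to choose from.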