Lazy Auth Sessions

I'm trying to use the SAML_AUTH modules in Access Policy to protect a webserver using shibboleth. That in and of itself is easy. I have an iRule that sends down headers to the server based on the assertions we got from SAML_AUTH:

when ACCESS_ACL_ALLOWED {
   set user [ACCESS::session data get "session.saml.last.attr.friendlyName.user"]
  HTTP::header insert "user" $user
}

I even have a decision box in my APM that only lets in users who have specific SAML attribute values (like only SAML users who are in groups).

Now I want to be able to have users get to everything except URIs that start with /admin without requiring auth. Then later if the user goes to /admin they are forced to log in.

I've gotten close with this setup: APM Screenshot

Where

• the URI_Switch does a branch decision based on whether the URI starts with /admin or not
• the SAML_Auth forces login redirects and decodes assertions into F5 session variables
• and the Group_Switch looks at the assertion and decides whether the user has the correct group memberships to see /admin

All of this seems to work fairly well except the Access Policy only runs once per session. So if a user goes to a non-protected URL first, then goes to /admin the Access Policy is not invoked, so the SAML_Auth box is never hit.

So my question is: how do I get the Access Policy to re-run when a user goes to a specific URL?

I'm guessing here but maybe I could have an iRule that runs when HTTP_Request and if the URL is /admin AND the session.saml.last.attr.friendlyName.user is empty then somehow reset the session ID?