No session expiration message w/SAML Auth

We recently switched our access policy to SAML auth, using the SAML provider as the IdP and F5 as the SP. Before the SAML switch, we had a logon page as step 1 of the access policy, which would show a 'session expired, click here for new session' window if the access policy timeout was reached. There is no point of a logon page when using SAML since the SAML auth step takes users straight to the IdP logon page.

Here's the issue. Users leave their VPN client connected overnight and get disconnected at some point, due to machine going to sleep, etc, which prompts a reconnection process from BIG-IP Edge client. The SAML login page is presented at stage 1, which can sit there for an unknown amount of time. The access policy has already expired by the time users actually log back in, but there is no indication of this so the user enters credentials and receives an access denied message.

Any ideas how to workaround this?

I've tried:

• Adding message box (janky but works)
• Increase access policy timeout (not really a great solution?)
• iRules

In regards to iRules, I am a novice. I understand how to throw some syntax together but the problem is figuring out an approach. Since step 1 of access policy sends to SAML auth, there's no great way on the F5 side to control behavior once it goes to the IdP. When running a Fiddler trace, there is no traffic event when the access policy deny timeout is hit, so I have no event to work with. The only traffic I could act on is after users enter their credentials at the IdP, but anything at that stage will require a second login for users. I've been looking on the IdP side for a way to create a timeout.

Any advice appreciated!