Forum Discussion
On-Demand Cert Auth Fallback
JoeLupo73, first things first, I was saying that you should NOT set Request or Require in both the client SSL profile and the APM On-Demand Cert Auth agent. Only do it in one. If you select Request or Require in the client SSL profile, mutual authentication happens in the first SSL handshake with the client. The certificate data will still be accessible to the access session. If you set the client SSL profile to Ignore, and then set the APM On-Demand Cert Auth agent to Request or Require, mutual authentication will happen in a renegotiated SSL handshake after the initial handshake. This renegotiated handshake also has the benefit of being completely encrypted with the session keys from the first handshake, so an eavesdropper cannot see who is logging into your application.
In both cases though, the Require option is a hard fail. If certificate validation fails, or the user simply doesn't present a certificate, the session is closed. The Request option is a soft fail. If certificate validation fails, or the user simply doesn't present a certificate, the session is maintained and you can then make additional decisions, like passing HTML content to the user.
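To make the "set it in only one place" rule concrete, here is an added tmsh configuration example (not from the post above and not F5's own documentation) showing the two placements described: mutual TLS in the client SSL profile, or the profile set to Ignore so that the APM On-Demand Cert Auth agent performs it in a renegotiated handshake. Profile names, certificate and key file names and the CA bundle name are placeholders; the access policy containing the On-Demand Cert Auth agent is built in the policy editor and is not shown here, and the example assumes the profile's default renegotiation setting is left enabled.

```tmsh
# Added example, not from the forum post: placeholder object names throughout.

# Option A: the client SSL profile itself requests/requires the client certificate,
# so mutual authentication happens in the first handshake. Do NOT also set
# Request/Require in the APM On-Demand Cert Auth agent for a policy using this profile.
create ltm profile client-ssl app-mtls-clientssl defaults-from clientssl cert-key-chain add { default { cert app.crt key app.key } } ca-file corp-ca.crt peer-cert-mode require

# Option B: the client SSL profile ignores client certificates. The APM On-Demand
# Cert Auth agent (set to Request or Require inside the access policy) triggers the
# renegotiated handshake, which is encrypted under the first handshake's session keys.
create ltm profile client-ssl app-apm-clientssl defaults-from clientssl cert-key-chain add { default { cert app.crt key app.key } } ca-file corp-ca.crt peer-cert-mode ignore

# Check before pairing a profile with an access policy: only one of the two
# places should be asking for the certificate.
list ltm profile client-ssl app-apm-clientssl peer-cert-mode
list ltm profile client-ssl app-mtls-clientssl peer-cert-mode
```

A quick external check of which option is in effect: an `openssl s_client -connect <host>:443` session against a virtual using option A prints "Acceptable client certificate CA names" during the initial handshake, whereas option B reports "No client certificate CA names sent" because the certificate request only arrives in the later, encrypted renegotiation once the access policy reaches the agent.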