Seamless Elevation from Single Factor to 2 Factor Webtops

Hey all... Hopefully someone else has run into this issue and may be able to point me in the right direction to solve it... Thanks in advance.

 

We are running 11.2.1 firmware

 

Requirement:

 

We allow our users to log in as single factor and 2 factor. Single factor will only show a subset of the applications available. If the user has logged in as single factor, we would like to provide a button/link to allow them to "elevate" to 2 factor authentication (which would take them to another webtop with more applications). The key is that we do not want them to have to enter their username and password again, but only enter in their SecurID token.

 

Considerations:

 

1.) Ideally we would stay in the same Access Policy and just throw up a new logon page only asking for SecurID which takes them to a 2 factor webtop. (I don't see how this would be possible)

 

2.) We could get the link to log them off and redirect to a different virtual server, but in this scenario how to we maintain the username and password so they don't need to enter them again?

 

Has anyone run into this issue, or something similar. Any assistance greatly appreciated!