Hi,
HTTP_REQUEST is not the right event to use, as it is evaluated for every subsequent request and not only during policy evaluation.
You can do it with this (the event is only evaluated when a new session starts):
    when ACCESS_SESSION_STARTED {
        # Only handle SSO.ping URIs that contain an underscore
        if {[set uri [HTTP::uri]] contains "/idp/SSO.ping" && $uri contains "_"} {
            # Strip the leading /f5-w-...$$ prefix when it is present
            if {[scan $uri {/f5-w-%[^$]$$%s} garbage SSO_URI] == 2} {
                ACCESS::session data set session.lmt.sso.starturi "$SSO_URI"
            } else {
                ACCESS::session data set session.lmt.sso.starturi $uri
            }
        }
    }
Or with a variable assign:
    session.lmt.sso.starturi =
    if {[scan [mcget {session.server.landinguri}] {/f5-w-%[^$]$$%s} garbage SSO_URI] == 2} {
        return $SSO_URI
    } else {
        return [mcget {session.server.landinguri}]
    }
If you want to evaluate this code for every request, you must use the ACCESS_ACL_ALLOWED event (same as HTTP_REQUEST but after APM and the rewrite profile). In this event there is no need to parse HTTP::uri.
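
Added example, not part of the original post: the `scan` format used above, run in plain `tclsh` against constructed URIs to show when it returns 2 and when the code falls back to the unmodified URI. The proc name `sso_start_uri`, the sample URIs and the local-path check are assumptions made for illustration.

```tcl
# Plain Tcl (tclsh), not an iRule. Proc name and sample URIs are constructed.
proc sso_start_uri {uri} {
    # Same scan format as the post: literal "/f5-w-", a non-empty run of
    # characters other than "$", literal "$$", then the rest of the string
    # up to the first whitespace.
    if {[scan $uri {/f5-w-%[^$]$$%s} garbage rest] == 2} {
        # Added assumption (not in the post): only store a local path,
        # i.e. a value starting with a single "/".
        if {[string match "/*" $rest] && ![string match "//*" $rest]} {
            return $rest
        }
    }
    # No prefix, malformed prefix, or rejected remainder: keep the URI as-is.
    return $uri
}

# Constructed inputs: prefixed URI, unprefixed URI, prefix with nothing
# between "/f5-w-" and "$$", and a remainder that is not a local path.
foreach uri {
    {/f5-w-68747470733a2f2f$$/idp/SSO.ping?PartnerSpId=sp_1}
    {/idp/SSO.ping?PartnerSpId=sp_1}
    {/f5-w-$$/idp/SSO.ping}
    {/f5-w-68747470733a2f2f$$//other.example/path}
} {
    puts [format "%-60s -> %s" $uri [sso_start_uri $uri]]
}
```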