Suppress MFA for a period of time
Problem this snippet solves: This code snippet can be used if you want to suppress MFA for a period of time. This solution uses an encrypted persistent cookie, that will be set at a successful MFA l...
Published Jul 16, 2019
Version 1.0
Stanislas_Piro2
Cumulonimbus
Cumulonimbusyou may merge HTTP_REQUEST and ACCESS_SESSION_STARTED events in ACCESS_SESSION_STARTED.
ACCESS_SESSION_STARTED raise just after HTTP_REQUEST if access session is found... this is just before HTTP redirect to /my.policy... you can use HTTP::cookie commands like in HTTP_REQUEST event.
when ACCESS_SESSION_STARTED {
# store hash from cookie in APM variable
if { [HTTP::cookie exists $static::suppress_mfa(cookie)] } {
ACCESS::session data set session.custom.suppressmfa.hash [HTTP::cookie decrypt $static::suppress_mfa(cookie) $static::suppress_mfa(passphrase)]
}
}Instead of Irule Event, did you try this branch expression?
expr {[b64encode [md5 "c:[mcget session.logon.last.username]:[mcget session.user.agent]"]] == [mcget session.custom.suppressmfa.hash]}I can't test now if it works... but I guess both b64encode and md5 commands works in VPE expressions