APM Portal Links SSO with Azure AD



We have an APM portal using AD authentication. We recently transitioned to using Azure AD MFA to log into it. This was done by following the solution to integrate APM with Azure AD using the bigIP as a SAML SP and works without issue. However, after logging into the portal and clicking on any of the links for the various apps (which are also Azure AD integrated), the user must go through the login process with Azure AD all over again, which is annoying. Is there a way to somehow use the original SAML authentication from logging into the portal to seamlessly be logged into the various apps? Interestingly, once the user clicks on subsequent apps after the second login, they are logged in automatically, so I believe it's able to use the session tokens stored in the browser for subsequent logins after the second login (but not after the initial log in to the portal).



F5 Employee

Once APM receives a SAML assertion from an IdP, it should usually finish authentication and the user's session should be in "Allow" state.

Upon the first network request without a cookie, APM creates a session ID and sends it to the client in an "MRHSession" cookie. Upon each subsequent network request, the client should transmit this cookie to tie the request to the user's session. It sounds like for whatever reason, your login session isn't following this pattern.

To see why, use your browser's dev tools to examine the cookies sent and received by your user's browser. It might be that you're using multi-domain mode (when you visit a host with no MRHSession cookie, the APM will redirect you to the "Primary Authentication URI" for login, then redirect back to the original URI and use some HTTP redirect tricks to share the MRHSession cookie between the domains specified in the config). This is where that multi-domain mode is set up:


The problem could also be something else, but in any case looking at the network requests and cookies in your browser dev tools will get you closer to an answer.
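
The cookie check suggested in the reply above can also be run over a HAR file saved from the dev tools Network tab. This is an added example, not part of the original reply or F5's code: the hostnames and session IDs in the sample are constructed, and the function names are hypothetical.

```python
import json
import sys
from urllib.parse import urlsplit

COOKIE = "MRHSession"

# Constructed sample in HAR 1.2 shape; hostnames and session IDs are made up.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://portal.example.com/", "cookies": []},
     "response": {"status": 302, "cookies": [{"name": COOKIE, "value": "aaaa1111"}]}},
    {"request": {"url": "https://portal.example.com/portal",
                 "cookies": [{"name": COOKIE, "value": "aaaa1111"}]},
     "response": {"status": 200, "cookies": []}},
    {"request": {"url": "https://app1.example.net/", "cookies": []},
     "response": {"status": 302, "cookies": [{"name": COOKIE, "value": "bbbb2222"}]}},
    {"request": {"url": "https://app1.example.net/home",
                 "cookies": [{"name": COOKIE, "value": "bbbb2222"}]},
     "response": {"status": 200, "cookies": []}},
]}}

def _value(cookies):
    """Return the MRHSession value from a HAR cookie list, or None."""
    return next((c["value"] for c in cookies if c["name"] == COOKIE), None)

def trace(har):
    """One row per request, in capture order: host, status, ID sent, ID set."""
    return [{"host": urlsplit(e["request"]["url"]).hostname,
             "status": e["response"]["status"],
             "sent": _value(e["request"].get("cookies", [])),
             "set": _value(e["response"].get("cookies", []))}
            for e in har["log"]["entries"]]

def findings(rows):
    """Flag requests that arrive without the cookie once a session exists,
    and responses that hand out a session ID not seen before."""
    out, known = [], set()
    for i, r in enumerate(rows):
        if known and r["sent"] is None:
            out.append((i, r["host"], "no MRHSession sent although a session was issued earlier"))
        if r["set"] and known and r["set"] not in known:
            out.append((i, r["host"], "new session ID issued"))
        if r["set"]:
            known.add(r["set"])
    return out

if __name__ == "__main__":
    har = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_HAR
    for finding in findings(trace(har)):
        print(finding)
```

A HAR export contains live session cookies, so handle the file as you would a credential.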