I have a garden-variety webtop with a handful of portals on it. But we have a requirement that the user who authenticated must have accepted our site's most recent terms and conditions before continuing. These are external business partners, and that is tracked in a separate database that the F5 can't read.
We want APM, upon successful authentication, to redirect the user to a webserver that checks, prompts the user to accept the terms if they haven't already, and then redirect back when done - then the user gets to see the webtop, select a portal, and carry on with their session. If they don't accept, the session is to be dropped.
That server is not exposed outside, so we want this redirect to occur through the portal, meaning that the client browser needs to see a URI that is the encoded & rewritten address for the Ts&Cs server that will be resolved inside.
I tried ending the policy with a redirect and keep session open after the resource assign, but that isn't allowed with portals. Modification of the session.server.landinguri doesn't seem to have any effect.
Is there a way to approach this like 2FA? Or something completely different?
More details. APM is doing the auth, but we need to send the credentials over to this external server (SSO, essentially). I don't get any data back, but the user will be thrown on the floor if they haven't or don't accept the Ts & Cs, and redirected back to APM if they have. So I need a way to do a forms post to this external page. If I set up an SSO profile (assuming that even works prior to policy "Allow" ending), then I can't use it for the apps behind the portal, since you can only have one SSO profile on a policy.
Why don't you try to use an AAA HTTP to send the request to the webserver and do all the checks? You just have to check the response back from the web server and show the message with the terms based on that. You can use a decision message box to finish the session if the user doesn't agree. You can use another AAA HTTP to confirm that the user accepted the terms.
If that webserver is able to receive a POST message with the information you have from the customer, this should do the work.
Another option is to use an iRule with sideband connections.
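The sideband variant mentioned above, as an added example that is not from this thread or from F5: it assumes an iRule Event agent in the access policy with ID `terms_check`, an internal terms server at the placeholder address 10.0.0.50:80, and that this server answers `200` with `accepted` in the body for a user who has signed the current terms; the policy then branches on `session.custom.terms_accepted`.

```tcl
# Added example: sideband check of terms acceptance from an APM policy.
# Fires when the iRule Event agent with ID "terms_check" runs in the policy.
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] ne "terms_check" } { return }

    # Send only the username, never the password, to the internal server.
    set user [ACCESS::session data get "session.logon.last.username"]
    set body "user=[URI::encode $user]"
    set req  "POST /api/terms/status HTTP/1.1\r\n"
    append req "Host: terms.internal.example\r\n"
    append req "Content-Type: application/x-www-form-urlencoded\r\n"
    append req "Content-Length: [string length $body]\r\n"
    append req "Connection: close\r\n\r\n$body"

    # Default deny: if the check cannot complete, the policy branch denies.
    ACCESS::session data set "session.custom.terms_accepted" 0

    # Placeholder internal address (assumed); timeouts in milliseconds.
    set conn [connect -timeout 3000 -idle 5 -status conn_status 10.0.0.50:80]
    if { $conn_status ne "connected" } {
        log local0.err "terms check: sideband connect failed for $user"
        return
    }
    send -timeout 3000 -status send_status $conn $req
    set resp [recv -timeout 3000 -status recv_status $conn]
    close $conn

    # Assumed server contract: HTTP 200 with "accepted" in the body.
    if { [string match "HTTP/1.? 200*" $resp] && [string match "*accepted*" $resp] } {
        ACCESS::session data set "session.custom.terms_accepted" 1
    } else {
        log local0.info "terms check: $user has not accepted current terms"
    }
}
```

In the policy, follow the iRule Event agent with an Empty agent whose branch rule is `expr { [mcget {session.custom.terms_accepted}] == 1 }`, sending the Allow path to the webtop and the fallback to Deny (or to the decision box the answer above describes).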