Forum Discussion
Yes, well. It's step-up auth, so it's not done on the access policy but on a per-request policy. It also has to be done as a subroutine, and my reading tells me that per-request subroutines don't have the session variables as writable, only readable.
A quick check via the GUI shows that the cert info is in the per-request subsession variables. How can I insert headers from a subroutine in a per-request policy? I'm thinking the only way is to use an iRule event...
But this seems rather hard.
Note - I am not sure when ACCESS_ACL_ALLOWED is fired, but I have checked the session variables - no sign of the cert in the main session variables :(
Hi
No, I am a newbie, and this is the current solution I have come up with. If you can show me a better way, potentially easier, I'm happy to listen.
So I will try to outline the problem I am trying to solve.
I want users to be able to go to
https://www.example.com - with no APM and no login, as anonymous; let them use it.
But when they hit
https://www.example.com/secret
I want APM to kick in - they must have a valid SSO session, maybe group-based (I have this working).
But when they hit
https://www.example.com/secret/ultraSecret
I want an OTP or some other MFA to kick in.
I have tried to stay away from using iRules for all of that and used the VPE.
I have an SSO multi-domain setup; it's at auth.example.com,
so that people can go to
https://www.example.com/
then to
https://clients.example.com/
without having to log in again, and to any other site I might manage under example.com.
So my presumption is:
The per-session access policy only kicks in at the first place a session is started. So
if a user goes to
https://www.example.com/secret
APM bumps it to
https://auth.example.com/
and this is where the per-session access policy starts - it uses the VPE for auth.example.com, not www.example.com,
and it's only evaluated at session creation.
So that's why I created a per-request access policy - also part of the zero trust setup.
So I can use this for
https://www.example.com/secret
to bump up to needing to be authorized,
and I can do the bump up for
https://www.example.com/secret/ultraSecret
where I can force needing a cert - works well.
The issue is getting information from the subsession back into the session variables.
I'm thinking maybe (doing more googling) that the localdb might be the place to also keep variables / info...
If you have a different way to produce the above, I would be happy to try it.
Thanks
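One way to get a value out of the per-request subroutine and into a header for the backend is the iRule Event route the poster mentions; the iRule below is an added illustration, not the poster's code or an F5-supplied snippet. It assumes the subroutine runs a Variable Assign agent that copies the wanted cert field into perflow.custom, followed by an iRule Event agent with the ID "persist_cert"; the session.custom.stepup.cert variable and the X-Client-Cert-Subject header name are placeholders chosen here.

```tcl
# Added example (not from the original post). Assumptions: the subroutine's
# Variable Assign agent puts the cert field into perflow.custom, and an iRule
# Event agent with ID "persist_cert" runs right after it. Variable and header
# names below are placeholders.
when ACCESS_PER_REQUEST_AGENT_EVENT {
    if { [ACCESS::perflow get perflow.irule_event.id] eq "persist_cert" } {
        # perflow variables exist only for this request; copy the value into
        # the per-session store so later requests can see it
        set cert_value [ACCESS::perflow get perflow.custom]
        if { $cert_value ne "" } {
            ACCESS::session data set session.custom.stepup.cert $cert_value
        }
    }
}

when ACCESS_ACL_ALLOWED {
    # Fires for each request APM allows through; only tag the step-up path
    if { [HTTP::path] starts_with "/secret/ultraSecret" } {
        set cert_value [ACCESS::session data get session.custom.stepup.cert]
        if { $cert_value ne "" } {
            # strip any client-supplied copy so the backend only trusts ours
            HTTP::header remove "X-Client-Cert-Subject"
            HTTP::header insert "X-Client-Cert-Subject" $cert_value
        }
    }
}
```

Because the value is written into a session variable, it persists for the rest of the APM session; if the cert check should be re-done per request, clear session.custom.stepup.cert when the subroutine's gating decision changes.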