ACCESS_Policy_Agent_Event Remove Session
We have our Exchange 2013 environment proxied behind APM via iApp configs. For browser authentication (through OWA and ECP) we have them both going to the same SAML IdP for authentication. However, within the SAML IdP, we have separate security levels. So we have regular /owa access be just username and password. ECP access, however, must go through our multifactor mechanisms.
If going to /owa or /ecp from a fresh browser, this works beautifully. However, if a user first authenticates to /owa and then goes to /ecp, APM just automatically logs them in without redirecting the user back to the SAML provider to apply the more secure authentication policy. I'm trying to figure out a way to insert an iRule event so that when /ecp is accessed (via Landing URI check), the iRule event removes any existing access sessions so that APM redirects the user back to SAML to authenticate. I've tried a bunch of different combinations with if/when logic for when the HTTP path contains /ecp. But no matter what I try, F5 rejects the iRule because "ACCESS::session remove" is not permitted under ACCESS_POLICY_AGENT_EVENT. At a basic level, this is essentially what I need:
1)
    when ACCESS_POLICY_AGENT_EVENT {
        ACCESS::session remove
    }
or
2)
    when ACCESS_POLICY_AGENT_EVENT {
        when HTTP_REQUEST {
            if { [HTTP::path] contains "/ecp/" } {
                ACCESS::session remove
            }
        }
    }
Has anyone tried something like this before?
Your solution won't work with a VPE iRule agent because the Landing URI object is not called for subsequent requests. The access policy only runs once, when the user first authenticates. Thus you need to do it in a per-request policy that runs every time, or in an iRule not dependent on the VPE agent (i.e. the HTTP_REQUEST or ACCESS_ACL_ALLOWED event).
As noted above by Seth, 12.1 will have step-up authentication capabilities within per-request policies. This is considered an early access feature. I don't believe it enables SAML Auth for step-up use cases yet though, so you'd need to do the MFA using a simple RADIUS event (not RADIUS challenge, support to come later). The benefit of using this approach instead of a SAML Auth redirect is the user won't have to enter their username/password again at the IdP.
In the meantime or if that does not work for you, this iRule should solve your problem. You should remove the VPE iRule agent event you have now. You should also add a variable assign object after your successful MFA SAML auth that sets the session variable session.custom.mfa (used in the iRule) to 1. I suggest that on your VPE Landing URI object you click "change" on the /ecp URI, go to advanced mode, and change from == to starts_with so that it will capture anything starting with /ecp.
    when ACCESS_ACL_ALLOWED {
        if { [HTTP::uri] starts_with "/ecp" } {
            if { [ACCESS::session data get session.custom.mfa] != 1 } {
                ACCESS::session remove
                ACCESS::respond 301 Location "[HTTP::uri]"
            }
        }
    }
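A fuller variant of the same ACCESS_ACL_ALLOWED approach, added here as an illustration and not taken from the answer above: it matches on the lower-cased path only (so a query string cannot affect the prefix check), logs each forced re-authentication for audit, and uses a 302 so browsers do not cache the redirect. It assumes the same session.custom.mfa variable is set to 1 by the variable-assign object after the MFA SAML branch; if that step is missing, users on /ecp will loop back to the IdP.

```tcl
# Added example: step-up enforcement for /ecp on ACCESS_ACL_ALLOWED.
# Assumes the access policy sets session.custom.mfa to 1 after a
# successful MFA SAML authentication (VPE variable-assign object).
when ACCESS_ACL_ALLOWED {
    # HTTP::path excludes the query string; lower-case it so "/ECP" is
    # treated the same as "/ecp".
    set path [string tolower [HTTP::path]]

    if { $path starts_with "/ecp" } {
        # Empty (variable never set) and any value other than "1" both
        # count as "MFA not performed".
        set mfa [ACCESS::session data get "session.custom.mfa"]

        if { $mfa ne "1" } {
            # Audit trail: who was sent back for stronger authentication.
            set user [ACCESS::session data get "session.logon.last.username"]
            log local0.info "ecp step-up: user=$user sid=[ACCESS::session sid] client=[IP::client_addr] uri=[HTTP::uri]"

            # Drop the password-only session, then replay the original
            # request so APM starts a fresh access policy and the Landing
            # URI check routes /ecp to the MFA branch.
            ACCESS::session remove
            ACCESS::respond 302 Location "[HTTP::uri]"
        }
    }
}
```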