With help from an F5 engineer, I was able to get this working as I needed. The base of the iRule that I ended up using to get my situation solved is below. This is essentially what the F5 engineer sent along:
when HTTP_REQUEST {
    # store the host header and URI for the initial /start_policy redirect
    set host [HTTP::host]
    set uri [HTTP::uri]
    if { ( [HTTP::cookie exists MRHSession] ) or ( [HTTP::uri] starts_with "/start_policy" ) } {
        # initial redirect to /start_policy (starts access policy evaluation) - or a normal post-policy request
        set apm_req 1
        return
    } else {
        # APM session disabled until the logon process is started
        ACCESS::disable
        set apm_req 0
        return
    }
}
when ACCESS_SESSION_STARTED {
    # store the initial (redirect) URI and host until they are needed
    # "/start_policy=" is 14 characters, so findstr returns everything after it
    ACCESS::session data set session.cms.starturi [findstr [HTTP::uri] "/start_policy=" 14]
    ACCESS::session data set session.cms.starthost [HTTP::host]
}
when ACCESS_POLICY_COMPLETED {
    log local0. "host was [ACCESS::session data get session.cms.starthost]"
    log local0. "uri was [ACCESS::session data get session.cms.starturi]"
    # send the user back to where they were originally going
    ACCESS::respond 301 Location "https://[ACCESS::session data get session.cms.starthost][ACCESS::session data get session.cms.starturi]"
}
when HTTP_RESPONSE {
    log local0. "apm_req was $apm_req"
    # capture the backend's 401 on a request APM did not handle
    if { ([HTTP::status] eq "401") and ($apm_req eq 0) } {
        # initiate access policy processing
        log local0. "apm_req was $apm_req so redirecting"
        HTTP::respond 302 Location "https://${host}/start_policy=$uri"
    }
}
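To make the round trip easier to reason about away from a BIG-IP, here is an added plain-Python model of the four events in the iRule above. It is not F5 code and not the engineer's iRule; it only mirrors the decisions the iRule makes (the MRHSession cookie check, the /start_policy= marker, the 401 capture, and the stored start host and URI), and walks one unauthenticated request through them to confirm the original URI, query string included, survives the redirect through the access policy. The backend's 401 behaviour and the hostnames and paths used are constructed for the example.

```python
# Added illustration (not F5's code): a plain-Python model of the iRule flow.
# The cookie name MRHSession and the /start_policy= marker come from the iRule
# above; the backend's 401 behaviour and all hostnames/paths are constructed.

START_MARKER = "/start_policy="


def findstr(text: str, marker: str, skip: int) -> str:
    """Model of iRule findstr with a skip count and no terminator: everything
    after the first occurrence of marker, starting skip characters into it."""
    idx = text.find(marker)
    return "" if idx < 0 else text[idx + skip:]


def handle_request(host: str, uri: str, cookies: dict) -> dict:
    """HTTP_REQUEST: decide whether APM should see this request.

    Returns the per-request state the iRule keeps in Tcl variables."""
    if "MRHSession" in cookies or uri.startswith("/start_policy"):
        # the /start_policy redirect, or a request that already carries a session
        return {"host": host, "uri": uri, "apm_req": 1, "access_disabled": False}
    # no session yet: ACCESS::disable and let the request reach the backend
    return {"host": host, "uri": uri, "apm_req": 0, "access_disabled": True}


def session_started(session: dict, host: str, uri: str) -> None:
    """ACCESS_SESSION_STARTED: stash where the user was originally going."""
    session["session.cms.starturi"] = findstr(uri, START_MARKER, len(START_MARKER))
    session["session.cms.starthost"] = host


def policy_completed(session: dict) -> tuple:
    """ACCESS_POLICY_COMPLETED: send the user back to the stored location."""
    return (301, "https://%s%s" % (session["session.cms.starthost"],
                                   session["session.cms.starturi"]))


def handle_response(status: int, state: dict):
    """HTTP_RESPONSE: a 401 from the backend on a request APM did not handle
    becomes a 302 that kicks off the access policy; anything else passes."""
    if status == 401 and state["apm_req"] == 0:
        return (302, "https://%s%s%s" % (state["host"], START_MARKER, state["uri"]))
    return None  # backend response passes through unchanged


def round_trip(host: str, uri: str) -> str:
    """Walk one unauthenticated browser request through the whole flow and
    return the final Location the user is sent to after the policy completes.
    The backend is assumed to answer the first request with 401."""
    state = handle_request(host, uri, cookies={})
    redirect = handle_response(401, state)
    assert redirect is not None and redirect[0] == 302
    # the browser follows the 302 to /start_policy=<uri>, still without a cookie
    location = redirect[1]
    assert location.startswith("https://" + host)
    start_uri = location[len("https://" + host):]
    state2 = handle_request(host, start_uri, cookies={})
    assert state2["apm_req"] == 1 and not state2["access_disabled"]
    session = {}  # models ACCESS::session data for the new APM session
    session_started(session, host, start_uri)
    return policy_completed(session)[1]


if __name__ == "__main__":
    print(round_trip("app.example.test", "/reports/view?id=42&sort=desc"))
```

The model shows why the iRule needs the apm_req flag: a 401 on a request that already has an MRHSession cookie (or is itself the /start_policy request) is passed through rather than turned into another redirect, which is what stops the flow from looping.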