Thank you for the update.
I changed your iRule to remove the host and scheme from the redirect.
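when HTTP_REQUEST {
    # Remember the original request URI (path and query only, no scheme or
    # host) so HTTP_RESPONSE can append it to /start_policy= if the backend
    # answers 401.
    set uri [HTTP::uri]

    if { [HTTP::cookie exists MRHSession] or ($uri starts_with "/start_policy") } {
        # Either the initial redirect to /start_policy (starts access policy
        # evaluation) or a normal post-policy request: APM stays enabled.
        # Only the presence of the MRHSession cookie is tested here; whether
        # it names a valid session is not checked in this handler.
        set apm_req 1
    } else {
        # APM session disabled until the logon process is started.
        ACCESS::disable
        set apm_req 0
    }
}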
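when ACCESS_SESSION_STARTED {
    # Store the initial (redirect) URI until it is needed: everything that
    # follows "/start_policy=" in the request URI (the 14 skipped characters
    # are the length of that marker).
    # The value comes straight from the client's request line, so it must be
    # treated as untrusted wherever it is later used as a redirect target.
    ACCESS::session data set session.cms.starturi [findstr [HTTP::uri] "/start_policy=" 14]
}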
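when ACCESS_POLICY_COMPLETED {
    # Send the client back to the URI captured in ACCESS_SESSION_STARTED.
    set start_uri [ACCESS::session data get session.cms.starturi]

    # The stored value was taken from the request URI, so a crafted
    # /start_policy=... link could otherwise turn this into an open redirect.
    # Accept only a local path: it must begin with a single "/" ("//host" and
    # "/\host" are read as another host by browsers) and hold no control
    # characters. An empty or rejected value falls back to the site root.
    if { !([string match "/*" $start_uri])
         || [string match "//*" $start_uri]
         || [string match {/\\*} $start_uri]
         || [regexp {[[:cntrl:]]} $start_uri] } {
        # The rejected value is deliberately not written to the log.
        log local0. "post-logon redirect target rejected, using / instead"
        set start_uri "/"
    }

    log local0. "uri was $start_uri"
    # NOTE(review): 301 is a permanent redirect that clients may cache;
    # confirm a temporary redirect is not the better fit for a per-session
    # target. This handler also responds without looking at the policy
    # result - confirm that is intended for denied sessions.
    ACCESS::respond 301 Location $start_uri
}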
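when HTTP_RESPONSE {
    # apm_req and uri are set per request in HTTP_REQUEST.
    log local0. "apm_req was $apm_req"

    # Capture the backend's request to authenticate: a 401 answer to a
    # request that bypassed APM (apm_req is 0).
    if { ([HTTP::status] eq "401") and ($apm_req eq 0) } {
        # Initiate access policy processing by redirecting to /start_policy,
        # carrying the original request URI so it can be restored after logon.
        log local0. "apm_req was $apm_req so redirecting"
        HTTP::respond 302 Location "/start_policy=$uri"
    }
}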