Hi Vincent,
If the two VIPs are on the same domain, you could use a cookie to track that the client has successfully authenticated against the auth server and redirect the client to the HTTP VIP. You could then check for that cookie on the HTTP VIP before redirecting the client back to HTTPS. From a security standpoint, you could try encrypting the client User-Agent header value with a timestamp and use that for the cookie. On requests, if the cookie value can be decrypted, the user-agent header from the cookie matches the client's user-agent and the timestamp is newer than some session timeout value, you would consider the auth cookie as valid.
Also, in 9.4+ the four AUTH_ events have been deprecated in favor of a single event, AUTH_RESULT (Click here).
You can get a few examples from the Codeshare for doing auth:
http://devcentral.f5.com/wiki/default.aspx/iRules/ClientAuthUsingHTMLForms.html
http://devcentral.f5.com/wiki/default.aspx/iRules/ClientAuthUsingHttpCookie.html
And you can check the default LDAP auth rule, _sys_auth_ldap.
Aaron
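
The cookie check described in the reply above, as an added example that is not part of the original post and is written in Python rather than as an iRule. It swaps encryption for an HMAC-SHA256 tag over the timestamp and User-Agent, which binds the cookie to the same two values and also detects tampering; the key, timeout and function names are assumptions.

```python
import hashlib
import hmac
import time
from typing import Optional

# Assumption: a secret known to both VIPs; constructed value for this example.
SECRET_KEY = b"constructed-demo-key-replace-me"
SESSION_TIMEOUT = 1800  # seconds; hypothetical session timeout


def _tag(issued_at: int, user_agent: str) -> bytes:
    # The timestamp is digits only, so "|" cannot be confused with UA content.
    msg = f"{issued_at}|{user_agent}".encode("utf-8")
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest().encode("ascii")


def issue_cookie(user_agent: str, now: Optional[int] = None) -> str:
    """Cookie value set by the auth VIP after a successful login."""
    issued_at = int(time.time()) if now is None else now
    return f"{issued_at}.{_tag(issued_at, user_agent).decode('ascii')}"


def check_cookie(value: str, user_agent: str, now: Optional[int] = None) -> bool:
    """Check made on the HTTP VIP before treating the client as authenticated."""
    now = int(time.time()) if now is None else now
    ts_text, sep, tag = value.partition(".")
    # Reject malformed values before doing any arithmetic on them.
    if not sep or not (ts_text.isascii() and ts_text.isdigit()):
        return False
    if len(ts_text) > 12:
        return False
    issued_at = int(ts_text)
    # Recompute the tag from the User-Agent on THIS request, so a cookie
    # replayed from a different client does not verify. Constant-time compare.
    expected = _tag(issued_at, user_agent)
    if not hmac.compare_digest(tag.encode("utf-8"), expected):
        return False
    # Reject expired cookies and cookies dated in the future.
    return 0 <= now - issued_at <= SESSION_TIMEOUT
```

The User-Agent is sent by the client and can be copied along with the cookie, so this binding narrows casual cookie reuse only; the cookie should still be marked HttpOnly and kept short-lived.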