Cory_Blankenshi
Mar 27, 2018

APM, OAM Multi-factor Authentication, iRules, and a Missing Cookie

We are attempting to implement OAM multi-factor authentication for one of our applications that uses APM for SSO. The requirement is that when a user logs in via APM for the first time, they should be prompted for a one-time PIN. Additionally, the user can opt to not be prompted for MFA when logging in, which is achieved by storing a cookie in the client that expires in 90 days.

Initially we found that the MFA cookie wasn't being stored to the client, so I created an iRule to insert the cookie into the response header in the HTTP_RESPONSE_RELEASE event. This works without issue. The problem we are having is that the cookie isn't being sent back to the OAM server, which causes the user to be prompted for MFA every time they log in, despite the MFA cookie still being in their browser.

After much digging, I decided to try adding the cookie to the header in the HTTP_REQUEST_SEND event. I can see the cookie in the header after doing so, but it still doesn't make it back to the OAM server. I heard that APM, by design, holds on to cookies and doesn't send them in requests/responses to and from the client, which explains the issue we are encountering.

Has anyone here ever run into the same problem, or one similar to it? Is there a workaround or viable solution to this issue? I've pushed the limits of what I know how to do with an iRule with no success, and I can't seem to find any documentation or forum posts that could get me on track to fix the problem.

Any help, suggestions, or thoughts would be greatly appreciated.