Manual Chapter : Configuring URL branching for step-up authentication

Applies To:

  • BIG-IP APM

    21.0.0, 17.5.1, 17.5.0, 17.1.3, 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.6, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 15.1.10, 15.1.9

back-action Overview: Configuring step-up authentication

Updated Date: 04/30/2026

Configuring URL branching for step-up authentication

Add a URL branching agent to a per-request policy or to a per-request policy subroutine to create simple branching rules based on URLs. You might use URL branching to run different types of step-up authentication for different URLs or to skip step-up authentication altogether for a group of URLs.

  1. Open the per-request policy for editing.

  2. To edit a per-request policy subroutine, expand it.

  3. In the per-request policy or in the per-request policy subroutine, in the branch where you want to add URL branching, click [+].

    The Add Item popup screen opens.

  4. On the Classification tab, select URL Branching and click Add Item.

    The Properties screen opens.

  5. Click the Branch Rules tab.

    The screen displays the default rule, Allow, and the expression, URL contains: domain.com.

  6. If you do not want a rule that matches a URL substring, delete the default rule; (click x).

    The URL Branching agent can be configured to exactly match a URL, or to match a substring or a prefix or a suffix in a URL, or to perform glob pattern matching on a URL.

  7. If you want to replace the value (domain.com) in the default rule:

    Note: You can use AND and OR operators to configure expressions for your rules. For simplicity of illustration, the examples do not include these operators.

    1. Click the change link.

      An additional popup screen opens.

    2. In the URL contains field, delete domain.com, and type the substring that you want to match.

    3. Click Finished.

      The popup screen closes.

    4. If you have no more changes to make, click Save.

  8. To add a rule, click Add Branch Rule.

    1. In the Name field, replace the default name Branch Rule number with a name for the branch.

    2. For Expression: Empty, click the change link.

      A popup screen opens.

    3. Click Add Expression.

      Fields with default values display.

    4. For the Agent Sel field, select or retain URL Branching.

    5. For Condition, select one from the list.

      When you select a condition, a related input field displays.

    6. For Condition Equals in the URL is field, type the URL that you want to exactly match.

    7. For Condition Substring in the URL contains field, type the string that you want to match.

    8. For Condition Prefix Match in the URL begins with field, type the prefix that you want to match.

    9. For Condition Suffix Match in the URL ends with field, type the suffix that you want to match.

    10. For Condition Glob Match in the URL glob pattern field, type the globbing pattern that you want to match.

      URL branching supports these globbing patterns:

      • * Matches any number of characters (none or one or more).
      • ? Matches a single character in these sets: [a-z] or [0-9] or [A-Za-z].
      • [ characters ] Matches one of the specified characters.
      • [^ characters ] Matches any characters except for those specified.
      • [! characters ] Matches any characters except for those specified.

    11. Click Add Expression, then click Finished.

      The popup screen closes; the updated expression displays on the Branch Rules screen.

    12. Click Save.

      The popup screen closes; the visual policy editor displays.

The per-request policy or subroutine includes URL branching.

After the URL branch, you can add step-up authentication if that’s what you are trying to do. In a per-request policy, you can insert a call to a subroutine after a URL branch. Or, in a subroutine, you can insert an authentication agent after a URL branch. Make sure to add the per-session and per-request policies to the virtual server.