Applies To:
BIG-IP APM
- 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0
Per-Request Policy Subroutine for Additional Authentication
About per-request policy subroutines
A per-request policy subroutine is a collection of actions. What distinguishes a subroutine from other collections of actions (such as macros) is that a subroutine starts a subsession that, for its duration, controls user access to specified resources. Subroutine properties specify not only the resources but also the subsession timeout values and the maximum subsession duration.
About subsessions
A subsession starts when a subroutine runs and continues until reaching the maximum lifetime specified in the subroutine properties, or until the session terminates. A subsession does not count against license limits. A subsession populates subsession variables that are available for the duration of the subsession. Subsession variables and events that occur during a subsession are logged. Multiple subsessions can exist at the same time.
About typical per-request policy subroutine uses
- Request additional authentication from a user after a period of time or before granting access to sensitive resources.
- Revalidate webtop resources using Active Directory credentials.
- Require certificate-based authentication (provided by On-Demand Certificate authentication) when a user goes to a specific URI.
- After SharePoint anonymous access, authenticate a user against Active Directory and do a group lookup.
Additional authentication subroutine example
![](/kb/global/manual_images/MAN-0508-03/ss_per_req_stepup_auth_example.png)
Per-request Policy: Category Lookup and subroutine for authentication
Category Lookup reverse proxy configuration example
![](/kb/global/manual_images/MAN-0508-03/ss_cat_lookup_props_revproxy_example.png)
Category Lookup properties for reverse proxy must specify custom categories
Category Lookup branch configuration example
![](/kb/global/manual_images/MAN-0508-03/ss_prp_stepup_auth_cat_lookup_branch.png)
The branch rule specifies the homedir branch and the homedir custom category
Custom category configuration example
![](/kb/global/manual_images/MAN-0508-03/ss_create_cust_cat_example.png)
Properties for a custom category homedir
Overview: Requiring additional authentication for sensitive resources
Typically, an access policy verifies endpoint security and authenticates a user before starting an access session. If the user requests access to a sensitive resource after the session is established, you can require additional authentication or revalidation of the credentials for that resource by configuring a per-request policy subroutine.