IBM Verify


ISVA 10.0.7 - Prevent policy re-execution on resources with query strings

  • 1.  ISVA 10.0.7 - Prevent policy re-execution on resources with query strings

    Posted Thu March 27, 2025 04:15 PM

    I have a policy that's attached to a resource looking for a query string; if it finds it, it executes an InfoMap authentication to do two things: set a session attribute if it's not present, and if it is present, deny the request. This particular action results in the user impersonating another user in a backend application, and the user must only have one impersonation session valid at a time. When the user is done with the session, they exit in a way that unsets that session attribute and lets them start a new one.

    What I'm having an issue with is that on the initial session, the browser flow goes like this:

    • /application?impersonation=true
    • Policy executes here, sets attribute
    • /application?impersonation=true gets 301 to:
    • /application/?impersonation=true
    • Policy executes again, request denied because session attr already exists.

    I've noticed the slash-before-query-redirect is available, but it still does the redirect even if you move the slash to the end, so I'm assuming the same behavior.

    Is there a way to prevent re-execution on the ISVA side? I can request the application owner to add the slash to the request, but I'd rather just deal with it on our end. It's never been an issue until this specific case, but I've gone back and noticed multiple other policies that do this as well, and it's just unnecessary overhead.

    Thanks,

    Brian



    ------------------------------
    Brian Thompson
    ------------------------------