2FA using RSA SecureID tokens


We would like to setup OOD to use 2FA using our RSA Secure ID tokens and we wanted to know what the best approach would be to accomplish this?



Really it comes down to how are you going to configure Apache httpd to do this.

I found these docs which I did not really comprehend, but at a glance there’s some sort of RSA agent running on the same machine that apache can talk to?


Maybe someone else in the community has done this, I’m not sure. You may also want to reach out to RSA and ask them how to integrate RSA Secure ID and a apache httpd web server.

@msgambati-INL what is the initial authentication mechanism being used by your OnDemand instance? I’m assuming that you want 2FA after an initial password based auth?

Hi guys,

Sorry for letting this ticket sit around for so long. We finally had time to get this implemented and the solution was what Jeff offered, plus we implemented RSA for PAM:



Did you get PAM to work out of the box with Open OnDemand? We had to install the mod_authnz_pam package on CentOS 7.7.

Then, we had to configure the httpd24 for this (form our Ansible playbooks):

    - name: configure load apache pam module
        content: |
          LoadModule authnz_pam_module modules/mod_authnz_pam.so
        dest: /opt/rh/httpd24/root/etc/httpd/conf.modules.d/55-authnz_pam.conf
        - restart httpd

    - name: link in apache pam module
        dest: /opt/rh/httpd24/root/usr/lib64/httpd/modules/mod_authnz_pam.so
        src: /usr/lib64/httpd/modules/mod_authnz_pam.so
        state: link

After which we could configure ood_portal.yml

  - 'AuthType Basic'
  - 'AuthName "Enter chariteuser_c or mdcuser_m and your usual password to login."'
  - 'AuthBasicProvider PAM'
  - 'AuthPAMService httpd'
  - 'Require valid-user'
  - 'RequestHeader unset Authorization'

I hope this is (complete and) of help to anyone.

1 Like

HI Manuel (@holtgrewe),

We do not use PAM for our authentication, we use LDAP. This is great information for those who happen to use PAM though. I appreciate the information.