Duo, Yubikey, and RSA-AM HTTP Backends
These specialized HTTP backends provide multi‑factor / token validation and strong authentication support layered on top of primary credential checks (username/password, EAP inner methods, etc.). They share core HTTP backend semantics (timeouts, connection pooling, TLS, statistics) but expose service‑specific fields.
| Backend | Purpose | Typical Factor |
|---|---|---|
| `duo` | Duo Security MFA / pre-auth workflows | Push / OTP / Phone |
| `yubikey` | Yubico OTP validation | One-time password token |
| `rsa-am` | RSA Authentication Manager / SecurID | Hardware/software token (PIN+token code) |
1. Duo Backend (duo)
pre_authentication can classify a request (allow / deny / enroll) before primary auth completes.
| Field | Required | Notes |
|---|---|---|
| `url` | Yes | Duo API hostname |
| `username` | Yes | Integration / client key |
| `secret` | Yes | HMAC secret key |
| `pre_authentication` | Recommended | `true` to perform pre-auth triage |
| `timeout` | Yes | Milliseconds per request |
| `connections` | No | Connection pool size |
Example:
```
backends {
    duo "DUO_MFA" {
        url "https://api-12345678.duosecurity.com";
        username "DIXXXXXXXXXXXXXXXXXX";
        secret "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef";
        pre_authentication true;
        timeout 5000;
    }
}
```
2. Yubikey Backend (yubikey)
Validates modhex OTPs against Yubico (or compatible) validation servers.
| Field | Required | Notes |
|---|---|---|
| `url` | Yes | Base URL (`https://api.yubico.com`) |
| `username` | Yes | Client ID |
| `secret` | Yes | API secret key (HMAC) |
| `timeout` | Yes | Milliseconds per request |
| `connections` | No | Pool size |
Example:
```
backends {
    yubikey "YUBIKEY_AUTH" {
        url "https://api.yubico.com";
        username "12345";
        secret "abcdefghijklmnopqrstuvwxyz234567";
        timeout 4000;
    }
}
```
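The `secret` field is the shared HMAC key that makes a validation answer trustworthy. The following is an added example, not code from this product: assuming the backend speaks Yubico's public validation protocol 2.0, it shows the checks a client applies to a response (signature, echoed OTP and nonce, then status). The key, OTP, nonce and response are constructed sample values, and `sample_response` is a hypothetical fixture helper.

```python
import base64, hashlib, hmac

MODHEX = "cbdefghijklnrtuv"  # ModHex alphabet used by Yubico OTPs

def public_id(otp: str) -> str:
    """Token public ID: whatever precedes the final 32 ModHex characters."""
    if not 32 <= len(otp) <= 48 or any(c not in MODHEX for c in otp):
        raise ValueError("not a well-formed ModHex OTP")
    return otp[:-32]

def sign(params: dict, api_key_b64: str) -> str:
    """Base64 HMAC-SHA1 over the k=v pairs, sorted by key and joined with '&'."""
    message = "&".join(f"{k}={params[k]}" for k in sorted(params))
    key = base64.b64decode(api_key_b64)
    digest = hmac.new(key, message.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def verify_response(body: str, otp: str, nonce: str, api_key_b64: str) -> bool:
    """Accept only a correctly signed status=OK answer to this exact request."""
    fields = dict(l.strip().split("=", 1) for l in body.splitlines() if "=" in l)
    received = fields.pop("h", "")
    expected = sign(fields, api_key_b64)
    if not hmac.compare_digest(received.encode(), expected.encode()):
        return False  # unsigned, forged, or modified in transit
    if fields.get("otp") != otp or fields.get("nonce") != nonce:
        return False  # validly signed, but answers a different request
    return fields.get("status") == "OK"

# Constructed sample values (not real credentials or tokens).
SAMPLE_KEY = base64.b64encode(b"constructed-demo-key").decode()
SAMPLE_OTP = "cccccccbdefg" + "hijklnrtuvcbdefghijklnrtuvcbdefg"
SAMPLE_NONCE = "a1b2c3d4e5f60718293a4b5c6d7e8f90"

def sample_response(status: str, nonce: str = SAMPLE_NONCE) -> str:
    """Build a signed response the way a validation server would (fixture)."""
    fields = {"otp": SAMPLE_OTP, "nonce": nonce, "status": status,
              "t": "2024-01-01T00:00:00Z0123", "sl": "100"}
    lines = [f"h={sign(fields, SAMPLE_KEY)}"]
    lines += [f"{k}={v}" for k, v in fields.items()]
    return "\r\n".join(lines) + "\r\n"

if __name__ == "__main__":
    ok = verify_response(sample_response("OK"), SAMPLE_OTP, SAMPLE_NONCE, SAMPLE_KEY)
    print(public_id(SAMPLE_OTP), ok)
```

A response that fails the signature check should be treated as an authentication failure regardless of its `status` line.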
3. RSA Authentication Manager (rsa-am)
Challenge/response token validation with optional multi‑step flow.
| Field | Required | Notes |
|---|---|---|
| `url` | Yes | RSA AM API endpoint |
| `username` | Yes | API user |
| `secret` | Yes | API secret / password |
| `challenge_timeout` | Recommended | Milliseconds allowed for challenge flow |
| `policy` | Optional | Server-side policy name |
| `timeout` | Yes | Base HTTP timeout |
| `connections` | No | Pool size |
Example:
```
backends {
    rsa-am "RSA_AM" {
        url "https://rsa-am.example.com";
        username "api_user";
        secret "SuperSecretPassword";
        challenge_timeout 60000;
        policy "DefaultPolicy";
        timeout 5000;
    }
}
```