Overview
Directories
With Mamori you can access resources using identities defined in
- Mamori's built-in directory
- one or more integrated AD/LDAP directories
- one or more integrated cloud directories (Azure, Okta or Duo)
Any identity from any directory can be multifactored with
- Mamori's built-in multifactor
- integrated 3rd-party multifactor
When Mamori receives a connection, it first authenticates the supplied credentials against the user's directory. Only if that check succeeds does Mamori issue the multifactor challenge configured for that user; a failed directory check never triggers a multifactor request.
Multifactor Support
Mamori's built-in multifactor includes
- mobile push notifications via the Mamori.io mobile application
- time-based one-time passwords (TOTP) entered through a browser-based Mamori authenticator session
Both methods work from standard client tools accessing all resource types (web, SSH, database and IP resources).
User Multifactor Configuration
When a user logs into the Mamori portal and their multifactor is not yet configured, a QR code is displayed. To complete registration the user scans the QR code with the appropriate mobile application (the Mamori app for mobile push, or an authenticator app for TOTP).
Logins from standard tools fail if the user has not configured their multifactor. Every user must log into the Mamori portal at least once to complete this enrolment.
Mobile Push
With mobile push multifactor the user approves or denies each access request in the Mamori mobile application. This is the recommended form of multifactor because it is the easiest for users to work with.
Requirements
Mamori mobile application installed on the user's device
iOS: search the App Store for Mamori 2FA
Android: search Google Play for Mamori
The Mamori server must be able to send and receive HTTPS (TCP port 443) traffic to and from the following Google endpoints, which carry the push notifications (Firebase Cloud Messaging):
fcm.googleapis.com/*
oauth2.googleapis.com/*
accounts.google.com/*
Timed One-Time Passwords
With time-based one-time passwords (TOTP) the user starts a web-based Mamori authenticator session and enters the current one-time code when prompted. This is the recommended form of multifactor when the Mamori server has no internet access, because code verification needs only the shared secret and the current time.
Requirements
Any authenticator app installed on the user's device that can scan a TOTP QR code and generate one-time codes.
No internet access is required on the Mamori server; the server clock must be reasonably accurate (NTP-synchronised), since a skewed clock makes valid codes fail.