Overview

Directories

With Mamori you can access resources using identities defined in

  • Mamori's built-in directory
  • one or more integrated AD/LDAP directories
  • one or more integrated cloud directories (Azure, Okta or Duo)

Any identity from any directory can be multifactored with

  • Mamori's built-in multifactor
  • integrated 3rd-party multifactor
How does the extended multifactor work?

When Mamori receives a connection, it first validates the connection with the directory. If the connection is valid, then Mamori sends the configured multifactor request for the user.


Multifactor Support

Mamori built-in multifactor includes

  • mobile push notifications via the Mamori.io mobile application
  • push totp via a web browser

Both of these methods work from standard tools accessing all resources types (web, ssh, db and ip resources).

Use push totp when there is no internet access

User Multifactor Configuration

When a user logs into the Mamori portal if their multifactor is not configured, then a QRCode will be displayed. To complete the registration process the user needs to scan the QRCode with the appropriate mobile application.

logins from standard tools will fail if a user has not configured their multifactor. They must login to the Mamori portal at least once to configure it.

Mobile Push

With Mobile push multifactor the user accepts or denies the access request on their Mamori mobile application. This is the recommended form of multifactor as it is easy for users to work with.

Requirements

Mamori mobile application installed on user's device

IOS : search for Mamori 2FA

Android : search for Mamori

Mamori server requires HTTPS (port 443) send and receive from:

fcm.googleapis.com/*

oauth2.googleapis.com/*

accounts.google.com/*

Timed One-Time Passwords

With Timed One-Time Passwords a user starts a web Mamori authenticator session and enters the one-time token when it is requested. This is the recommended form of multifactor when the Mamori server has no internet access.

Requirements

Any Authorization App installed on a user's device that scans one-time password QR codes.

No internet access required

Edit this page on GitHub Updated at Sat, Jul 13, 2024