
Memority MFA Account Policies

Definition

“MFA” stands for “Multi-Factor Authentication”.

Memority MFA Account Policies (also referred to as MyMFA policies) define how MFA is applied to the user population.

An identity can only enroll in and authenticate with MFA if it is in the scope of at least one MyMFA policy.

Configuration

You can access the Memority MFA Account Policy configuration:

  • by clicking on "Policies" → "Memority MFA Account Policies"

  • by clicking on "System" → "Configurations" → "Data Model" and performing an import/export.

Properties - Information

id (String)
  The unique identifier of the Memority MFA Account Policy. It is case sensitive, and no special characters other than - or _ are allowed.
  Values: -

name (String)
  The Memority MFA Account Policy name.
  Values: -

active (Boolean)
  Whether the Memority MFA Account Policy is activated or not.
  Values: ON, OFF

description (String)
  Describes the purpose of the policy.
  Values: -

Properties - Assignment

priority (Integer)
  The priority of this policy when resolving which policy to apply to an identity; the lowest value has the highest precedence. If an identity is in the scope of several policies, the policy with the highest priority (the lowest value) is applied.
  Values: 1, 2, 3...

scope
  Defines which identities the policy applies to.
  Values: -

Properties - Configuration

Mandatory elements

serviceId (Integer)
  A technical identifier provided by the cloud platform infrastructure to target a specific MFA service.
  Values: -

imServiceAlias (String)
  A string correlated to the IM service id, used during enrollment to identify the service.
  Values: -

ssoServiceAlias (String)
  A string correlated to the SSO service id, used during enrollment to identify the service.
  Values: -

mobileServiceAlias (String)
  A string correlated to the mobile service id, used during enrollment to identify the service.
  Values: -

Customization elements

profileName (String)
  A template string supporting variable substitution, used to customize the display name of the MFA profile as seen by the user.
  Ex: "My profile - {object__firstName}"
  Values: -

loginAttribute (String)
  A valid attribute definition id. When a mobile enrollment QR code is generated, it contains:
    • the MFA activation code
    • the tenant id
    • the "login" of the user
  This "login" value is read from the identity attribute specified by this property.
  Default: login

enrollmentDelay (String)
  Validity duration of an enrollment link sent by mail, written as an ISO 8601 duration.
  Ex: "P5D" (valid for 5 days)
  Default: P5D
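The enrollmentDelay value is an ISO 8601 duration, and the stdlib has no parser for that format. The following is an added example (not part of the Memority product) showing how such a value can be parsed and how an enrollment link would be checked against it; the link_is_valid function, its timestamps and the rejection of year/month designators and zero-length durations are choices of this example, not documented product behaviour.

```python
import re
from datetime import datetime, timedelta, timezone

# Added example, not Memority code: a parser for the ISO 8601 duration format
# that enrollmentDelay expects, plus the validity check an enrollment link is
# subjected to. Year and month designators are rejected on purpose: they have
# no fixed length, so a link lifetime written with them would be ambiguous.
_DURATION_RE = re.compile(
    r"^P(?:(?P<weeks>\d+)W"
    r"|(?:(?P<days>\d+)D)?"
    r"(?:T(?:(?P<hours>\d+)H)?(?:(?P<minutes>\d+)M)?(?:(?P<seconds>\d+)S)?)?)$"
)


def parse_duration(text: str) -> timedelta:
    """Convert "P5D", "PT12H", "P1DT6H30M" or "P2W" into a timedelta."""
    m = _DURATION_RE.match(text.strip())
    if m is None or not any(m.groupdict().values()):
        raise ValueError(f"unsupported ISO 8601 duration: {text!r}")
    parts = {name: int(value) for name, value in m.groupdict().items() if value is not None}
    duration = timedelta(**parts)
    if duration <= timedelta(0):
        # A zero-length validity would expire every link the moment it is sent.
        raise ValueError(f"enrollment delay must be positive: {text!r}")
    return duration


def link_is_valid(sent_at: datetime, now: datetime, enrollment_delay: str = "P5D") -> bool:
    """A link is usable from the moment it is sent until sent_at + enrollmentDelay (exclusive)."""
    if sent_at.tzinfo is None or now.tzinfo is None:
        raise ValueError("use timezone-aware timestamps when comparing link validity")
    return sent_at <= now < sent_at + parse_duration(enrollment_delay)


if __name__ == "__main__":
    # Constructed timestamps for the demonstration.
    sent = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    for when in (sent + timedelta(days=4, hours=23), sent + timedelta(days=5)):
        print(when.isoformat(), "valid" if link_is_valid(sent, when) else "expired")
```

The expiry comparison is half-open (valid strictly before sent_at + delay) and insists on timezone-aware timestamps, because a naive local time compared with a UTC-sent link silently shifts the window by the UTC offset.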

maxMobiles (Integer)
  The maximum number of mobile enrollments allowed per user.
  Default: 3

maxBrowsers (Integer)
  The maximum number of browser enrollments allowed per user.
  Default: 3

maxStrategy (Enum)
  The action to apply when the maximum number of devices is reached:
    • ERROR: an error is displayed to the user
    • AUTO: the oldest used device is replaced before enrollment
    • AUTO_AFTER: the oldest used device is replaced after enrollment
  Device quotas are always checked upon enrollment confirmation. If the quota is exceeded, the oldest used devices are removed until the quota is met.
  Default: ERROR
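The practical difference between AUTO and AUTO_AFTER is when the eviction happens relative to the enrollment step, which matters if that step can fail. The following added example (not Memority code) models the per-kind quota and the three strategies; the Device/MfaAccount records, the last_used timestamp used to pick the "oldest used" device, and the activate callback that may fail are assumptions of this model, not documented internals.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Added example, not Memority code: a model of the maxMobiles/maxBrowsers
# quota and of the three maxStrategy values. The records below, the
# "last_used" ordering and the activation step are assumptions.


class QuotaExceeded(Exception):
    """maxStrategy=ERROR: the enrollment is refused and the user sees an error."""


@dataclass(order=True)
class Device:
    last_used: datetime      # ordering key: the smallest last_used is the oldest used device
    device_id: str
    kind: str = "mobile"     # "mobile" or "browser"


@dataclass
class MfaAccount:
    login: str
    devices: list = field(default_factory=list)

    def of_kind(self, kind: str) -> list:
        return [d for d in self.devices if d.kind == kind]


def evict_oldest(account: MfaAccount, kind: str, quota: int) -> list:
    """Drop the oldest used devices of `kind` until at most `quota` remain; return their ids."""
    removed = []
    while len(account.of_kind(kind)) > quota:
        oldest = min(account.of_kind(kind))
        account.devices.remove(oldest)
        removed.append(oldest.device_id)
    return removed


def confirm_enrollment(account: MfaAccount, device: Device, *, activate=lambda d: None,
                       max_mobiles: int = 3, max_browsers: int = 3,
                       max_strategy: str = "ERROR") -> list:
    """Quota check performed at enrollment confirmation.

    `activate` stands for the step that validates the activation code and
    raises on failure (an assumption). Returns the ids of evicted devices.
    """
    quota = max_mobiles if device.kind == "mobile" else max_browsers
    if max_strategy == "ERROR":
        if len(account.of_kind(device.kind)) >= quota:
            raise QuotaExceeded(f"{device.kind} quota of {quota} reached for {account.login}")
        activate(device)
        account.devices.append(device)
        return []
    if max_strategy == "AUTO":
        # Make room first: if activation then fails, the evicted device is already gone.
        removed = evict_oldest(account, device.kind, quota - 1)
        activate(device)
        account.devices.append(device)
        return removed
    if max_strategy == "AUTO_AFTER":
        # Enroll first: a failed activation leaves the existing devices untouched.
        activate(device)
        account.devices.append(device)
        return evict_oldest(account, device.kind, quota)
    raise ValueError(f"unknown maxStrategy {max_strategy!r}")


if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed sample data
    acct = MfaAccount("alice", [Device(now - timedelta(days=3), "m1"),
                                Device(now - timedelta(days=1), "m2"),
                                Device(now - timedelta(days=2), "m3")])
    print("AUTO evicted:", confirm_enrollment(acct, Device(now, "m4"), max_strategy="AUTO"))
    print("remaining:", [d.device_id for d in acct.devices])
```

Quotas are tracked per kind, so a full set of mobiles does not block a browser enrollment. Under ERROR the user's existing devices are never touched; under AUTO a failed activation can leave the user with one device fewer than before, which is the case a helpdesk is most likely to see.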

loginGenerationParameters (Object)
  Modifies how the MFA login is generated. The property is not mandatory, but if it is set, all of its sub-properties must be declared, namely:
    • loginTemplate: a template of the form "{object.id}-{random.value}" used to build the login
    • platformPrefix: a prefix applied to all logins
  Default: null
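The two templates on this page, "{object.id}-{random.value}" for loginTemplate and "My profile - {object__firstName}" for profileName, are placeholder strings resolved against the identity. The following is an added example (not Memority code) of a renderer for both, together with the "all sub-properties or none" check on loginGenerationParameters. How Memority resolves a placeholder path is not specified here: this example assumes that "object.id" and "object__firstName" both walk nested keys of a context dict, that "random.value" is a caller-supplied random token, and that unknown sub-properties should be rejected; all of these are assumptions of the example.

```python
import re
import secrets
from typing import Optional

# Added example, not Memority code: renders loginTemplate/platformPrefix and
# the profileName template, and validates loginGenerationParameters. Path
# resolution ("a.b" and "a__b" both address nested dict keys) is an assumption.

PLACEHOLDER = re.compile(r"\{([A-Za-z0-9_.]+)\}")
REQUIRED_SUBPROPERTIES = {"loginTemplate", "platformPrefix"}


def lookup(path: str, context: dict) -> str:
    """Resolve "a.b" or "a__b" against nested dicts; an unknown path is an error, not ""."""
    node = context
    for part in re.split(r"\.|__", path):
        if not isinstance(node, dict) or part not in node:
            raise KeyError(f"unknown placeholder {{{path}}}")
        node = node[part]
    return str(node)


def render(template: str, context: dict) -> str:
    """Substitute every {placeholder} in `template` from `context`."""
    return PLACEHOLDER.sub(lambda m: lookup(m.group(1), context), template)


def validate_login_generation(params: Optional[dict]) -> Optional[dict]:
    """loginGenerationParameters may be null, but if set every sub-property must be present."""
    if params is None:
        return None
    missing = REQUIRED_SUBPROPERTIES - set(params)
    unknown = set(params) - REQUIRED_SUBPROPERTIES   # rejecting extras is this example's choice
    if missing or unknown:
        raise ValueError(
            f"loginGenerationParameters: missing={sorted(missing)} unknown={sorted(unknown)}")
    return params


def generate_login(identity: dict, params: dict, random_value: Optional[str] = None) -> str:
    """Build the MFA login as platformPrefix + rendered loginTemplate."""
    if validate_login_generation(params) is None:
        raise ValueError("no loginGenerationParameters set: nothing to generate")
    context = {
        "object": identity,
        "random": {"value": random_value or secrets.token_hex(4)},  # assumed source of {random.value}
    }
    login = params["platformPrefix"] + render(params["loginTemplate"], context)
    if not login or any(c.isspace() for c in login):
        raise ValueError(f"unusable login {login!r}")
    return login


if __name__ == "__main__":
    identity = {"id": "u123", "firstName": "Ada"}          # constructed sample identity
    params = {"loginTemplate": "{object.id}-{random.value}", "platformPrefix": "acme-"}
    print(generate_login(identity, params))
    print(render("My profile - {object__firstName}", {"object": identity}))
```

Resolving an unknown placeholder raises instead of substituting an empty string: a template typo such as {object.idd} would otherwise silently generate logins that collide on the prefix and random part alone.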

orphanStrategy (Enum)
  The strategy to adopt when an MFA account was deleted without using the Memority delete API.
  When a user account is deleted normally through the Memority portal, the user's authentication status and authentication modes are cleaned up so that they can no longer authenticate with MFA. However, the account may have been deleted directly on the cloud platform, either by mistake or for maintenance reasons. In that case the policy offers two options:
    • WARN: warn the user on the portal but keep the MFA login and authentication mode. The user will likely need to contact an administrator to resolve the issue, or reset their account.
    • CLEANUP: clean up the user, who is then in the same situation as a user who never had an MFA account and must enroll again as a first-time user.
  Values: WARN, CLEANUP

Advanced configuration

These settings are only relevant for compatibility and for exceptional on-premises installations of the solution.

serviceUrl (String)
  The URL of the cloud service performing the MFA enrollment.

uiIframePluginUrl (String)
  The URL of the frontend library (Iframe version).

uiSdkPluginUrl (String)
  The URL of the frontend library (SDK version).

uiSdkDomainUrl (String)
  The URL on which the SDK frontend plugin operates.

memorityAppStoreUrl (String)
  The URL of the Memority mobile application on the Apple App Store.

memorityPlayStoreUrl (String)
  The URL of the Memority mobile application on the Google Play Store.

memorityImageLogo (String)
  The logo image displayed during enrollment for use with the Memority mobile application.

memorityImageLogoType (String)
  The type of the Memority logo image (ex: "PNG").

Additionally, if a custom mobile application is used to handle the MFA subscription, the following settings can be configured:

appStoreUrl (String)
  The URL of the custom mobile application on the Apple App Store.

playStoreUrl (String)
  The URL of the custom mobile application on the Google Play Store.

imageLogo (String)
  The logo image displayed during enrollment for use with the custom mobile application.

imageLogoType (String)
  The type of the custom application logo image (ex: "PNG").

Example

  • MyMFA policy.pdf

  • MyMFA policy.xml

Certificate configuration

After creating a new Memority MFA Account Policy, one Setting must also be configured:

idm.myMFAAccountPolicy.<policy id>.authentication.p12 (BinarySecretWithPassword)
  The Base64-encoded P12 (PKCS#12) file containing the certificate used to access the Memority MFA Account Policy cloud service, together with the passphrase associated with it.

Handling identity migration

When an identity that was in the scope of a Memority MFA Account Policy leaves that scope (because the identity was patched and no longer matches the policy scope), the following happens:

  • The MFA account is deleted, along with all the enrolled devices.

  • A reserved flag "MYMFA_ACCOUNT_MIGRATION" is set on the identity, indicating that it has migrated from its former MFA policy. This flag can be handled, for instance, in a business policy to send a new enrollment link to the user. The flag is cleared upon subsequent patches to the identity.
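The migration behaviour above depends on the policy resolution described under "Properties - Assignment" (inactive policies are ignored; among the policies whose scope contains the identity, the lowest priority value wins). The following added example (not Memority code) models both rules together: a patch re-resolves the policy, a scope exit drops the MFA account and devices and sets MYMFA_ACCOUNT_MIGRATION, the next patch clears it, and a hook shows what a business policy reacting to the flag would do. The Identity/MfaPolicy structures, the scope predicate, the patch function and the refusal to pick between two matching policies of equal priority are assumptions of this model.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Added example, not Memority code. Only the rules come from the page:
# lowest priority value wins among active, matching policies; leaving the
# scope deletes the MFA account and devices and sets the reserved flag,
# which the next patch clears. Everything else here is an assumption.

MIGRATION_FLAG = "MYMFA_ACCOUNT_MIGRATION"


@dataclass
class MfaPolicy:
    id: str
    priority: int                    # 1 has the highest precedence
    scope: Callable[[dict], bool]    # which identities the policy applies to
    active: bool = True


@dataclass
class Identity:
    attrs: dict
    mfa_policy_id: Optional[str] = None
    mfa_login: Optional[str] = None  # None means no MFA account
    mfa_devices: list = field(default_factory=list)
    flags: set = field(default_factory=set)


def resolve_policy(identity: Identity, policies: list) -> Optional[MfaPolicy]:
    """Active policy with the lowest priority value whose scope matches, or None."""
    matching = [p for p in policies if p.active and p.scope(identity.attrs)]
    if not matching:
        return None
    best = min(matching, key=lambda p: p.priority)
    ties = [p.id for p in matching if p.priority == best.priority]
    if len(ties) > 1:
        # Overlapping scopes at the same priority make the result order-dependent;
        # this example refuses to guess (an assumption: the page does not say).
        raise ValueError(f"ambiguous MFA policy priority {best.priority}: {ties}")
    return best


def patch_identity(identity: Identity, policies: list, changes: dict) -> Identity:
    """Apply attribute changes, then re-evaluate the policy as described above."""
    identity.flags.discard(MIGRATION_FLAG)   # cleared on any subsequent patch
    identity.attrs.update(changes)
    new = resolve_policy(identity, policies)
    new_id = new.id if new else None
    if identity.mfa_policy_id is not None and new_id != identity.mfa_policy_id:
        # The identity left the scope of its former policy.
        identity.mfa_login = None
        identity.mfa_devices.clear()
        identity.flags.add(MIGRATION_FLAG)
    identity.mfa_policy_id = new_id
    return identity


def migration_hook(identity: Identity, send_enrollment_link: Callable[[Identity], None]) -> bool:
    """What a business policy reacting to the flag would do; True if a link was sent."""
    if MIGRATION_FLAG in identity.flags and identity.mfa_policy_id is not None:
        send_enrollment_link(identity)
        return True
    return False


if __name__ == "__main__":
    # Constructed policies and identity for the demonstration.
    policies = [
        MfaPolicy("employees", 2, lambda a: a.get("type") == "employee"),
        MfaPolicy("contractors", 1, lambda a: a.get("type") == "contractor"),
        MfaPolicy("everyone", 3, lambda a: True),
    ]
    alice = Identity({"type": "employee"}, "employees", "acme-u1", ["m1", "m2"])
    patch_identity(alice, policies, {"type": "contractor"})
    print(alice.mfa_policy_id, alice.mfa_login, alice.mfa_devices, alice.flags)
    migration_hook(alice, lambda i: print("enrollment link sent to", i.attrs))
```

Two details worth keeping when adapting this: the flag is cleared before the new policy is computed, so a patch that triggers a second migration still ends with the flag set; and the hook only sends a link when the identity actually landed in a new policy, since an identity that left every scope cannot enroll at all.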
