πŸͺͺ Identity & Access Management (IAM)

Hubungan ke Vault

IAM adalah fondasi dari network-security dan endpoint-security. Konsep least privilege dan RBAC di sini terkait erat dengan blueteam-detection-matrix dan purple-team-osi-killchain.

Daftar Isi

  1. Konsep Dasar IAM
  2. Authentication vs Authorization
  3. Faktor Authentication
  4. MFA β€” Multi-Factor Authentication
  5. SSO β€” Single Sign-On
  6. Federated Identity
  7. OAuth 2.0 & OpenID Connect
  8. SAML
  9. LDAP & Active Directory
  10. RBAC β€” Role-Based Access Control
  11. ABAC β€” Attribute-Based Access Control
  12. PAM β€” Privileged Access Management
  13. Zero Trust & IAM
  14. Passwordless Authentication
  15. Session Management
  16. Token-Based Auth
  17. API Authentication
  18. IAM Architecture Patterns
  19. Threats & Mitigations
  20. Compliance & Standards
  21. Tools Comparison
  22. Bottom Line

Konsep Dasar IAM

Identity & Access Management (IAM) β€” framework kebijakan dan teknologi yang memastikan the right people punya akses ke the right resources di the right time dan the right reason.

Tiga pilar IAM:

PilarDeskripsiContoh
IdentificationKlaim identitasUsername, email, UUID
AuthenticationVerifikasi klaimPassword, biometric, OTP
AuthorizationIzin setelah verifikasiRBAC, ACL, policy engine

Tujuan IAM:

  • Least privilege β€” user hanya punya akses minimum yang dibutuhkan
  • Segregation of duties β€” pisahin peran antagonis (admin vs auditor)
  • Auditability β€” setiap akses tercatat
  • Lifecycle management β€” provisioning β†’ review β†’ deprovisioning

Authentication vs Authorization

AspekAuthentication (AuthN)Authorization (AuthZ)
Pertanyaan”Siapa kamu?""Kamu boleh apa?”
MekanismePassword, biometric, OTPRBAC, ABAC, ACL, policy
OutputIdentity token / sessionAccess token / permission set
Contoh ProtocolOIDC, SAML AuthnRequestOAuth 2.0, XACML, AWS IAM Policy
FlowLoginSetelah login, setiap request

Kerangka NIST SP 800-63 β€” membedain AuthN strength level (IAL/AAL/FAL).


Faktor Authentication

Tiga faktor utama (NIST SP 800-63B):

FaktorJenisContoh
Something you knowKnowledgePassword, PIN, security question
Something you havePossessionOTP app, hardware token (YubiKey), SMS, smart card
Something you areInherenceFingerprint, face ID, iris, voice

Faktor tambahan (diusulkan):

  • Somewhere you are (location-based) β€” geolocation, IP range
  • Something you do (behavioral) β€” typing pattern, mouse movement

Autentikasi Multi-Faktor (MFA) β€” mewajibkan dua+ faktor dari kategori berbeda.


MFA β€” Multi-Factor Authentication

Metode MFA

MetodeSecurityConvenienceFaktor
SMS/Phone OTP❌ Lemahβœ… TinggiPossession (rentan SIM swap)
TOTP (Google Auth, Authy)βœ… Kuatβœ… TinggiPossession
Push Notificationβœ… Kuatβœ…βœ… Sangat tinggiPossession
Hardware Token (YubiKey, Titan)βœ…βœ… Sangat kuat⚠️ MediumPossession (phishing-resistant)
FIDO2/WebAuthnβœ…βœ… Sangat kuatβœ…βœ… Sangat tinggiPossession + Inherence
Biometric only⚠️ Mediumβœ…βœ… TinggiInherence
Backup Codes⚠️ Mediumβœ…βœ… TinggiKnowledge

Phishing-Resistant MFA (FIDO2/WebAuthn)

Mekanisme U2F/FIDO2 nggak bisa di-phish karena:

  • Challenge-response dengan origin-bound key pair
  • Private key never leaves device
  • Attestation β€” server verify device manufacturer
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  challenge   β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚  Server   │─────────────>β”‚ Browser  β”‚
β”‚          β”‚<─────────────│          β”‚
β”‚          β”‚  signature +  β”‚  WebAuthnβ”‚
β”‚          β”‚  credentialId β”‚  API     β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜              β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
                                  β”‚
                          β”Œβ”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”
                          β”‚   Authenticator β”‚
                          β”‚   (TPM/Secure   β”‚
                          β”‚   Enclave/Yubi) β”‚
                          β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

Best Practices MFA

  • Wajib MFA untuk: admin, VPN, remote access, API keys
  • Rate-limit MFA attempts β€” prevent brute force 6-digit TOTP
  • Fallback mechanism: recovery codes, backup TOTP
  • Monitor: MFA fatigue attack β€” push spamming sampe user approve
  • Never use SMS as primary MFA β€” NIST deprecating SMS OTP (NIST SP 800-63B)

SSO β€” Single Sign-On

SSO memungkinkan satu kredensial untuk akses ke banyak aplikasi.

Arsitektur SSO

β”Œβ”€β”€β”€β”€β”€β”€β”     Login     β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”    Token     β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚User  │──────────────>β”‚   IdP    │─────────────>β”‚   SP 1   β”‚
β”‚      β”‚<──────────────│ (Keycloakβ”‚<─────────────│          β”‚
β”‚      β”‚   SAML/OIDC   β”‚  Okta/   β”‚  validate    β”‚   SP 2   β”‚
β”‚      β”‚               β”‚  AzureAD)│─────────────>β”‚          β”‚
β””β”€β”€β”€β”€β”€β”€β”˜               β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜    Token     β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

Komponen SSO:

  • IdP (Identity Provider) β€” nyimpen & verifikasi identitas (Keycloak, Okta, Azure AD, Google)
  • SP (Service Provider) β€” aplikasi yang nerima identitas
  • Federation Protocol β€” SAML 2.0, OIDC, WS-Federation

Keuntungan SSO

  • Satu password lebih kuat daripada banyak password lemah
  • Password rotation lebih jarang
  • Centralized user lifecycle β€” disable one account revokes all access
  • MFA applied once at IdP, applies everywhere

Kerugian SSO

  • Single point of failure β€” IdP down = semua aplikasi nggak bisa diakses
  • Lateral movement risk β€” compromised IdP = complete domain compromise
  • Privilege escalation β€” misconfigured attribute mapping bisa kasih akses berlebih

Federated Identity

Federated Identity = IdP yang berbeda organisasi trust satu sama lain (cross-domain SSO).

Federation Trust Models

ModelDeskripsiContoh
Direct FederationDua organisasi punya trust bilateralPartner VPN access
Brokered FederationIdP broker antara banyak SPLogin with Google/GitHub
Hub & SpokeOne central IdP, many SPsEnterprise: Okta β†’ SaaS apps
Mesh FederationBanyak IdP, many-to-many trusteduGAIN (universitas global)

Federation Protocols

  • SAML 2.0 β€” enterprise, government
  • OpenID Connect β€” modern web & mobile
  • WS-Federation β€” legacy .NET apps
  • SCIM (System for Cross-domain Identity Management) β€” user provisioning API

OAuth 2.0 & OpenID Connect

OAuth 2.0

Framework authorization β€” bukan authentication. Delegated access untuk resource owner.

Grant Types:

Grant TypeUse CaseSecurity
Authorization CodeWeb app (server-side)βœ… Secure (+PKCE)
Authorization Code + PKCEMobile/SPAβœ…βœ… Secure
Client CredentialsMachine-to-machineβœ… No user context
Device CodeTV/CLI devices⚠️ Medium
Implicit (deprecated)Legacy SPA❌ Insecure
Resource Owner Password (deprecated)Legacy migration❌ Insecure

OAuth 2.1 β€” menyederhanakan: hanya Authorization Code + PKCE dan Client Credentials.

Flow Authorization Code + PKCE:

β”Œβ”€β”€β”€β”€β”€β”  Auth Request +         β”Œβ”€β”€β”€β”€β”€β”€β”      β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚Clientβ”‚  code_challenge         β”‚  Auth β”‚     β”‚  Resource β”‚
β”‚ SP   │────────────────────────>β”‚Server β”‚      β”‚  Server   β”‚
β”‚      β”‚<────────────────────────│       β”‚      β”‚          β”‚
β”‚      β”‚  Auth Code              β””β”€β”€β”€β”€β”€β”€β”˜      β”‚          β”‚
β”‚      β”‚                                            β”‚
β”‚      β”‚  Auth Code +                              β”‚
β”‚      β”‚  code_verifier                            β”‚
β”‚      │─────────────────────────────────────────>β”‚          β”‚
β”‚      β”‚<─────────────────────────────────────────│          β”‚
β”‚      β”‚  Access + Refresh Token                    β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
β””β”€β”€β”€β”€β”€β”˜

OpenID Connect (OIDC)

Lapisan identity di atas OAuth 2.0. Adds:

ComponentFungsi
ID TokenJWT berisi identity claims (sub, name, email, email_verified)
UserInfo EndpointAPI untuk dapetin profile claims
Discovery/.well-known/openid-configuration β€” semua endpoint di satu URL

OIDC Flows:

  • Authorization Code Flow β€” server-side web apps
  • Implicit Flow (deprecated) β€” legacy SPA
  • Hybrid Flow β€” sebagian claims langsung di auth response
  • CIBA (Client Initiated Backchannel Auth) β€” passwordless push

Best Practices Token

  • Access token: short-lived (15-60 menit)
  • Refresh token: longer-lived, bound to client
  • JWT signing: RS256 (asymmetric) > HS256 (symmetric)
  • JWT validation: verify signature, issuer, audience, expiry, nbf
  • Token binding (DPoP / mTLS) β€” prevent token replay

SAML

Security Assertion Markup Language 2.0 β€” XML-based protocol untuk SSO, dominan di enterprise & government.

SAML Flow (SP-Initiated)

β”Œβ”€β”€β”€β”€β”€β”€β”  Req resource     β”Œβ”€β”€β”€β”€β”€β”€β”    AuthnRequest     β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚User  │─────────────────> β”‚  SP  │────────────────────>β”‚   IdP    β”‚
β”‚      β”‚<──────────────── β”‚      β”‚<────────────────────│          β”‚
β”‚      β”‚  resource         β”‚      β”‚    Assertion/Resp   β”‚          β”‚
β”‚      β”‚                   β””β”€β”€β”€β”€β”€β”€β”˜                     β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

SAML Components

ComponentDeskripsi
AssertionXML statement: Authentication, Attribute, Authorization Decision
Subject<saml:Subject> β†’ NameID (user identifier)
ConditionsNotBefore, NotOnOrAfter, AudienceRestriction
AuthnContextClassRefAuthentication strength (password, MFA, X.509)
SingleLogoutLogout dari semua SP sekaligus

SAML vs OIDC

AspekSAML 2.0OIDC
FormatXMLJSON
TransportHTTP Redirect/POST POST ArtifactHTTP GET/POST, AJAX
TokenXML AssertionJWT
BindingBrowser redirect, SOAP, PAOSREST API
MaturityEnterprise 20+ tahunModern web/mobile (~10 tahun)
ComplexityTinggi (XML parsing, signing)Rendah (JSON, simple)
SessionIdP-initiated logoutRP-initiated + session management
EcosystemLegacy enterprise stacksModern stacks (OAuth ecosystem)

LDAP & Active Directory

LDAP (Lightweight Directory Access Protocol) β€” protocol akses directory service (RFC 4511).

Active Directory β€” Microsoft’s directory service, pakai LDAP + Kerberos + DNS.

LDAP Structure

dn: cn=jars,ou=Users,dc=azharmtq,dc=com
cn: jars
uid: jars
mail: azhar@example.com
objectClass: inetOrgPerson
memberOf: cn=admin,ou=Groups,dc=azharmtq,dc=com

LDAP Operations

OperationFungsiContoh
BindAuthenticationUsername + password
SearchQuery directory(&(objectClass=user)(mail=*))
CompareCheck attribute valuememberOf membership
Add/Modify/DeleteCRUD entriesUser provisioning

Binding dengan AD

Strategi aman LDAP:

  • LDAPS (port 636) β€” wajib, avoid LDAP (389, plaintext)
  • StartTLS β€” upgrade koneksi ke encrypted
  • Service Account dengan limited scope, bukan admin credentials
  • Channel binding + LDAP signing β€” prevent LDAP relay attack

AD Attack Vectors (relevant untuk blue team)

AttackDeskripsiMitigasi
KerberoastingRequest TGS untuk service account, crack offlineComplex service account passwords, Managed Service Accounts (gMSA)
AS-REP RoastingUser tanpa pre-auth Kerberos, crackable hashEnable pre-authentication (default)
Golden TicketForge KRBTGT hash β†’ domain admin foreverFrequent KRBTGT password rotation, monitor event ID 4672/4624
Silver TicketForge TGS untuk serviceLimit service account privileges, monitor Kerberos TGS events
DCSyncReplicate directory via DRSUAPIProtect Replication ACL, monitor event ID 4662
Pass-the-HashUse NTLM hash instead of passwordEnable Credential Guard, disable NTLM where possible
LDAP RelayRelay LDAP auth to escalateLDAP signing + channel binding, SMB signing
ACL AbuseModify ACL (AdminCount, GenericAll)Monitor AD ACL changes (event 5136)

RBAC β€” Role-Based Access Control

NIST SP 800-162 β€” akses berdasarkan peran, bukan per-user.

Komponen RBAC

                 β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
                 β”‚   Roles     β”‚
                 β”‚  admin      β”‚
                 β”‚  developer  β”‚
                 β”‚  auditor    β”‚
                 β”‚  viewer     β”‚
                 β””β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”˜
                        β”‚
    β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
    β”‚                   β”‚                   β”‚
    β–Ό                   β–Ό                   β–Ό
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”       β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”       β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚ Users  β”‚       β”‚ Permissionsβ”‚       β”‚  Sessions     β”‚
β”‚  (User β”‚  has  β”‚  Resources β”‚  can  β”‚  (activated   β”‚
β”‚  Role  β”‚       β”‚  CRUD      β”‚  be   β”‚  role subset) β”‚
β”‚  Mappings)     β”‚  Actions   β”‚       β”‚               β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”˜       β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜       β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

RBAC Models

ModelDeskripsi
Flat RBACUser β†’ Role β†’ Permission (langsung)
Hierarchical RBACRole inheritance (admin inherits viewer)
Constrained RBACSSD (Static Separation of Duty) & DSD (Dynamic)
Session-based RBACRole aktif dipilih per session

Best Practices RBAC

  • Minimal role count β€” jangan bikin role per individual
  • Role naming standard β€” {domain}.{level} β†’ network.admin, logs.viewer
  • Principle of least privilege β€” start with no access
  • Regular access review β€” quarterly recertification
  • Role mining β€” analisis existing permissions buat cluster peran

ABAC β€” Attribute-Based Access Control

NIST SP 800-162 β€” akses berdasarkan attributes (user, resource, environment), bukan role saja.

Attribute Categories

CategoryContoh
Subject Attributesdepartment=security, clearance=top-secret, location=ID
Resource Attributesclassification=confidential, owner=security-team
Action Attributesmethod=DELETE, time=working-hours
Environment Attributesip=192.168.x.x, network=vpn, device=managed

Policy ABAC

Policy: "Allow delete hanya jika"
  subject.department == "admin"
  AND
  resource.classification != "critical"
  AND
  environment.ip in [10.0.0.0/8, 172.16.0.0/12]
  AND
  environment.time between "08:00" and "18:00"

Tool: AWS IAM Policy, OPA/Rego, XACML, Cedar (AWS), Oso.

RBAC vs ABAC

AspekRBACABAC
GranularityCoarse (by role)Fine-grained (by attribute)
ManagementRole explosionPolicy complexity
FlexibilityStatic, need new role per exceptionDynamic, policy-based exceptions
PerformanceFast (simple lookup)Slower (attribute resolution)
AuditClear role assignmentsComplex policy evaluation trace
Best forUniform access patternsFine-grained, context-aware

PAM β€” Privileged Access Management

PAM β€” subset IAM yang fokus pada privileged accounts (admin, root, service accounts).

Privileged Account Types

Account TypeRisikoMitigasi
Local Admin (root/Administrator)Direct system compromiseLocal admin password solution (LAPS)
Domain AdminFull AD compromiseTier 0 admin, jump box only
Service AccountUnmanaged, password never rotatesgMSA/managed service account
Application AccountHardcoded credsSecret vault (HashiCorp Vault)
Emergency AccountBackdoor riskBreak-glass procedure, MFA, monitoring
API TokenLong-lived, token theftShort-lived, scoped, rotate constantly

PAM Architecture

                    β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
                    β”‚    PAM Vault          β”‚
                    β”‚  (CyberArk/Delinea/   β”‚
                    β”‚   HashiCorp Vault)    β”‚
                    β”‚                      β”‚
                    β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”  β”‚
                    β”‚  β”‚ Secre-β”‚ β”‚Sessn β”‚  β”‚
                    β”‚  β”‚ t Storβ”‚ β”‚ Mgmt β”‚  β”‚
                    β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”˜  β”‚
                    β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
                               β”‚
            β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
            β”‚                  β”‚                  β”‚
            β–Ό                  β–Ό                  β–Ό
     β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”       β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”       β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
     β”‚  Session β”‚       β”‚  Admin   β”‚       β”‚  Service β”‚
     β”‚  Record  β”‚       β”‚  Checkoutβ”‚       β”‚  Account β”‚
     β”‚  (video) β”‚       β”‚  (JIT)   β”‚       β”‚  Rotationβ”‚
     β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜       β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜       β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

PAM Best Practices

  • JIT (Just-In-Time) β€” privilege elevation on-demand, selalu expire
  • Session Recording β€” record SSH/RDP/REST session buat audit
  • Password Rotation β€” auto-rotate after checkout
  • Credential Checkout β€” admin harus β€œcheckout” akun, traceable
  • Zero Standing Privileges β€” no permanent privileged access
  • Break Glass β€” emergency account dengan notifikasi + MFA
  • Approval Workflow β€” request β†’ approve (or deny) β†’ grant

Zero Trust & IAM

Prinsip Zero Trust untuk IAM (NIST SP 800-207):

PrinsipImplementasi IAM
Never trust, always verifyAuthN every request, never assume network perimeter
Least privilegeJIT & fine-grained authorization
Assume breachMicro-segmentation, risk-based conditional access
Continuous verificationSession risk scoring β†’ re-auth on anomaly

IAM Arsitektur Zero Trust

β”Œβ”€β”€β”€β”€β”€β”   β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”   β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”   β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚User  │──>β”‚  Policy  │──>β”‚  IdP +   │──>β”‚  Apps     β”‚
β”‚      β”‚   β”‚  Engine  β”‚   β”‚  AuthZ   β”‚   β”‚          β”‚
β””β”€β”€β”€β”€β”€β”˜   β”‚  (PEP)   β”‚   β”‚  (PDP)   β”‚   β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
          β””β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”˜   β””β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”˜
               β”‚               β”‚
               β”‚   β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
               β”‚   β”‚  Context: device posture,  β”‚
               β”‚   β”‚  location, behavior, time, β”‚
               β”‚   β”‚  risk score                β”‚
               β”‚   β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
               β–Ό
          β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
          β”‚ Logs + SIEMβ”‚
          β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

Conditional Access

Policy engine evaluates every auth request against context:

Subject + Device + Location + Behavior + Risk = Access Decision
   β”‚        β”‚        β”‚          β”‚          β”‚
   β”‚        β”‚        β”‚          β”‚          β”‚
   β–Ό        β–Ό        β–Ό          β–Ό          β–Ό
Allow(step-up MFA) | Deny | Block | Require approval

Passwordless Authentication

Passwordless β€” authentication tanpa password statis.

Methods

MethodHow It WorksSecurity Level
Magic LinkEmail dengan one-time login link⚠️ Medium (email compromise)
OTPOne-time password (TOTP/HOTP)βœ… Kuat (possession factor)
Push AuthPhone notification β†’ approveβœ… Kuat (phishing-resistant)
FIDO2/WebAuthnPublic key crypto, bound to deviceβœ…βœ… Sangat kuat
BiometricFingerprint/FaceID on deviceβœ…βœ… Kuat (local validation)
PasskeysFIDO2 credential sync via cloudβœ…βœ… Sangat kuat + convenience

Passkeys (Apple/Google/Microsoft standard)

  • FIDO2 credential sync via iCloud Keychain / Google Password Manager / MS Authenticator
  • Cross-device tetapi origin-bound β€” phishing-resistant
  • Replaces password entirely β€” no server-side secret

Session Management

Session Lifecycle

FaseDeskripsiBest Practice
CreationSession ID generated after AuthNSecure random CSPRNG, HttpOnly, Secure, SameSite
MaintenanceSend session cookie on each requestSliding expiry, refresh before expiry
ValidationServer check session validityValidate IP, user-agent, fingerprint
TerminationLogout / timeout / revokeExplicit logout, idle timeout, absolute timeout

Session Attack Vectors

AttackMitigasi
Session FixationRegenerate session ID after login
Session HijackingHttpOnly + Secure + SameSite cookies, channel binding
CSRFAnti-CSRF token, SameSite=Strict/Lax
Session PredictionCSPRNG-based session IDs, minimum 128-bit
Concurrent SessionLimit concurrent session per user, kill old session on re-auth
Session Timeout BypassEnforce server-side timeout, not just client-side timer

Token-Based Auth

JWT (JSON Web Token) Structure

BASE64(Header) . BASE64(Payload) . Signature

Header:

{ "alg": "RS256", "typ": "JWT", "kid": "key-id-1" }

Payload (claims):

{
  "sub": "user-abc-123",
  "iss": "https://auth.azharmtq.com",
  "aud": "https://api.azharmtq.com",
  "exp": 1767298800,
  "iat": 1767212400,
  "nbf": 1767212400,
  "jti": "unique-token-id",
  "email": "azhar@example.com",
  "roles": ["admin", "network-operator"]
}

JWT Best Practices

PracticeDetail
Use asymmetric signingRS256/ES256 > HS256 (shared secret lebih rentan)
Short expiry15 menit access token, refresh token 7-30 hari
Validate all claimssub, iss, aud, exp, nbf, iat, jti
Token binding (DPoP)Binding token ke client private key β€” prevent replay
RevocationToken blacklist (redis) atau short-lived + refresh rotation
Don’t store secrets in JWTJWT payload is base64 encoded, NOT encrypted by default
JWE for sensitive claimsEncrypted JWT (JWE) jika payload mengandung PII

Refresh Token Rotation

Auth β†’ Access(15m) + Refresh(7d)
  When access expires:
    Exchange Refresh β†’ New Access(15m) + New Refresh(7d) + Old Refresh invalidated
  If refresh stolen & used:
    Both tokens revoked β†’ user must re-auth

API Authentication

API Auth Methods

MethodUse CaseSecurity
API KeyPublic APIs, developer access❌ Low (static, easy to leak)
Bearer Token (JWT)User-context APIβœ… High (short-lived, signed)
OAuth 2.0 Client CredentialsM2M APIβœ… High (scoped, client secret)
mTLSHigh-security internal APIsβœ…βœ… Very high (certificate-based)
HMAC SignatureFinancial APIsβœ…βœ… Tamper-proof (AWS SigV4)
Basic AuthLegacy (never use)❌ Dangerous

API Auth Best Practices

  • Rate limiting per API key/identity β€” prevent abuse
  • API key rotation β€” auto-rotate keys berkala
  • Scope-based tokens β€” read:logs β‰  write:logs
  • Audit logging setiap API auth attempt (success & failure)
  • Block leaked keys β€” monitor GitHub secret scanning

IAM Architecture Patterns

Pattern 1: Centralized IdP

               β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
               β”‚  IdP     β”‚
               β”‚ (Okta/   β”‚
               β”‚  Keycloakβ”‚
               β”‚  AzureAD)β”‚
               β””β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”˜
                    β”‚
     β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
     β”‚              β”‚              β”‚
     β–Ό              β–Ό              β–Ό
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚ App 1    β”‚  β”‚ App 2    β”‚  β”‚ App 3    β”‚
β”‚ (Web)    β”‚  β”‚ (Mobile) β”‚  β”‚ (API)    β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

Cocok untuk: Enterprise dengan banyak aplikasi, SSO requirement.

Pattern 2: API Gateway Auth

User β†’ API Gateway β†’ Auth Service β†’ Token β†’ Gateway β†’ Microservice
          β”‚                                              β”‚
          β”‚  Validate JWT at Gateway (PEP)               β”‚
          β”‚  Forward sub/permissions as header           β”‚
          β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

Cocok untuk: Microservices, zero-trust architecture.

Pattern 3: Decentralized (Self-Contained)

App ──→ Local Policy Engine ──→ DB (local RBAC table)
       ↑
  Each app manages own authz

Cocok untuk: Small-scale, simple role model.

Pattern 4: Externalized (PDP/PEP)

User β†’ [PEP] β†’ PDP (OPA/Cedar/AWS) β†’ [PEP] β†’ Resource
         ↑                               ↑
    Policy Decision Point          Policy Enforcement Point

Threats & Mitigations

IAM Attack Categories

AttackIAM ComponentDampakMitigasi
Credential StuffingAuthNAccount takeoverRate limit, CAPTCHA, MFA, credential monitoring
PhishingAuthNCredential theftFIDO2 (phishing-resistant) MFA, Security Keys
SIM SwapMFA (SMS)MFA bypassDeprecate SMS, use TOTP/Push/FIDO
Token ReplayAuthZ (token)Session hijackDPoP/mTLS token binding, short expiry
Privilege EscalationAuthZ (RBAC/ABAC)Unauthorized accessRegular access review, JIT privilege, tiered admin
IDORAuthZ (API)Access other user’s dataObject-level authorization, not just API-level
MFA FatigueAuthN (push)MFA bypass via user approvalNumber matching, rate-limit push, geo-fencing
Session FixationSession MgmtSession hijackRegenerate session ID on login
OAuth MisconfigurationOAuth/OIDCToken theftPKCE, proper redirect URI validation, state parameter
Token Theft (offline)Token storagePersistent accessSecure storage (Keychain/DPAPI), biometric unlock
Insider ThreatIAM policyData exfiltrationDLP, UEBA, monitoring, least privilege
Backdoor AccountProvisioningUndetected accessPeriodic audit, automated discovery, disable dormant accounts

Compliance & Standards

StandardFokusIAM Requirement
NIST SP 800-63Identity AssuranceAuthentication strength levels (AAL1/2/3)
NIST SP 800-207Zero TrustContinuous verification, micro-segmentation
SOC 2Access ControlAuthentication, authorization, access review
PCI DSS v4.0AuthNMFA for admin access to CDE (Req 8.4)
ISO 27001A.9 Access ControlAccess control policy, user access provisioning
GDPRData PrivacyPseudonymization, access log, right to erasure
HIPAAHealthcare PHIUnique user IDs, automatic logoff, audit controls
SOXFinancial controlsAccess management, SoD (segregation of duties)
FedRAMPUS GovernmentFICAM, PIV/CAC integration, continuous monitoring
EE.UU. ITEIndonesiaPerlindungan data pribadi (PDP Bill), access logging

Tools Comparison

IdP / SSO Solutions

ToolTypeOpen SourceMulti-TenantFIDO2SCIMNotes
KeycloakIdPβœ… (Apache 2.0)βœ…βœ…βœ…Community, feature-rich
OktaIdPβŒβœ…βœ…βœ…Enterprise, expensive
Azure ADIdPβŒβœ…βœ…βœ…Microsoft ecosystem, hybrid AD
Google WorkspaceIdPβŒβœ…βœ…βœ…GWS ecosystem
Auth0IdPβŒβœ…βœ…βœ…Developer-friendly, CIAM
GluuIdPβœ…βœ…βœ…βœ…Open-source, certified
Ping IdentityIdPβŒβœ…βœ…βœ…Enterprise, very mature
AuthentikIdPβœ…βœ…βœ…βœ…Modern, focused on automation

PAM Solutions

ToolTypeOpen SourceSession RecordingJITSecretsNotes
CyberArkPAMβŒβœ…βœ…βœ…Market leader, expensive
Delinea (Thycotic)PAMβŒβœ…βœ…βœ…Mid-range PAM
HashiCorp VaultSecretsβœ… (BSL)βŒβœ…βœ…Secrets-focused, integrate with PAM
TeleportPAMβœ…βœ…βœ…βœ…SSH/k8s/database access
Border0PAMβŒβœ…βœ…βŒZero Trust access
wallixPAMβŒβœ…βœ…βœ…European PAM
ManageEngine PAM360PAMβŒβœ…βœ…βœ…Mid-market

Auth Libraries (Developer)

LibraryProtocolLanguageNotes
OIDC Client (npm)OIDCNode.jsRelying Party library
OAuth2 ProxyOAuth/OIDCGoReverse proxy auth
Spring SecurityOAuth/SAMLJavaFull-stack security
Devise + OmniAuthOAuthRubyRails standard
python-social-authOAuth/SAMLPythonDjango/Flask
oauthlibOAuthPythonLow-level OAuth
PyJWTJWTPythonJWT encode/decode
dexIdPGoKubernetes-native IdP
CasdoorIdPGoModern open-source IdP

Bottom Line

Bottom Line

IAM bukan cuma soal login. Di level minimum, setiap service harus punya:

  1. MFA untuk privileged access β€” phishing-resistant (FIDO2) preferred
  2. Least privilege β€” RBAC atau ABAC, bukan wildcard permission
  3. Short-lived tokens β€” JWT 15m access, refresh rotation
  4. Audit trail β€” every auth attempt logged, SIEM-integrated
  5. Lifecycle automation β€” provisioning β†’ review β†’ deprovision, zero standing privileges

Untuk jarsWAF: IAM relevant pas implementasi admin dashboard, API authentication, dan multi-tenant isolation. PAM techniques (JIT credential, short-lived keys) jadi inspirasi buat API token management di WAF control plane.


Referensi & Lanjutan