Senior SSO Implementation Engineer

Senior SSO Implementation Engineer (8–10+ years)

You will own end-to-end SSO implementations and federation architecture for large, complex customers — from discovery and design to delivery, automation, and operational handover. You’ll act as the technical lead for SSO/IAM projects, collaborate with solution architects and product teams, and drive best practices across security, scalability, and reliability.

Key responsibilities

• Architect, lead and deliver enterprise SSO/federation projects using SAML, OAuth2, OpenID Connect, WS-Federation and SCIM.
• Design integration patterns for cloud (SaaS) apps, legacy on-prem apps, microservices and APIs.
• Implement and configure IdPs/SPs (Okta, Azure AD, Ping, ForgeRock, Keycloak, OneLogin, etc.) and customize integrations when needed.
• Lead complex migrations (legacy SSO → modern OIDC/OAuth or cloud IdP migrations) with zero/low downtime.
• Build reusable templates, automation, and runbooks for onboarding apps (SAML metadata, certificate rotation, attribute mapping, SCIM provisioning).
• Integrate SSO with API gateways, reverse proxies and WAFs (NGINX, HAProxy, Apigee, Kong, AWS API Gateway).
• Implement authentication/authorization flows for web, mobile and APIs, including OAuth2 grant types, JWT validation, token lifecycles and refresh strategies.
• Own certificate and PKI lifecycle management for SSO components.
• Develop automation (Terraform, Ansible, CloudFormation) for IaC, deployment pipelines, and environment provisioning.
• Troubleshoot complex auth failures, perform root cause analysis, and implement fixes; provide L2/L3 handover with documentation.
• Define security standards (token encryption, key rotation, session management), run threat/risk assessments and ensure compliance (SOC2, ISO27001, GDPR where applicable).
• Mentor junior engineers, run knowledge sessions, and perform code/config reviews.
• Engage with customers and presales for scoping, estimates, and technical proposals.

Must-have technical skills & experience

• 8–10+ years in IAM/SSO/Authentication engineering with multiple full lifecycle SSO projects.
• Deep, hands-on experience with SAML 2.0, OAuth2, OpenID Connect, WS-Federation and SCIM.
• Proven experience implementing/configuring major IdPs: Okta, Azure AD, Ping, ForgeRock, Keycloak, OneLogin (any 2+ in depth).
• Strong experience integrating SSO with SaaS (Office365, Salesforce, Google Workspace), custom web apps (.NET/Java/Node), and mobile apps.
• Solid programming/scripting skills: Python, PowerShell, Java, C#, or Node.js — used for automation or custom adapters.
• Automation & IaC: Terraform, Powershell, Ansible, CloudFormation (production use).
• Cloud: architecture & implementation experience on AWS, Azure or GCP (at least one).
• Web/API security fundamentals: JWT, JWKs, OAuth token flows, CSRF, cookie/session security, TLS, cert management.
• Directory services and provisioning: Active Directory, LDAP.
• Debugging and observability: logs/traces with Splunk/ELK, metrics with Prometheus/Grafana.
• CI/CD: Jenkins, GitLab CI, or GitHub Actions.
• Experience with containers and orchestration: Docker, Kubernetes (deploying IdP or gateway components).
• Strong stakeholder management, client-facing skills, and ability to lead technical discussions.

Nice-to-have / Preferred

• Hands-on with identity governance (SailPoint, Saviynt) or entitlement management.
• Experience with API gateways (Apigee, Kong) and service mesh patterns.
• Familiarity with PKI solutions and HSMs for key management.
• Certifications: CISSP, CCSP, Okta Certified, Azure AD/Microsoft Identity certifications, ForgeRock or Ping certs.
• Prior exposure to compliance audits (SOC2/ISO) and security assessment tools (Burp Suite, Nessus).

Job Type: Full-time

Benefits:

• Commuter assistance
• Leave encashment
• Paid sick time
• Paid time off

Experience:

• IAM: 5 years (Required)
• SSO: 5 years (Required)

Shift availability:

• Night Shift (Preferred)

Work Location: In person