Identity Services Engineer
University of Virginia · Charlottesville, VA · 5 mo ago
EngineeringFull-time
Responsibilities
- Design, configure, customize, and support enterprise IAM platforms, including Grouper, Fischer Identity, Shibboleth Identity Provider, and Delinea PAM.
- Implement and maintain group- and attribute-based access models (RBAC, ABAC, PBAC) that support institutional policy, delegated administration, and least-privilege access.
- Serve as a senior technical contributor for Grouper, including attestation workflows, GSH templates, ABAC implementations, and integration patterns.
- Support identity governance and lifecycle processes using Fischer Identity, including integrations with authoritative sources and downstream systems.
- Operate and troubleshoot federated authentication and single sign-on services using SAML, OIDC, and OAuth2, aligned with InCommon trust frameworks.
- Integrate IAM services with LDAP registries, Active Directory, databases, and enterprise applications.
- Support security, compliance, and operations by integrating privileged access management workflows using Delinea.
- Diagnose and resolve complex IAM issues spanning directories, authentication flows, access policies, and application integrations.
- Contribute to secure-by-design IAM architectures that support regulatory and contractual requirements, including FERPA, HIPAA, PCI-DSS, and research data protections.
- Collaborate with application teams, infrastructure groups, and security stakeholders to onboard services and improve access consistency.
- Contribute to testing, change management, and promotion of updates across development, QA, and production environments.
- Maintain clear technical documentation for configurations, customizations, and operational procedures.
- Participate in a shared on-call rotation, supported by strong documentation and team practices.
Qualifications
- Five or more years of professional experience supporting or engineering identity and access management systems.
- Hands-on experience with one or more IAM platforms commonly used in higher education, such as Grouper, Shibboleth, Fischer Identity, or Microsoft Entra ID.
- A strong understanding of IAM concepts, including authentication, authorization, access lifecycle management, and identity governance.
- Experience working with LDAP directories and/or Active Directory in production environments.
- Proficiency with Linux-based systems and the ability to troubleshoot integrated, distributed services.
Preferred Qualifications
- Familiarity with the InCommon Trusted Access Platform (TAP) and community-driven IAM architectures, including meaningful hands-on experience with Grouper and Shibboleth.
- Experience operating federated identity services in a research or academic context.
- Experience integrating IAM platforms with ERP, LMS, research, or administrative systems.
- Exposure to containerized deployments such as Docker Swarm or Kubernetes.
- Experience with CI/CD pipelines or configuration-as-code approaches.
- Experience with privileged access management tools or workflows.
- Identity-related certifications (e.g., IDPro, IMI) or active participation in the higher-education IAM community.