Senior IAM Engineer

Job Description Sr Identity and Access Management Engineer for American Science Cloud (AmSC) Experience level: Senior Work location: remote Must be eligible for a federal security clearance (US Citizen) Project Overview: American Science Cloud - A Platform for Transformative Science AmSC is a secure, federated, and science-optimized cloud environment that integrates the DOE’s world-leading computing and experimental facilities, data resources, and high-performance networks The AmSC platform enables DOE scientists to create, access, and integrate world-class AI-ready datasets, run scalable model training on leadership-class systems, perform distributed simulations, control instruments, and move data efficiently across sites. The project is a multi-Lab and Public-Private Partnership endeavor, working in tandem with the Models Consortium (ModCon) who will deploy transformative AI models and services to the platform. Key DOE capabilities, such as the Frontier (ORNL), Aurora (ANL), Perlmutter (NERSC, at LBL), Energy Services Network (ESnet, at LBL), and the High Performance Data Facility (HPDF, at JLab) will be directly integrated, allowing multi-site workflows. The Team: As an Identity and Access Management Engineer you will work within the L2 Infrastructure Services group of AmSC to support identity management solution architecture, deployment and administration on our multi-cloud central hub infrastructure. The AmSC identity infrastructure supports teams from many different DOE labs and locations deploying a variety of AI and HPC services both on prem and in cloud environments. Your primary responsibilities will be to design and build an Identity Management platform and federation hub that promote collaboration within the AmSC, enabling researches to seamlessly leverage AmSC infrastructure and services for their projects. You will be one of the first full-time AmSC staff members, and this presents a unique opportunity to build something new and exciting. Major Duties/Responsibilities: Lead the architecture, development and implementation of an Identity and Access Management platform using the Ping suite of productsContribute to workflow design, API development, and collaborate with application developers and owners to establish robust integrationsPlan, execute and document application onboarding of a diverse and growing application setCollaborate with IAM personnel from other organizations to design, build and administer a federation hub, allowing users to access resources at any participating facilityBuild out and enable ABAC, RBAC, least privilege access and other common IAM standardsDeploy, configure and support identity and access management services such as single sign on (SSO), OAuth, MFA, zero trust, etc….Lead incident response, providing advanced troubleshooting and building out of monitoring and alerting systemsDefine and implement define KPIs, processes and drive continuous improvement.Participate in on-call rotation providing 24-hour, 7-day support and off-hours maintenance windows.Coordinate with vendors to resolve hardware and software problems.Deliver AmSC’s mission by aligning behaviors, priorities, and interactions with our core values of Impact, Integrity, Teamwork, Safety, and Service. Promote diversity, equity, inclusion, and accessibility by fostering a respectful workplace – in how we treat one another, work together, and measure success.Basic Qualifications: Bachelor’s Degree in computer science or closely related field and a minimum of 5 years of experience as an Identity and Access Management engineer. An equivalent combination of education and experience may be considered. Preferred Qualifications: Extensive experience in Identity and Access Management supporting SSO, OAuth, MFA, and API developmentExcellent interpersonal/communication skills, and the ability to work as part of a team.Proven track record leading and driving the delivery of large, complex IAM projectsStrong experience with the Ping suite of IAM products, bonus points for Ping Government Identity Cloud experienceExtensive experience with web authentication implementation such as SAML, OAuth, API-token, REST, etc….Experience in directory services and directory structure, specifically using LDAP and/or PingDirectoryExperience implementing RBAC and ABAC in complex enterprise environmentsStrong experience in identity federation design and implementation using standards like OIDC and SAML to manage user identities across disparate systemsExperience with Automation and scripting (Python, etc…) for IAM tasksWorking knowledge of cloud application architecture patterns and a thorough grasp of common products and managed services for at least one Cloud Service Provider (e.g. AWS)Working knowledge of Unix system fundamentals and common network protocols.Solid understanding of cloud computing networking concepts.Ability to proactively identify performance issues, problems, and areas for improvement.Ability to identify requirements and to define, plan, and implement requisite solutions.An understanding of code review and familiarity with tools like GitHub and GitLabExperience using tools such as Nagios, Grafana and Prometheus to monitor systems, metrics, and create dashboards.Special Requirement: This position requires the ability to obtain and maintain a federal public trust clearance from the U.S. government. As such, this position is a Workplace Substance Abuse program (WSAP) testing designed position which requires passing a pre-placement drug test and participation in an ongoing random drug testing program in which employees are subject to being randomly selected for testing. The occupant of this position will also be subject to an ongoing requirement to report to any drug-related arrest or conviction or receipt of a positive drug test result.