IAM Operations Consultant (Ping Identity & SailPoint)
Role: IAM Operations Consultant (Ping Identity & SailPoint)
Location: Plano, TX
Type: Full time

Role Summary:

Key Responsibilities:

Service Operations:
- Own day-to-day operations for Ping Identity and SailPoint platforms, ensuring availability, performance, and security SLAs.
- Proactively monitor platform health, perform routine checks, capacity planning, backups, and schedule/execute maintenance, patching, and upgrades.
- Triage and resolve incidents, service requests, and problems; lead root cause analysis and implement permanent fixes.
- Execute changes via CAB with clear runbooks, rollback plans, impact/risk assessments, and post-implementation reviews.
- Maintain accurate runbooks, SOPs, diagrams, and operational documentation aligned to audit standards.

Ping Identity (SSO, MFA, Federation):
- Administer PingFederate, PingAccess, PingDirectory, and PingID/PingOne (as applicable).
- Onboard and maintain OIDC/SAML integrations: configure IdP/SP connections, manage metadata, certificates, and key rotation.
- Implement and tune MFA, adaptive policies, device trust, and conditional access.
- Manage authentication policies, token lifecycles, attribute mapping, session management, and header-based access.
- Promote configurations across environments; troubleshoot SSO issues end-to-end with application teams.
- Ensure standards alignment and secure integration patterns for SAML 2.0, OIDC, and OAuth 2.0.

SailPoint Identity Governance & Administration:
- Operate SailPoint platforms: IdentityIQ and/or IdentityNow (Identity Security Cloud), including task scheduling, health checks, and upgrades.
- Application onboarding and connector operations (e.g., AD/Entra ID, LDAP, Azure, Workday/SuccessFactors, ServiceNow, SAP, Oracle, databases, SaaS apps).
- Manage identity lifecycle (joiner-mover-leaver), account aggregation, correlation, transforms/mappings, roles/access profiles, and policies.
- Administer and support access request workflows, approval policies, birthright/access modeling, and role mining (as applicable).
- Run access certification campaigns (setup, scheduling, execution, attestation evidence, remediation tracking).
- Maintain and tune provisioning policies, entitlements, SoD policies/violations, and exception handling.
- Troubleshoot provisioning and aggregation failures, queue backlogs, connector errors, rules, and workflow issues.
- Develop and support SailPoint rules/workflows and automation:
  - IdentityIQ: BeanShell/Java rules, lifecycle manager workflows, task definitions, plugin/config promotion.
  - IdentityNow: sources, transforms, rules, lifecycle events, connectors, sp-config export/import, REST APIs.
- Perform data quality checks, identity refreshes, cleanup jobs, and optimize performance and indexing.

Security, Compliance, and Governance:
- Enforce least privilege, SoD, and Zero Trust-aligned controls across SSO and IGA.
- Integrate logs with SIEM for monitoring, alerting, and anomaly detection; define operational thresholds and playbooks.
- Support audits (SOX/PCI/ISO/other): produce evidence, enable control testing, and remediate findings.
- Manage certificate, key, and secret lifecycles and ensure secure configuration baselines.

Automation and Continuous Improvement:
- Automate routine tasks (app onboarding, cert renewals, config backups, campaign setups, rotation checks) using platform APIs and scripts.
- Implement configuration-as-code and environment promotion where supported (Ping and SailPoint).
- Define operational KPIs, measure performance, and drive improvements to reduce toil and improve reliability.
- Partner with engineering/architecture to deliver enhancements without operational risk.

Stakeholder Management:
- Collaborate with application owners, security, infra, HRIS, and compliance teams to plan changes and onboard services.
- Provide consultative guidance on integration patterns, controls, and IAM best practices.
- Communicate incident status, risks, and service health to both technical and non-technical stakeholders.

Required Qualifications:
- 5–8 years in IAM operations/engineering with production ownership.
- 3+ years administering Ping Identity (PingFederate, PingAccess, PingDirectory, PingID/PingOne).
- 3+ years operating SailPoint (IdentityIQ and/or IdentityNow) in enterprise environments.
- Strong grasp of SAML 2.0, OIDC, OAuth 2.0, JWT, token policies, and certificate management.
- Experience with identity lifecycle, provisioning, access requests, and certification campaigns.
- Windows/Linux administration, networking (DNS, TLS, proxies, load balancers), and directory services (AD/LDAP).
- Scripting and APIs: PowerShell and either Python or Java; experience with REST/JSON. For IdentityIQ, BeanShell/Java; for IdentityNow, transforms and rules.
- Experience with ITSM (e.g., ServiceNow), SIEM (e.g., Splunk), and monitoring (e.g., Datadog, Prometheus).
- Solid understanding of ITIL processes and enterprise security practices.

Preferred Qualifications:
- Ping Identity certifications (PingFederate, PingAccess) and SailPoint certifications (IdentityIQ/IdentityNow).
- Experience with SailPoint sp-config, plugin management (IIQ), connector tuning, and performance optimization.
- Knowledge of Azure AD/Entra ID, AWS IAM, GCP IAM; SCIM provisioning and JIT patterns.
- Exposure to CI/CD for IAM configs, Git-based versioning, and pipeline-driven deployments.
- Familiarity with compliance frameworks (SOX, PCI-DSS, ISO 27001) and evidence management.
- Experience integrating HR sources (Workday/SuccessFactors) and ERP apps (SAP/Oracle).

Key Technologies:
- Ping Identity: PingFederate, PingAccess, PingDirectory, PingID/PingOne, certificates/keystores.
- SailPoint: IdentityIQ, IdentityNow (Identity Security Cloud), rules/workflows, connectors, transforms, sp-config, REST APIs.
- Supporting: Active Directory/LDAP/Entra ID, HRIS (Workday/SuccessFactors), ServiceNow, SIEM, reverse proxies/load balancers, Git, scripting tools.