Sr IAM Engineer
Overview

About PHOENIX
PHOENIX Retail, LLC is a retail platform operating the Express and Bonobos brands worldwide.

About Express
Express is a multichannel apparel brand dedicated to a design philosophy rooted in modern, confident and effortless style whether dressing for work, everyday or special occasions. Since its launch in 1980, the brand has embraced a design philosophy rooted in modern, confident and effortless style. Express ensures you look and feel your best, wherever life takes you. The Company operates over 400 retail and outlet stores in the United States and Puerto Rico, the express.com online store and the Express mobile app.

About Bonobos
Our Bonobos menswear brand is known for being a style instigator and offering perfect-fit risks through our innovative retail model and personalized experience. Launched online in 2007 with its signature line of chinos, Bonobos now offers a variety of styles available to order online and to try on at any one of our 50 Guideshop locations and at www.bonobos.com. Our Guideshops are in-real-life stores that deliver one-on-one service and expert fit advice. Don't think traditional retail, Bonobos is something you haven't seen before.

Responsibilities
The Senior Identity & Access Management Engineer will architect, implement, and optimize enterprise-wide identity governance solutions with primary focus on the Okta platform across corporate, multi-tenant, and disaster recovery environments. This role serves as a strategic technical leader working cross-functionally with security, compliance, and application teams to design and execute the IAM roadmap.
The position requires deep expertise in identity lifecycle management, access governance, authentication protocols, and enterprise SSO/MFA implementations supporting complex, large-scale production environments.

Key Responsibilities
- Lead enterprise Okta administration and governance across several integrated applications and services, including Universal Directory, lifecycle management, and advanced authentication policies
- Architect and implement identity federation solutions using SAML 2.0, OAuth 2.0, OIDC, and WS-Federation protocols for SaaS, PaaS, and on-premises applications
- Design and manage Active Directory integration strategies, including Okta AD Agent deployment, directory synchronization, and delegated authentication architectures
- Oversee identity provisioning and deprovisioning workflows using Okta Lifecycle Management, SCIM protocols, and API-driven automation for seamless user lifecycle governance
- Lead SSO implementation projects for new application onboarding, including technical discovery, integration design, testing, and production deployment
- Develop and enforce adaptive MFA policies using Okta Verify, contextual access controls, and risk-based authentication frameworks
- Manage Okta tenant architecture across multiple environments (production, DR, development), ensuring high availability and disaster recovery capabilities
- Collaborate with Security and Compliance teams on identity governance initiatives including access reviews, separation of duties, and privileged access management
- Design and implement API-driven automation using PowerShell, Python, and Okta APIs for identity operations, reporting, and integration workflows
- Lead technical troubleshooting of complex SSO, authentication, and authorization issues across heterogeneous enterprise environments
- Partner with application development teams to integrate modern authentication patterns and zero-trust architecture principles
- Maintain and optimize Azure AD/Entra ID integration with Okta for hybrid identity scenarios
- Develop comprehensive IAM documentation including architecture diagrams, integration guides, runbooks, and knowledge transfer materials
- Provide strategic guidance on identity security best practices, threat mitigation, and compliance requirements (SOX, GDPR, SOC2)

Required Experience & Qualifications
- Education: Bachelor's Degree in Computer Science, Information Security, or equivalent professional experience
- Years of Experience: 7-10+ years in identity and access management with enterprise-scale implementations
- Okta Expertise: Minimum 3-5 years hands-on experience administering the Okta platform including Universal Directory, SSO, MFA, Lifecycle Management, and API Gateway
- Identity Protocols: Strong expertise in SAML, OAuth 2.0, OIDC, LDAP, SCIM, and Kerberos authentication protocols
- Active Directory: 5+ years enterprise AD administration including forest design, group policy, domain trust relationships, and certificate services
- Automation & Scripting: Advanced PowerShell scripting for identity automation; experience with Python, REST APIs, and CI/CD pipelines preferred
- Cloud Identity: Experience with Azure AD/Entra ID, Microsoft 365 identity management, and hybrid identity architectures
- Certifications: Okta Certified Professional or Okta Certified Administrator strongly preferred; additional certifications (CISSP, CISM, Azure certifications) a plus

Critical Skills & Attributes
- Strategic thinking with ability to translate business requirements into scalable IAM architecture solutions
- Proven track record leading complex identity integration projects from conception through production deployment
- Strong understanding of zero-trust security principles and identity-centric security frameworks
- Exceptional problem-solving skills for complex authentication and authorization scenarios
- Experience with ITIL/ITSM frameworks and incident/change management processes
- Excellent documentation skills with ability to create technical architecture diagrams and process workflows
- Strong communication skills to collaborate with diverse technical and non-technical stakeholders
- Ability to mentor junior team members and provide technical leadership
- Flexibility to support off-hours implementations and participate in on-call rotation for critical IAM services
- Experience with identity governance and administration (IGA) platforms a plus

Closing
If you would like to know more about the California Consumer Privacy Act, click here.

An equal opportunity employer, PHOENIX does not discriminate in recruiting, hiring or any other terms and conditions of employment on the basis of any federal, state, or locally protected characteristic. PHOENIX only hires individuals authorized for employment in the United States. PHOENIX is committed to providing reasonable accommodation to individuals with disabilities. If you need an accommodation to search and apply for a job position due to a disability, please call 1-800-964-9793 and say 'Associate Relations' or send an e-mail to AssociateRelations@Express.com and let us know the nature of your request and your contact information.

Notification to Agencies: Please note that PHOENIX does not accept unsolicited resumes or calls from third-party recruiters or employment agencies. In the absence of a signed Master Service Agreement and approval from HR to submit resumes for a specific requisition, PHOENIX will not consider or approve payment to any third parties for hires made.