Identity Fabric Principal

Warsaw, Masovian Voivodeship, Poland
Posted 2 weeks ago
Full-time · Hybrid · Mid-Senior Level

Job Description

  • Define and maintain modern authentication standards for applications and APIs (OAuth2/OIDC/SAML), including reference architectures.
  • Support project teams in implementing and troubleshooting auth flows (Auth Code + PKCE, Device Code, Client Credentials, OBO), including edge cases and production incidents.
  • Review and harden token/session configurations (lifetimes, refresh behaviour, session controls) and advise on mitigations for common auth threats (replay, token theft).
  • Design and standardize claims/attributes strategy (least-privilege claims, normalization across IdPs, group/role overage handling) for scalable integrations.
  • Define API access models and permission strategy (scopes vs roles, delegated vs app permissions) and govern consent patterns (admin/incremental) for least privilege and auditability.
  • Configure and operate federation integrations (IdP/SP), including metadata management, planned rollovers, and resolving common SSO issues.
  • Design risk-based access controls and step-up patterns aligned to application sensitivity, using Conditional Access and appropriate MFA/authentication strength.
  • Deliver Entra ID tenant-level configurations and operational posture improvements (baseline configuration, governance touchpoints, operational practices).
  • Design and guide external identity onboarding patterns (Entra External ID CIAM/B2B/B2C), balancing UX, security controls, and supportability.
  • Build, tune and safely roll out Conditional Access / Identity Protection policies (exclusions, break-glass, staged deployment, monitoring and rollback approach).
  • Implement and operate Entra ID Governance capabilities (access packages, entitlement management, access reviews, lifecycle workflows) in alignment with delivery timelines.
  • Provide application onboarding and integration support (Enterprise Apps, App Registrations, service principals, managed identities), including troubleshooting and configuration reviews.
  • Support hybrid identity dependencies involving AD DS (directory design impacts, group structures, delegation models) and advise on sustainable hybrid patterns.
  • Operate and troubleshoot AD FS where still required, and contribute to modernization roadmaps toward cloud-native federation patterns.
  • Develop and maintain PowerShell automation for identity operations (Graph PowerShell and relevant modules): reporting, bulk changes, baseline checks, and repeatable tasks with robust logging.
  • Provide scripted operational support for AD DS/AD FS (user/group lifecycle tasks, reporting, troubleshooting accelerators) within governance and access boundaries.
  • Participate in SailPoint-based IGA delivery (IdentityIQ/IdentityNow): requirements translation, design validation, and alignment of governance outcomes with Microsoft identity patterns.
  • Implement IGA processes end-to-end (JML, access requests/approvals, certifications/reviews, SoD, role/entitlement modeling) and integrate with delivery/operations.
  • Design and improve provisioning and lifecycle integrations (SCIM, authoritative sources, reconciliation, JIT vs managed provisioning), ensuring clean offboarding and access governance.
  • Bachelor's degree plus 10 years of IT experience.
  • Good knowledge of English equal to B2 according to CEFR levels.
  • Modern auth standards: solid understanding of OAuth 2.0, OpenID Connect and SAML, including typical enterprise use cases (apps, APIs, federation).
  • Token & session security: knowledge of token/session lifecycles (issuance, validation, lifetimes, refresh tokens), plus common risks and mitigations.
  • API permissions & consent: understanding and practical application of scopes vs roles, delegated vs application permissions, and admin/incremental consent models.
  • Entra External ID patterns: practical knowledge of CIAM/B2B/B2C onboarding patterns and UX vs security trade-offs.
  • Hybrid identity foundations (AD DS): solid understanding of domains/forests, trusts, OU/GPO, delegation and how AD DS impacts hybrid identity.
  • SailPoint IGA exposure: practical experience with SailPoint IdentityIQ and/or IdentityNow concepts, delivery model and outcomes.
  • Provisioning & lifecycle integrations: experience with SCIM, authoritative sources, reconciliation, and JIT vs managed provisioning trade-offs.
  • GDPR/EUDPR + AI readiness: ability to apply privacy-by-design in IAM (minimisation, purpose, retention, token/claim hygiene, auditability) and extend governance to AI/agent access where required.
  • Flow implementation & troubleshooting: ability to implement and debug Auth Code + PKCE, Device Code, Client Credentials and OBO flows in real applications.
  • Claims & identity context: ability to design claim sets, mapping/normalization across IdPs, least-privilege claims, and handle group/role overage patterns.
  • Federation operations: experience configuring IdP/SP integrations, metadata management, rollover planning, and resolving common SSO failures.
  • Assurance & risk-based access: capability to apply step-up patterns, MFA trust models, phishing-resistant readiness, and Conditional Access alignment to sensitivity.
  • Microsoft Entra ID delivery: hands-on experience with Entra ID tenant configuration, authentication posture, and operational governance.
  • Conditional Access & Identity Protection: experience designing/tuning CA policies, MFA enforcement, risk signals, exclusions/break glass, and safe rollout practices.
  • Entra ID Governance: working capability with access packages, entitlement management, access reviews, and lifecycle workflows in delivery contexts.
  • App integration engineering: strong experience with Enterprise Apps, App Registrations, service principals, managed identities, and integration support.
  • Federation legacy (AD FS): ability to operate/troubleshoot AD FS (claims rules, relying parties) and contribute to modernization planning.
  • PowerShell automation (Entra/M365): ability to automate reporting and bulk ops using Microsoft Graph PowerShell and relevant modules with reliable logging.
  • PowerShell (AD DS/AD FS): capability to script user/group operations and operational reporting/troubleshooting within governance constraints.
  • IGA process delivery: ability to implement JML, access requests/approvals, certifications/reviews, SoD concepts, and role/entitlement
Identity Fabric Principal at ARHS | Renata