Principal Platform Engineer - Authentication

The Platform Engineering team (R&D) builds and operates the foundational infrastructure that powers IFS Cloud. We're organised into platform teams – each led by a technical lead who sets direction and leads a squad of engineers.

The Identity & Access Management domain sits at the heart of IFS's platform. Every IFS product — IFS Cloud, Nexus / IFS.ai, Remote — depends on secure, reliable authentication. We're looking for a Domain Owner for Authentication: a hands-on technical leader who combines deep identity-management expertise with a platform-engineering, automation-first mindset.

This is a Principal-level Architect / Team Lead role. You'll own the Authentication subdomain end-to-end: strategy, architecture, delivery, and team health. You'll partner with the Authorization Domain Owner, your domain's Program Manager, and engineering leadership to drive the IFS-wide consolidation of identity providers — with Curity positioned as the single identity platform replacing Entra ID, Keycloak, and others across IFS.

We care about the quality of your experience, not just the years. A senior engineer with four years of deep, deliberate work on modern identity platforms is more interesting than someone with fifteen years of incidental exposure.

What you'll own

Architecture & Delivery

• Architect and evolve IFS's authentication stack: Curity (strategic IDP for Nexus today, IFS-wide tomorrow), Keycloak (IFS Cloud), and legacy IFSIM.
• Drive the multi-year Curity consolidation — replacing fragmented identity providers across IFS products and internal systems (Thor, time registration, internal tooling) with a single, coherent platform.
• Resolve known technical debt: Curity performance bottlenecks at scale, high-latency integration flows, disaster-recovery gaps, and the long tail of non-production-ready configuration.
• Define and evangelise authentication patterns across Nexus microservices, IFS Cloud, and federated customer identity providers.

Platform Engineering Mindset

• Treat identity infrastructure as a product with self-service, observability, and automation as first-class citizens.
• Replace ticket-driven identity work with declarative, GitOps-style configuration and well-documented platform capabilities.
• Partner with DevOps and SRE to improve monitoring, alerting, and DR posture for auth services deployed across Azure AKS clusters.

Technical Leadership

• Lead and mentor the AuthNCore squad, setting technical direction and raising the engineering bar.
• Own the overall quality of code output from the squad — coding standards, code review culture, test coverage, and engineering craftsmanship are yours to set and uphold.
• Work closely with your domain Program Manager to sequence and schedule delivery, balance project work against technical-debt reduction, and keep commitments realistic.
• Collaborate closely with the Authorization Domain Owner (who also sits in the Identity & Access Management domain) — authentication and authorization must work as one coherent offering.
• Work across product, engineering, security, and compliance to ensure authentication needs are embedded in every application and workflow.
• Champion modern standards (OAuth 2.0 / OIDC, SAML, mTLS, PKCE, JWT), stay ahead of evolving trends, and bring that perspective back into IFS's roadmap.

Strategy & Roadmapping

• Own the Authentication roadmap — aligning it with platform priorities, security goals, and customer requirements.
• Evaluate emerging technologies and vendors where relevant (without being fashion-driven).
• Contribute to broader platform strategy as part of the Identity & Access Management leadership group.

Must-have

• Deep, demonstrable experience with modern identity management — OAuth 2.0, OpenID Connect, SAML, JWT, PKCE, federated identity.
• Hands-on engineering work with one or more identity platforms at scale: Curity, Keycloak, Auth0, Okta, Ping, ForgeRock, or similar.
• Production experience on a major cloud — Azure preferred (AKS, Key Vault, Front Door, Entra ID); AWS/GCP transferable.
• Strong software engineering foundations (Java, Go, or similar server-side languages).
• Experience designing for multi-tenant SaaS: per-tenant isolation, key rotation, blue/green deployment, DR.
• Experience leading and mentoring engineers — either as a tech lead, principal, or hands-on engineering manager.

Nice-to-have

• Experience working in a platform-engineering model (internal developer platform, self-service capabilities).
• Exposure to observability tooling (Prometheus, Grafana, OpenTelemetry, Datadog, Splunk).
• Background in compliance-heavy environments (SOC 2, ISO 27001, FedRAMP).
• Familiarity with event-driven architectures (Kafka, NATS JetStream).
• Contributions to open-source identity projects or published writing / speaking on identity topics.

How you work

• Automation-first. If you find yourself doing the same thing twice, you're looking for how to codify it.
• Pragmatic. You balance ideal architecture with what's deliverable, and you know technical debt is a choice — you make that choice deliberately.
• Collaborative. Identity is a cross-cutting concern; you influence rather than mandate, and you build allies across engineering.
• Clear communicator. You can explain a nuanced security trade-off to a non-technical stakeholder and get them to the right decision.
• Team-focused. You grow the engineers around you. The squad's output is your output.

Why this role

• Genuine platform ownership. You aren't a cog — you own the subdomain and set direction.
• Strategic leverage. Curity consolidation is a multi-year, high-visibility programme. Your work shapes every IFS product.
• A team to build on. The AuthNCore squad has strong engineers and a clear mandate — but has also been through attrition. You'll stabilise it and grow it.
• Modern stack, real scale. Azure AKS, Curity, Kafka/NATS, MongoDB Atlas, OpenTelemetry — serving hundreds of customers across the IFS product suite.

We embrace flexibility and hybrid work opportunities to support diverse needs and lifestyles, while also valuing inclusive workplace experiences. By fostering a sense of community, we drive innovation, strengthen connections, and nurture belonging. Our commitment ensures you can work in a way that suits you best, while also engaging with colleagues to share ideas and build meaningful relationships.