Choose a workplace that empowers your impact.
Join a global workplace where employees thrive. One that embraces diversity of thought, expertise and experience. A place where you can personalize your employee journey to be — and deliver — your best.
We are a purpose-driven, dynamic and sustainable pension plan. An industry-leading global investor with teams in Toronto, London, New York, Singapore, Sydney and other major cities across North America and Europe. We embody the values of our 640,000 members, placing their best interests at the heart of everything we do.
Join us to accelerate your growth & development, prioritize wellness, build connections, and support the communities where we live and work.
Don’t just work anywhere — come build tomorrow together with us.
Know someone at OMERS or Oxford Properties? Great! If you're referred, have them submit your name through Workday first. Then, watch for a unique link in your email to apply.
We are looking for a Senior Customer Identity & Access Management (CIAM) Engineer to design, implement, and optimize secure, scalable identity solutions that protect our customers and digital assets. You will play a key role in delivering secure and seamless customer experiences across our digital platforms while aligning with regulatory standards and industry best practices. You will collaborate closely with Architecture, DevOps, Cloud, Security, and Compliance teams to enable trust and security at every interaction.
What You’ll Do
Design & implement end-to-end CIAM capabilities, including SSO, MFA, identity lifecycle management, consent management, identity governance, and data privacy.
Serve as the technical lead for CIAM initiatives, guiding platform selection, customization, integration patterns, and reference architectures.
Implement advanced authentication: adaptive/risk-based auth, identity proofing, and federation protocols (SAML 2.0, OIDC, OAuth 2.0).
Engineer and optimize Ping Identity solutions and related ecosystem products (e.g., PingFederate, PingAccess, PingOne, DaVinci).
Define secure user identity journeys and technical requirements in partnership with product, architecture, engineering, and security teams.
Embed identity controls into CI/CD pipelines and support DevSecOps practices across build, test, and release.
Produce detailed architecture documentation—sequence diagrams, data flow diagrams, and threat models—and maintain IAM policies and standards.
Troubleshoot and resolve IAM/CIAM incidents; drive performance tuning, capacity planning, and resilience improvements.
Collaborate with vendors (Ping Identity) and external partners to integrate third‑party systems and manage escalations.
Ensure alignment with regulatory and compliance frameworks (GDPR, CCPA, HIPAA, PCI‑DSS) and privacy-by-design principles.
Mentor developers and engineers on identity best practices, SDK usage, and secure integration patterns.
What You Bring
7+ years in Identity & Access Management with 2+ years focused on CIAM.
Expertise with Ping Identity (required) and experience across its suite (e.g., PingFederate, PingAccess, PingOne, DaVinci).
Hands-on with additional CIAM platforms (e.g., Okta/Auth0, ForgeRock, Azure AD B2C) and federation across heterogeneous environments.
Deep knowledge of standards and protocols: OAuth 2.0, OIDC, SAML 2.0, SCIM, JWT, and modern web security (TLS, cookies, CORS).
Strong understanding of directory services & identity stores: LDAP, Active Directory/Azure AD, and cloud directories.
Integration skills with RESTful APIs and event-driven patterns; proficiency with JSON and secure token handling.
Automation skills: PowerShell and/or Python for provisioning, configuration, monitoring, and operational tasks.
Architecture & resiliency: design, test, and operate highly available/failover CIAM services in hybrid or multi‑cloud environments.
Networking fundamentals: DNS, HTTP/S, reverse proxies, and load balancers; ability to diagnose auth flows end‑to‑end.
Operational excellence: automate monitoring, backups, and recovery procedures (e.g., scripts or Terraform) to support resilience and DR.
Incident leadership: lead diagnostics and RCA documentation for IAM outages; implement long‑term corrective actions.
Collaboration: partner with security, infrastructure, cloud, and compliance teams to align IAM resiliency and risk posture.
Preferred Skills
Broad IAM exposure across enterprise platforms (e.g., SailPoint, CyberArk, ForgeRock, IBM Security Identity Manager).
Privileged Access Management (PAM) awareness and integration (e.g., CyberArk, BeyondTrust).
Identity Governance & Administration (IGA): RBAC/ABAC design, role mining, and access certification campaigns.
Zero Trust Architecture: applying ZTA principles across customer and workforce identity scenarios.
Cloud IAM expertise across AWS, Azure, and GCP for hybrid or multi‑cloud patterns.
API security: OAuth 2.0 for APIs, mTLS, and API gateway integration.
Fraud detection & risk-based authentication: integrating risk scoring engines into CIAM flows.
Infrastructure as Code (IaC): Terraform or Ansible for repeatable IAM deployments.
DevSecOps integration: embedding identity controls in Jenkins, GitHub Actions, or Azure DevOps pipelines.
Advanced automation for IAM operations using Python and/or PowerShell.
Certifications: CISSP, CCSP, and/or vendor certifications (Ping Identity, Okta, ForgeRock).
Exposure to multiple CIAM products (e.g., Okta, Auth0, ForgeRock, Azure AD B2C) and migration/interop strategies.
Why Join Us?
Own impactful CIAM solutions that secure and delight millions of users.
Work with a high‑caliber Architecture, Cloud, and Security organization.
Access to ongoing learning, certifications, and career growth opportunities.
Competitive compensation, benefits, and a culture of innovation.
Equal Opportunity
We are an equal opportunity employer and value diversity. All employment is decided on the basis of qualifications, merit, and business need.
We believe that time together in the office is important for OMERS and Oxford, the strength of our employees, and the work we do for our pension members. In delivering on our pension promise, keeping us connected to our work and each other, our flexible hybrid work guideline requires teams to come in to the office 1+ days per week.
This posting is for an existing vacancy.
The expected salary range for this position is $86,000.00 - $130,000.00 per year.
You may also be eligible to receive an annual Incentive Award pursuant to our Short-term Incentive plan and our Long-Term Incentive plan (if applicable), and to participate in our group benefits and retirement plans – details on these elements of compensation are included within OMERS & Oxford offer letters.
As one of Canada’s largest defined benefit pension plans, our people-first culture is at its best when our workforce reflects the communities where we live and work — and the members we proudly serve.
From hire to retire, we are an equal opportunity employer committed to an inclusive, barrier-free recruitment and selection process that extends all the way through your employee experience. This sense of belonging and connection is cultivated up, down and across our global organization thanks to our vast network of Employee Resource Groups with executive leader sponsorship, our Purpose@Work committee and employee recognition programs.
Note: OMERS uses artificial intelligence tools to assist in the recruitment process.
OMERS Compensation & Benefits Highlights
The following summarizes recurring compensation and benefits themes identified from responses generated by popular LLMs to common candidate questions about OMERS and has not been reviewed or approved by OMERS.
- Retirement Support — Retirement benefits are positioned as a standout part of total rewards, anchored by a defined benefit pension that provides predictable lifetime income and includes survivor, disability, bridge, and inflation-protection features. The plan is often treated as materially more valuable than typical RRSP matching, despite requiring employee contributions.
- Fair & Transparent Compensation — Compensation is frequently characterized as fair or well-paid in certain roles, and the overall package is sometimes framed as “excellent compensation” when pay and benefits are considered together. Pay competitiveness appears strongest in investment-focused groups and in higher-cost markets.
- Wellbeing & Lifestyle Benefits — Non-pension benefits are described as strong in areas like wellness and mental health support, alongside lifestyle allowances and paid-time-off features. These elements add perceived value beyond base salary and bonus.
What We Do
Founded in 1962, OMERS is one of Canada’s largest defined benefit pension plans, with CAD $133.6 billion in net assets as of June 30, 2024. With employees in our offices in Toronto, London, New York, Amsterdam, Luxembourg, Singapore, Sydney and other major cities across North America and Europe, OMERS invests and administers pensions for over half a million active, deferred and retired employees of 1,000 municipalities, school boards, libraries, police and fire departments, and other local agencies in communities across Ontario.