Staff Software Engineer

Senior Staff Software Engineer – Identity & Access Management Platform

Required Qualifications

• 12+ years of software engineering experience with significant experience building distributed systems, platform services, or security infrastructure.
• Deep expertise in Identity and Access Management (IAM), authentication, authorization, federation, and access governance.
• Strong hands-on experience with OAuth 2.0, OpenID Connect (OIDC), SAML, JWTs, MFA, enterprise SSO, and delegated authorization patterns.
• Demonstrated experience implementing, operating, extending, or integrating enterprise IAM platforms such as Zitadel, Keycloak, Authentik, ForgeRock, Ping Identity, Okta, Auth0, or equivalent solutions.
• Experience building identity platforms by leveraging and extending open-source technologies rather than developing IAM systems entirely from scratch.
• Strong understanding of multi-tenant SaaS architectures, tenant isolation, delegated administration, and B2B/B2B2B identity models.
• Experience designing and implementing RBAC, ABAC, policy-based authorization, entitlement management, and access governance solutions.
• Experience building and operating secure API platforms, service-to-service authentication, and machine identity systems.
• Strong software engineering skills with modern backend technologies, cloud-native architectures, and infrastructure automation.
• Experience designing highly available, scalable, and secure distributed systems.
• Proven track record of leading large cross-functional technical initiatives while remaining deeply hands-on in architecture, implementation, and operational ownership.

Preferred Qualifications

• Direct experience implementing or operating Zitadel or similar in a production environment.
• Experience integrating IAM platforms with enterprise identity providers including Microsoft Entra ID, Okta, Google Workspace, Ping Identity, and Active Directory.
• Experience with policy engines and policy-as-code frameworks such as Open Policy Agent (OPA), Cedar, or similar technologies.
• Experience with machine identity lifecycle management, secrets management, certificate management, and workload identities.
• Experience designing audit, compliance, governance, and entitlement review systems.
• Familiarity with compliance frameworks such as SOC 2, ISO 27001, HIPAA, PCI-DSS, NIST, or FedRAMP.

Responsibilities:

Technical Leadership

• Define the long-term architecture and technical roadmap for the IAM platform.
• Lead identity, authentication, authorization, and access governance initiatives spanning multiple products and engineering teams.
• Establish standards, reference architectures, and best practices for identity and access management across the organization.
• Drive platform adoption and migration strategies for existing products and services.

Hands-On Engineering 

• Design, implement, and operate core IAM platform services.
• Build integrations between identity providers, API gateways, authorization systems, secrets management platforms, and SaaS products.
• Develop services supporting user lifecycle management, machine identity management, delegated administration, access reviews, and compliance reporting.
• Implement secure token exchange, service-to-service authentication, and federated identity workflows.
• Build APIs, automation, and self-service capabilities for onboarding, provisioning, and access governance.
• Troubleshoot and resolve complex scalability, reliability, and security challenges across the platform.

Security & Governance

• Design authorization models supporting RBAC, ABAC, delegated administration, and multi-tenant environments.
• Define controls for least privilege, separation of duties, credential management, and privilege escalation prevention.
• Ensure complete auditability of access grants, modifications, reviews, and revocations.
• Partner with security and compliance teams to meet regulatory and customer requirements.