DOOR · 1 week ago
Systems Engineer-Privileged Access Management_1157
LATCH LLC is a technical consulting firm providing services to the US Federal Government. They are seeking a Senior Systems Engineer to integrate and develop identity and access management solutions, focusing on Okta and privileged access management.
Apps, Artificial Intelligence (AI), Smart Home, Software
Responsibilities
Designing and implementing identity federation, single sign-on (SSO) and multi-factor authentication (MFA) solutions, and privileged access management (PAM)
Implementing integrations with Okta and supporting related identity protocols
Supporting application onboarding for authentication and authorization
Implementing, sustaining, and troubleshooting PAM solutions within a larger ICAM ecosystem
Enhance and sustain Just in Time (JIT) Provisioning solutions and Privileged Access Management (PAM) for USPTO’s enterprise identity environment, spanning Okta, Active Directory, USAccess, and integrated identity systems
Implement, refine, and troubleshoot the implementation of PAM and JIT policies, including attribute mapping, profile transformations, directory writes, federation-based triggers, and downstream provisioning updates
Build and maintain Okta Workflows, inline hooks, and API-driven automations to support real-time identity lifecycle events (creation, update, disablement, deprovisioning)
Collaborate with Senior ICAM Engineers to maintain secure, scalable identity federation and single sign-on (SSO) patterns that align with enterprise identity architecture
Create, modify, and publish APIs that support PAM, JIT provisioning, SCIM synchronization, and identity attribute orchestration across the enterprise
Support application onboarding efforts, ensuring each app is integrated with JIT, OIDC, OAuth2, or SAML as appropriate
Design and maintain attribute schemas, group rule logic, and directory synchronization patterns supporting real-time access decisions
Conduct deep troubleshooting of provisioning failures, federation issues, JIT edge cases, and identity attribute conflicts using Okta System Logs, AD event logs, and custom instrumentation
Partner with Enterprise Security, Directory Services, and Identity Governance teams to ensure JIT provisioning aligns with Zero Trust and identity assurance requirements
Produce high-quality technical artifacts, including ICAM diagrams, provisioning flows, SOPs, runbooks, and integration documentation
Mentor junior identity engineers on JIT provisioning best practices, secure attribute handling, and Okta-centered automation strategies
Participate in Agile ceremonies, contributing to backlog refinement, sprint planning, and iterative delivery of identity enhancements
Qualifications
Required
Minimum 5+ years of Identity and Access Management (IAM) engineering experience supporting enterprise identity platforms
Minimum 15 years of experience in an IT position, such as systems administration, systems engineering, development, or identity management
Direct, hands-on experience designing, implementing, and troubleshooting privileged access management (PAM) solutions and Just in Time (JIT) Provisioning solutions in Okta or a comparable enterprise IdP (mandatory)
Strong hands-on expertise with OIDC, including authorization flows, token handling, claims, and advanced configuration
Solid experience with authentication protocols SAML and OAuth 2.0, including advanced troubleshooting
Proven, hands-on experience with Okta Workflows, including subflows, error handling, API connectors, and lifecycle automation
Experience working with and developing APIs using modern tools and languages; ability to build or modify API-based automation to support JIT
Experience in Agile or DevOps environments with CI/CD workflows supporting identity integrations
Ability to write clear, concise technical documentation, diagrams, and system integration artifacts
5+ years of relevant experience with Okta
3+ years of relevant experience with privileged access management
10+ years of relevant experience with systems engineering
15+ years of relevant experience in IT fields
Bachelor's degree in Computer Science, Information Systems, or a related field OR no degree with 13+ years of directly relevant systems and development experience
Preferred
Experience implementing PAM, JIT, or SCIM provisioning for federated user populations (internal + external)
Familiarity with cloud identity integration on AWS, Azure/Entra ID, or similar platforms
Working knowledge of Infrastructure as Code tools such as Terraform, especially the Okta provider
Experience supporting ICAM efforts in federal or regulated environments
Understanding of Zero Trust principles, identity lifecycle frameworks, and identity governance patterns
Familiarity with directory services (Active Directory, LDAP), group policy interactions, and directory write-back logic
Experience designing or enhancing complex JIT provisioning flows involving multiple authoritative sources, multi-directory propagation, or real-time attribute resolution
Expertise in integrating Okta Inline Hooks (Token, Registration, SAML Assertion, Event) to augment JIT logic, including supporting serverless hook infrastructure (AWS Lambda or Azure Functions)
Advanced proficiency implementing configuration-as-code for Okta (Terraform, CI/CD pipelines) to automate deployment of JIT logic, Workflows, and identity configurations
Experience integrating Okta event logs with SIEM platforms (Splunk preferred) to build provisioning dashboards, identity analytics, or automated remediation
Demonstrated ability to troubleshoot race conditions, attribute collisions, or inconsistent identity states in federated JIT environments
Benefits
401(k)
401(k) matching
Dental insurance
Health insurance
Paid time off
Parental leave
Professional development assistance
Referral program
Vision insurance
Company
DOOR
DOOR (formerly Latch) is a Building Intelligence company redefining how buildings operate.
Funding
Current Stage: Public Company
Total Funding: $342.12M
Key Investors: Avenir, Brookfield Asset Management, RRE Ventures
2021-06-07: Post-IPO Equity · $190M
2021-06-07: IPO
2019-08-01: Series B · $56M
Company data provided by crunchbase