Senior IAM Engineer jobs in United States

Kestra Financial · 1 day ago

Senior IAM Engineer

Kestra Financial is a leading provider of wealth management platforms for independent financial professionals. They are seeking a Senior IAM Engineer to assess current state, design target-state architectures, and implement Role-Based and Attribute-Based access models at enterprise scale, ensuring compliance with financial services regulations.

Banking · Consulting · Finance · Financial Services
H1B Sponsor Likely

Responsibilities

Define RBAC/ABAC standards, pattern libraries, and guardrails; author architecture decision records (ADRs)
Drive role engineering (role discovery, consolidation, birthright access, SoD matrices) and ABAC policy design (attribute inventory, policy enforcement integration)
Maintain the IGA reference architecture spanning SailPoint, Okta, directories (AD/LDAP), HR/ERP, and cloud providers
Partner with AppSec and platform teams to externalize authorization using federation and standardized protocols (SAML 2.0, OIDC, OAuth 2.0; SCIM for provisioning)
Configure sources/authorities, connectors, aggregation & correlation rules, identity profiles, entitlement catalogs, lifecycle policies, workflows, access request, and certification campaigns in SailPoint; implement Okta connector patterns
Build monitoring/health checks, metrics, and dashboards for access governance KPIs; automate evidence collection
Define policies/standards for access control, attribute quality, identity proofing, certification cadence, and exception handling; ensure alignment with enterprise risk appetite
Support audits and regulatory examinations with defensible evidence, including certification results, SoD analyses, and access recertification trails
Mentor engineers and analysts; partner with business/application owners to onboard apps at scale under governance; establish repeatable app-onboarding playbooks (federation + provisioning + role modeling)
SailPoint (IdentityIQ Engineer/Architect or Identity Security Cloud) and/or Okta certifications; experience integrating SailPoint with Okta via connectors/APIs
Cloud IAM concepts (Azure AD/Entra ID, AWS IAM), and experience mapping ABAC to cloud entitlements/metadata
Financial-services experience with audit/regulatory expectations (e.g., access certification cadence, evidence, SoD rigor)

Qualification

SailPoint expertise
RBAC/ABAC design
Federated identity protocols
Cloud IAM concepts
Access governance processes
Scripting language proficiency
Financial-services experience
Mentoring skills

Required

8+ years in IAM with 5+ years leading RBAC/ABAC design and enterprise deployment; demonstrable delivery of role mining/engineering and attribute-driven authorization
Hands-on SailPoint expertise (IdentityIQ or Identity Security Cloud/IdentityNow) across connectors, lifecycle automation, certifications, SoD, policy, and analytics; Okta SSO/MFA and federation patterns
Strong command of federated identity protocols and provisioning standards (SAML 2.0, OIDC, OAuth 2.0, SCIM)
Working knowledge of directory services (AD/LDAP), identity data modeling, and integration architectures; familiarity with crypto & tokenization fundamentals for identity
Experience establishing access governance processes (access reviews, recertifications, SoD, exception management) consistent with industry best practices
Proficiency in at least one scripting language (e.g., Beanshell/Java for IIQ, Python/PowerShell for automation), and SQL for identity analytics

Benefits

401(k)
Health insurance
A competitive benefits package
Opportunities for training, development, and long-term growth within the firm
Tuition reimbursement for qualified expenses

Company

Kestra Financial

Kestra Financial provides a leading independent advisor platform.

H1B Sponsorship

Kestra Financial has a track record of offering H1B sponsorships. Please note that this does not guarantee sponsorship for this specific role. Below presents additional info for your reference. (Data Powered by US Department of Labor)
Trends of Total Sponsorships
2025 (5)
2024 (14)
2023 (4)
2022 (3)
2021 (1)
2020 (6)

Funding

Current Stage
Growth Stage
Total Funding
unknown
2019-02-25: Acquired

Leadership Team

Joel Bennett, CFO
Kris Chester, Executive Vice President + Chief Operating Officer
Company data provided by crunchbase