Job Description
Senior Customer Identity & Access Management (CIAM) Engineer
We are a purpose-driven, dynamic and sustainable pension plan that is an industry‑leading global investor with teams in Toronto, London, New York, Singapore, Sydney and other major cities across North America and Europe.
Join us to accelerate your growth & development, prioritize wellness, build connections, and support the communities where we live and work.
What You’ll Do
Design & implement end‑to‑end CIAM capabilities, including SSO, MFA, identity lifecycle management, consent management, identity governance, and data privacy.
Serve as the technical lead for CIAM initiatives, guiding platform selection, customization, integration patterns, and reference architectures.
Implement advanced authentication: adaptive/risk‑based auth, identity proofing, and federation protocols (SAML 2.0, OIDC, OAuth 2.0).
Engineer and optimize Ping Identity solutions and related ecosystem products (e.g., PingFederate, PingAccess, PingOne, DaVinci).
Define secure user identity journeys and technical requirements in partnership with product, architecture, engineering, and security teams.
Embed identity controls into CI/CD pipelines and support DevSecOps practices across build, test, and release.
Produce detailed architecture documentation—sequence diagrams, data flow diagrams, and threat models—and maintain IAM policies and standards.
Troubleshoot and resolve IAM/CIAM incidents; drive performance tuning, capacity planning, and resilience improvements.
Collaborate with vendors (Ping Identity) and external partners to integrate third‑party systems and manage escalations.
Ensure alignment with regulatory and compliance frameworks (GDPR, CCPA, HIPAA, PCI‑DSS) and privacy‑by‑design principles.
Mentor developers and engineers on identity best practices, SDK usage, and secure integration patterns.
What You Bring
7+ years in Identity & Access Management with 2+ years focused on CIAM.
Expertise with Ping Identity (required) and experience across its suite (e.g., PingFederate, PingAccess, PingOne, DaVinci).
Hands-on experience with additional CIAM platforms (e.g., Okta/Auth0, ForgeRock, Azure AD B2C) and federation across heterogeneous environments.
Deep knowledge of standards and protocols: OAuth 2.0, OIDC, SAML 2.0, SCIM, JWT, and modern web security (TLS, cookies, CORS).
Strong understanding of directory services & identity stores: LDAP, Active Directory/Azure AD, and cloud directories.
Integration skills with RESTful APIs and event‑driven patterns; proficiency with JSON and secure token handling.
Automation skills: PowerShell and/or Python for provisioning, configuration, monitoring, and operational tasks.
Architecture & resiliency: design, test, and operate highly available/failover CIAM services in hybrid or multi‑cloud environments.
Networking fundamentals: DNS, HTTP/S, reverse proxies, and load balancers; ability to diagnose auth flows end‑to‑end.
Operational excellence: automate monitoring, backups, and recovery procedures (e.g., scripts or Terraform) to support resilience and DR.
Incident leadership: lead diagnostics and RCA documentation for IAM outages; implement long‑term corrective actions.
Collaboration: partner with security, infrastructure, cloud, and compliance teams to align IAM resiliency and risk posture.
Preferred Skills
Broad IAM exposure across enterprise platforms (e.g., SailPoint, CyberArk, ForgeRock, IBM Security Identity Manager).
Privileged Access Management (PAM) awareness and integration (e.g., CyberArk, BeyondTrust).
Identity Governance & Administration (IGA): RBAC/ABAC design, role mining, and access certification campaigns.
Zero Trust Architecture: applying ZTA principles across customer and workforce identity scenarios.
Cloud IAM expertise across AWS, Azure, and GCP for hybrid or multi‑cloud patterns.
API security: OAuth 2.0 for APIs, mTLS, and API gateway integration.
Fraud detection & risk‑based authentication: integrating risk scoring engines into CIAM flows.
Infrastructure as Code (IaC): Terraform or Ansible for repeatable IAM deployments.
DevSecOps integration: embedding identity controls in Jenkins, GitHub Actions, or Azure DevOps pipelines.
Advanced automation for IAM operations using Python and/or PowerShell.
Certifications: CISSP, CCSP, and/or vendor certifications (Ping Identity, Okta, ForgeRock).
Exposure to multiple CIAM products (e.g., Okta, Auth0, ForgeRock, Azure AD B2C) and migration/interop strategies.
Why Join Us?
Own impactful CIAM solutions that secure and delight millions of users.
Work with a high‑caliber Architecture, Cloud, and Security organization.
Access to ongoing learning, certifications, and career growth opportunities.
Competitive compensation, benefits, and a culture of innovation.
Equal Opportunity
We are an equal opportunity employer and value diversity. All employment is decided on the basis of qualifications, merit, and business need.
We believe that time together in the office is important for OMERS and Oxford, the strength of our employees, and the work we do for our pension members. In delivering on our pension promise, keeping us connected to our work and each other, our flexible hybrid work guideline requires teams to come in to the office 1+ days per week.
From hire to retire, we are an equal opportunity employer committed to an inclusive, barrier‑free recruitment and selection process that extends all the way through your employee experience. This sense of belonging and connection is cultivated up, down and across our global organization thanks to our vast network of Employee Resource Groups with executive leader sponsorship, our Purpose@Work committee and employee recognition programs.