Role: IAM Operations Consultant (Ping Identity & SailPoint)
Location: Plano, TX (Hybrid)
Full-time
Role Summary:
Key Responsibilities:
Service Operations:
- Own day-to-day operations for Ping Identity and SailPoint platforms, ensuring availability, performance, and security SLAs.
- Proactively monitor platform health, perform routine checks, capacity planning, backups, and schedule/execute maintenance, patching, and upgrades.
- Triage and resolve incidents, service requests, and problems; lead root cause analysis and implement permanent fixes.
- Execute changes via CAB with clear runbooks, rollback plans, impact/risk assessments, and post-implementation reviews.
- Maintain accurate runbooks, SOPs, diagrams, and operational documentation aligned to audit standards.
Ping Identity (SSO, MFA, Federation):
- Administer PingFederate, PingAccess, PingDirectory, and PingID/PingOne (as applicable).
- Onboard and maintain OIDC/SAML integrations: configure IdP/SP connections, manage metadata, certificates, and key rotation.
- Implement and tune MFA, adaptive policies, device trust, and conditional access.
- Manage authentication policies, token lifecycles, attribute mapping, session management, and header-based access.
- Promote configurations across environments; troubleshoot SSO issues end-to-end with application teams.
- Ensure standards alignment and secure integration patterns for SAML 2.0, OIDC, and OAuth 2.0.
SailPoint Identity Governance & Administration:
- Operate SailPoint platforms: IdentityIQ and/or IdentityNow (Identity Security Cloud), including task scheduling, health checks, and upgrades.
- Perform application onboarding and connector operations (e.g., AD/Entra ID, LDAP, Azure, Workday/SuccessFactors, ServiceNow, SAP, Oracle, databases, SaaS apps).
- Manage identity lifecycle (joiner-mover-leaver), account aggregation, correlation, transforms/mappings, roles/access profiles, and policies.
- Administer and support access request workflows, approval policies, birthright/access modeling, and role mining (as applicable).
- Run access certification campaigns (setup, scheduling, execution, attestation evidence, remediation tracking).
- Maintain and tune provisioning policies, entitlements, SoD policies/violations, and exception handling.
- Troubleshoot provisioning and aggregation failures, queue backlogs, connector errors, rules, and workflow issues.
- Develop and support SailPoint rules/workflows and automation:
  - IdentityIQ: BeanShell/Java rules, lifecycle manager workflows, task definitions, plugin/config promotion.
  - IdentityNow: sources, transforms, rules, lifecycle events, connectors, sp-config export/import, REST APIs.
- Perform data quality checks, identity refreshes, cleanup jobs, and optimize performance and indexing.
Security, Compliance, and Governance:
- Enforce least privilege, SoD, and Zero Trust-aligned controls across SSO and IGA.
- Integrate logs with SIEM for monitoring, alerting, and anomaly detection; define operational thresholds and playbooks.
- Support audits (SOX/PCI/ISO/other): produce evidence, enable control testing, and remediate findings.
- Manage certificate, key, and secret lifecycles and ensure secure configuration baselines.
Automation and Continuous Improvement:
- Automate routine tasks (app onboarding, cert renewals, config backups, campaign setups, rotation checks) using platform APIs and scripts.
- Implement configuration-as-code and environment promotion where supported (Ping and SailPoint).
- Define operational KPIs, measure performance, and drive improvements to reduce toil and improve reliability.
- Partner with engineering/architecture to deliver enhancements without operational risk.
Stakeholder Management:
- Collaborate with application owners, security, infra, HRIS, and compliance teams to plan changes and onboard services.
- Provide consultative guidance on integration patterns, controls, and IAM best practices.
- Communicate incident status, risks, and service health to both technical and non-technical stakeholders.
Required Qualifications:
- 5–8 years in IAM operations/engineering with production ownership.
- 3+ years administering Ping Identity (PingFederate, PingAccess, PingDirectory, PingID/PingOne).
- 3+ years operating SailPoint (IdentityIQ and/or IdentityNow) in enterprise environments.
- Strong grasp of SAML 2.0, OIDC, OAuth 2.0, JWT, token policies, and certificate management.
- Experience with identity lifecycle, provisioning, access requests, and certification campaigns.
- Windows/Linux administration, networking (DNS, TLS, proxies, load balancers), and directory services (AD/LDAP).
- Scripting and APIs: PowerShell and either Python or Java; experience with REST/JSON. For IdentityIQ, BeanShell/Java; for IdentityNow, transforms and rules.
- Experience with ITSM (e.g., ServiceNow), SIEM (e.g., Splunk), and monitoring (e.g., Datadog, Prometheus).
- Solid understanding of ITIL processes and enterprise security practices.
Preferred Qualifications:
- Ping Identity certifications (PingFederate, PingAccess) and SailPoint certifications (IdentityIQ/IdentityNow).
- Experience with SailPoint sp-config, plugin management (IIQ), connector tuning, and performance optimization.
- Knowledge of Azure AD/Entra ID, AWS IAM, Google Cloud Platform IAM; SCIM provisioning and JIT patterns.
- Exposure to CI/CD for IAM configs, Git-based versioning, and pipeline-driven deployments.
- Familiarity with compliance frameworks (SOX, PCI-DSS, ISO 27001) and evidence management.
- Experience integrating HR sources (Workday/SuccessFactors) and ERP apps (SAP/Oracle).
Key Technologies:
- Ping Identity: PingFederate, PingAccess, PingDirectory, PingID/PingOne, certificates/keystores.
- SailPoint: IdentityIQ, IdentityNow (Identity Security Cloud), rules/workflows, connectors, transforms, sp-config, REST APIs.
- Supporting: Active Directory/LDAP/Entra ID, HRIS (Workday/SuccessFactors), ServiceNow, SIEM, reverse proxies/load balancers, Git, scripting tools.