ForgeRock Identity Engineer / Architect


ScrumLink, Inc.
Summary
Location: VA, NJ, TX, Atlanta, Colorado, Tampa (any VZ location)
JOB TITLE
ForgeRock Identity Engineer / Architect, Onshore Contract · 5 months
ABOUT THE ROLE
We are building a self-service federated SSO platform that will eliminate manual identity federation for enterprise B2B customers. At the heart of this platform sits ForgeRock, acting as the identity broker between customer IDPs (Okta, Microsoft Entra ID, PingIdentity, and others) and our two core applications.
This role is the most technically critical position in the delivery POD. You will own everything ForgeRock: from programmatic SP registration through SAML assertion validation to session token management and certificate lifecycle automation. You will work directly with the POD Lead / Solution Architect and be the hands-on ForgeRock expert the team depends on for every identity decision.
This is not a configuration role. You will be writing ForgeRock scripted authentication, designing REST API integrations, architecting multi-tenant federation at scale, and solving hard problems that have no documented answer.
WHAT YOU WILL OWN
Federation Architecture
- Design and implement the multi-tenant ForgeRock realm structure that isolates each customer company (CLE) while sharing a common identity broker
- Define and document the SP metadata template schema for programmatic SP connection registration
- Own the ForgeRock SP connection registry, the single source of truth for all customer federations
API Integration (The Core of This Project)
- Build and validate the ForgeRock REST API integration for API 1: real-time Entity ID uniqueness check
- Architect and implement API 2: programmatic SP connection creation from customer metadata including Entity ID, SSO binding URLs, SLO binding URLs, X.509 certificate storage, NameIDFormat, and WantAuthnRequestsSigned
- Design the API 3 activation mechanism: enabling the SP connection on a customer-selected date, triggered only after the LDAP batch job completion signal is received
- Ensure all three APIs are idempotent, authenticated via secrets manager, and handle ForgeRock unavailability gracefully
SAML / OIDC Protocol Depth
- Configure SAML 2.0 SP connections for all five IDP options: Okta, Microsoft Entra ID, PingIdentity, Other SAML, Other OIDC
- Implement SAML assertion validation: signature verification against X.509 certificates, assertion expiry enforcement, replay attack prevention
- Configure attribute mapping for dual-attribute assertions, extracting both User ID and Email Address per customer IDP
- Implement SP-initiated flow as the exclusive primary authentication path
Session Management
- Design and implement ForgeRock session token issuance on successful assertion validation
- Configure shared session token architecture so users authenticated in APP1 gain seamless access to APP2 without re-authentication
- Implement immediate session revocation capability for user deprovisioning events (Phase 2)
Break-Glass Fallback
- Design the SSO failure detection mechanism at the ForgeRock layer
- Implement the signal that triggers Break-Glass fallback to username and password when ForgeRock detects IDP unavailability, assertion failure, or timeout
Certificate Lifecycle Management
- Implement X.509 certificate storage in the ForgeRock keystore for each customer IDP
- Build the certificate expiry monitoring job: scan all registered certificates and trigger alerts at the 60-, 30-, 14-, and 7-day thresholds
- Implement self-service certificate rotation: accepting a new certificate upload, validating it, updating the ForgeRock keystore via API, running a silent SAML validation test, and retiring the old certificate
- Build automated certificate rotation via metadata URL polling: daily comparison of live IDP metadata against the stored certificate, with automatic update when a difference is detected (supported for Okta, Microsoft Entra ID, and PingIdentity)
SCIM Integration (Phase 2 Architecture)
- Design the SCIM /Users endpoint architecture for automated user deprovisioning
- Define the ForgeRock session revocation API contract for immediate session invalidation on deprovision events
- Ensure Phase 1 ForgeRock architecture is SCIM-ready without requiring structural rework in Phase 2
Existing Integration Migration
- Audit all existing manually configured ForgeRock SP connections
- Identify configuration gaps, non-standard attribute mappings, and certificate expiry risks
- Design and implement migration tooling: parallel run capability, cutover mechanism, and rollback capability
WHAT YOU MUST HAVE
ForgeRock (Non-Negotiable)
- 4+ years hands-on ForgeRock Access Manager (AM) experience in production environments
- Proven experience configuring ForgeRock SAML 2.0 SP and IDP connections programmatically, not just through the admin console
- Deep knowledge of ForgeRock REST APIs, specifically the Identity Gateway and Access Manager API surface
- Experience writing ForgeRock Groovy or JavaScript scripted authentication nodes
- Hands-on experience with ForgeRock keystore management: importing, rotating, and validating X.509 certificates
- ForgeRock Certified Access Management Specialist or equivalent; preferred but not mandatory if hands-on experience is demonstrably strong
Identity Protocols
- Deep SAML 2.0 knowledge, not just conceptual. You must be able to read and debug raw SAML XML, understand assertion structure, validate signatures manually, and identify malformed assertions by inspection
- OIDC / OAuth 2.0: authorization code flow, token validation, discovery endpoint
- Understanding of SP-initiated vs IDP-initiated flows and the security implications of each
- X.509 certificate management: formats, chains, expiry, rotation, keystore operations
- NameIDFormat variants and attribute mapping patterns across major IDPs
API and Integration
- REST API design and consumption: you will be both building and calling ForgeRock REST APIs
- Experience integrating ForgeRock with LDAP directories: reading user records, understanding directory schema
- Secrets management integration: AWS Secrets Manager, HashiCorp Vault, or equivalent
- Webhook design and event-driven integration patterns
Complementary Technical Skills
- Java or Groovy for ForgeRock scripting
- Git and CI/CD pipeline integration for ForgeRock configuration management
- API testing tooling: Postman, RestAssured, or equivalent
- SAML debugging tools: SAML tracer, browser developer tools for assertion inspection
NICE TO HAVE
- Experience with ForgeRock Identity Management (IDM) in addition to Access Manager (AM)
- Hands-on experience with SCIM 2.0 endpoint design and implementation
- Prior experience migrating manual ForgeRock SP connections to programmatic management
- Familiarity with Tableau or similar BI tools for SSO event schema design
- Experience with ForgeRock on cloud infrastructure: AWS, Google Cloud Platform, or Azure
- Knowledge of FedRAMP, SOC 2, or HIPAA compliance requirements as they relate to identity infrastructure
- Experience with Okta, Microsoft Entra ID, or PingIdentity from the IDP administration side; understanding how these IDPs generate metadata and manage SP connections helps enormously when debugging federation issues
THE THREE QUESTIONS WE WILL ASK IN INTERVIEW
We use these to separate ForgeRock practitioners from ForgeRock administrators:
1. Walk me through how you would programmatically register a new SAML SP connection in ForgeRock AM using the REST API: what endpoints, what payload, what authentication, and what would you validate to confirm the connection is correctly registered?
2. A customer's SSO breaks and the SAML assertion is reaching ForgeRock but authentication is failing. Walk me through your debugging process: what do you look at first, what tools do you use, and what are the five most common causes of assertion validation failure you have seen in production?
3. We have 40 existing manually configured ForgeRock SP connections in production. We are building a new programmatic management layer. How would you approach migrating those connections without causing an outage for any existing user?
If a candidate cannot answer all three in depth, they are not the right person for this project regardless of what their CV says.
WHAT MAKES THIS ROLE DIFFERENT
Most ForgeRock roles are maintenance and support: keeping existing federations running, occasional new customer onboarding. This role is building something from scratch.
You will be making architecture decisions that affect how every future customer federates. You will be writing the ForgeRock integration code that the entire self-service platform depends on. You will be the person who gets called when a customer's SSO breaks in production.
If you want a role where you can configure ForgeRock through the admin console and call it a day, this is not it. If you want to build a programmatic identity platform that scales to hundreds of customers without manual intervention, this is exactly it.
- Dice Id: 10457621
- Position Id: Mike25648
- Posted 15 hours ago