Principal, Identity Architect

Starcom Mediavest Group Germany Gmbh

$127K — $237K *
Enterprise Technology
5 - 7 years of experience
Job Overview by Ladders

Qualifications

  • 7+ years of experience in identity and access management, security engineering, or platform/integration roles, with 3+ years hands-on with OAuth 2.0 / OpenID Connect in production environments.
  • Solid, practical expertise in OAuth 2.0 / 2.1 and OpenID Connect including authorization code + PKCE, client credentials, and common enterprise integration patterns.
  • Working understanding of ID token vs. access token separation, scope design, claims usage, and token lifetime management.
  • Experience implementing machine identity patterns in place of long-lived API keys or service accounts.
  • Experience modernizing identity integrations from SAML or legacy auth to OIDC migrations.

Responsibilities

  • Lead implementation and adoption of enterprise identity standards with an OIDC-first posture.
  • Design and review secure token flows including authorization code with PKCE and client credentials.
  • Ensure correct separation of ID token vs. access token usage.
  • Assess integration designs for centralized authorization server risks and recommend patterns.
  • Drive the transition from long-lived service accounts and API keys to machine identities.

Benefits

  • Mentorship opportunities with peer architects and engineers.
  • Hands-on involvement in complex integrations to set technical examples.
  • Opportunity to drive identity modernization initiatives.
  • Leadership in enhancing identity observability and governance.
  • Participation in on-call rotation for critical incidents.
Full Job Description

As a Principal Identity Architect, you will lead and drive Epsilon's identity modernization program, moving the organization from legacy SAML and long-lived credential patterns toward a modern, OAuth 2.1 / OpenID Connect (OIDC)-first approach. You will design and implement secure token flows, machine identity patterns, and integration standards that work across multi-cloud and multi-platform environments, while guiding others to deliver against the same bar.

In this role, you partner with Security, Cloud Engineering, Platform, Application, and Data teams to migrate service accounts and API keys toward scoped, ephemeral machine identities; apply enterprise standards for OAuth applications and token usage; and support emerging requirements in non-human and AI-assisted authentication. You bring practical rigor to authorization server integrations, token scopes, claims usage, and lateral-movement risk reduction, helping teams adopt identity patterns that are secure, repeatable, and developer-friendly.

You will also lead identity observability and governance improvements, building the logging, integration health, and visibility needed to manage human and machine identity activity at scale. You mentor peer architects and engineers, delegate work across the identity team and partner groups, and remain hands-on enough to unblock complex integrations and set the technical example. Your work directly improves security posture, developer velocity, audit readiness, and the organization's ability to adopt cloud-native workloads safely.

This role is ideal for a hands-on technical leader with strong OAuth/OIDC experience who can drive initiatives end-to-end, develop others, and translate architecture direction into working integrations, documented patterns, and accountable delivery across teams.

Responsibilities

Identity Architecture & Protocol Design:
  • Lead implementation and adoption of enterprise identity standards with an OIDC-first posture, driving migration away from SAML and legacy authentication patterns toward modern OAuth 2.0 / 2.1 and OpenID Connect flows.
  • Design and review secure token flows including authorization code with PKCE (required), client credentials (M2M), and delegated authorization patterns; identify and remediate deprecated implicit flows and other OAuth 2.1 anti-patterns.
  • Ensure correct separation of ID token vs. access token usage: authorization data is not embedded in ID tokens, and access tokens are scoped, time-bound, and used appropriately at resource servers.
  • Apply sound authorization models spanning scopes, claims, audience, and token lifetime, reducing risk from token leakage, replay, and lateral movement across shared authorization servers.
  • Assess integration designs for centralized authorization server risks, token scope exposure, and cross-application trust boundaries; recommend API management and federation patterns where appropriate.
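As an added example of the authorization-code-with-PKCE flow the list above requires (this is not code from Epsilon or from any IdP vendor; client ids, redirect URIs and the issued tokens are made-up demo values), here are both sides of the exchange in Python using only the standard library. The client mints the code_verifier and its S256 code_challenge; a toy authorization server binds the challenge to the code it issues; and the token endpoint refuses a replayed code, a code presented without the matching verifier, and the `plain` challenge method that OAuth 2.1 drops. The RFC 7636 Appendix B test vector is included so the challenge derivation can be checked.

```python
"""Authorization code + PKCE (RFC 7636), both sides, standard library only.

Added example, not Epsilon's or an IdP vendor's code. Client ids, redirect
URIs and the issued tokens are constructed for the demo.
"""
import base64
import hashlib
import secrets
from typing import Dict


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# ---- client side ----------------------------------------------------------
def new_code_verifier() -> str:
    """43..128 unreserved characters; 32 random bytes -> 43 chars of base64url."""
    return secrets.token_urlsafe(32)


def code_challenge(verifier: str) -> str:
    """S256: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


# ---- authorization server side --------------------------------------------
class AuthorizationServer:
    """Toy AS that binds every issued code to the challenge it was requested with."""

    def __init__(self) -> None:
        self._codes: Dict[str, dict] = {}

    def authorize(self, client_id: str, redirect_uri: str,
                  challenge: str, method: str) -> str:
        if method != "S256":  # OAuth 2.1 keeps only S256; 'plain' is gone
            raise ValueError("invalid_request: code_challenge_method must be S256")
        code = secrets.token_urlsafe(24)
        self._codes[code] = {"client_id": client_id,
                             "redirect_uri": redirect_uri,
                             "challenge": challenge}
        return code  # delivered to the client via the redirect_uri

    def token(self, client_id: str, redirect_uri: str,
              code: str, code_verifier: str) -> dict:
        record = self._codes.pop(code, None)  # single use: any replay fails
        if record is None:
            raise ValueError("invalid_grant: unknown or already-used code")
        if (record["client_id"], record["redirect_uri"]) != (client_id, redirect_uri):
            raise ValueError("invalid_grant: code bound to another client/redirect_uri")
        if not 43 <= len(code_verifier) <= 128:
            raise ValueError("invalid_grant: code_verifier length out of range")
        if not secrets.compare_digest(code_challenge(code_verifier), record["challenge"]):
            raise ValueError("invalid_grant: PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(32),
                "token_type": "Bearer", "expires_in": 600}


def demo() -> Dict[str, bool]:
    """True where the token endpoint issued a token, False where it refused."""
    server = AuthorizationServer()
    client, cb = "web-portal", "https://portal.example.internal/callback"
    out: Dict[str, bool] = {}
    # 1. Honest client: presents the verifier that produced the challenge.
    verifier = new_code_verifier()
    code = server.authorize(client, cb, code_challenge(verifier), "S256")
    out["honest"] = "access_token" in server.token(client, cb, code, verifier)
    # 2. The same code replayed after use.
    try:
        server.token(client, cb, code, verifier)
        out["replay"] = True
    except ValueError:
        out["replay"] = False
    # 3. Code intercepted in transit, but the verifier never left the client.
    verifier2 = new_code_verifier()
    code2 = server.authorize(client, cb, code_challenge(verifier2), "S256")
    try:
        server.token(client, cb, code2, new_code_verifier())
        out["stolen_code"] = True
    except ValueError:
        out["stolen_code"] = False
    return out
```

A production authorization server additionally expires unused codes within minutes and, per RFC 6749, revokes tokens already issued from a code that is presented a second time; both are left out here to keep the binding logic visible.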

Machine & Non-Human Identity (NHI):
  • Drive the transition from long-lived service accounts and API keys to machine identities using OAuth client credentials, API service applications, and cloud-native workload identity patterns.
  • Help establish non-human identity as a distinct identity category with governance, traceability, and entitlement scoping appropriate to each use case.
  • Design and implement non-interactive M2M authentication patterns for service-to-service, batch, and platform workloads across common integration points (e.g., APIs, data pipelines, messaging platforms).
  • Partner with application and platform teams on service account migration, secrets reduction, and policy-driven runtime identity models; delegate and coordinate implementation work as appropriate.

Emerging Identity Use Cases:
  • Support identity integration patterns for AI-assisted and automated workloads, including delegated human context via standard OIDC flows where applicable.
  • Contribute to monitoring and logging approaches that help teams distinguish routine machine activity from anomalous authentication behavior.
  • Stay current on evolving identity requirements for agentic workloads and recommend practical adoption paths aligned to enterprise standards.

Identity Platform & Integration Engineering:
  • Build and maintain identity integration capabilities across authorization servers, API gateways / API management, and reusable implementation patterns.
  • Implement multi-account identity patterns that support developer self-service, automation, and reliable token-based access without over-scoped or long-lived credentials.
  • Partner with Cloud Engineering on workload identity integration across AWS, GCP, and/or Azure (e.g., IAM roles, workload identity federation, managed identities).
  • Troubleshoot complex authentication and authorization issues across hybrid and multi-cloud environments.
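The workload identity federation pattern mentioned in the list above rests on what the cloud-side trust policy pins: the external issuer, the token's aud, and a tightly scoped sub. As an added example (not code from Epsilon or from any cloud provider; it only mimics the StringEquals / StringLike matching an AWS IAM role trust policy applies to an external OIDC token, with `<issuer-host>:aud` and `<issuer-host>:sub` as the assumed condition-key naming and GitHub Actions as the assumed issuer), the Python below evaluates a tight and a loose policy against constructed token claims and shows that the loose one lets a sibling repository and a pull-request run assume the role.

```python
"""Workload identity federation: what the cloud-side trust policy must pin.

Added example, not Epsilon's or any cloud provider's code. It mimics how an
IAM role trust policy's StringEquals / StringLike conditions are matched
against the claims of an external OIDC token. Issuer host, repositories and
claims are constructed; the '<issuer-host>:aud' / '<issuer-host>:sub'
condition keys are an assumption of the demo.
"""
import fnmatch
from typing import Dict, List

ISSUER_HOST = "token.actions.githubusercontent.com"  # assumed OIDC issuer (GitHub Actions)

# Constructed trust policy: only main-branch runs of one repository may assume the role.
TIGHT_POLICY = {
    "StringEquals": {f"{ISSUER_HOST}:aud": "sts.amazonaws.com"},
    "StringLike": {f"{ISSUER_HOST}:sub": "repo:example-org/orders-service:ref:refs/heads/main"},
}
# Same policy with a common mistake: sub pinned only to the organisation.
LOOSE_POLICY = {
    "StringEquals": {f"{ISSUER_HOST}:aud": "sts.amazonaws.com"},
    "StringLike": {f"{ISSUER_HOST}:sub": "repo:example-org/*"},
}


def _claim(claims: Dict[str, object], key: str) -> List[str]:
    """Map 'issuer-host:claim' to the token claim; aud may be a string or a list."""
    name = key.split(":", 1)[1]
    value = claims.get(name)
    if value is None:
        return []
    return [str(v) for v in value] if isinstance(value, list) else [str(value)]


def trust_allows(policy: Dict[str, Dict[str, str]], claims: Dict[str, object]) -> bool:
    """Every condition must hold; a missing claim never satisfies a condition.

    fnmatchcase gives '*' and '?' the same meaning as the policy language
    (its '[...]' syntax is extra and is not used by the patterns above).
    """
    for key, wanted in policy.get("StringEquals", {}).items():
        if wanted not in _claim(claims, key):
            return False
    for key, pattern in policy.get("StringLike", {}).items():
        if not any(fnmatch.fnmatchcase(v, pattern) for v in _claim(claims, key)):
            return False
    return True


def demo() -> Dict[str, bool]:
    """Constructed tokens: the intended workflow, a PR run, a sibling repo, a wrong aud."""
    main_run = {"iss": f"https://{ISSUER_HOST}", "aud": "sts.amazonaws.com",
                "sub": "repo:example-org/orders-service:ref:refs/heads/main"}
    pr_run = dict(main_run, sub="repo:example-org/orders-service:pull_request")
    other_repo = dict(main_run, sub="repo:example-org/sandbox:ref:refs/heads/main")
    wrong_aud = dict(main_run, aud="api://some-other-cloud")
    return {
        "tight_main": trust_allows(TIGHT_POLICY, main_run),
        "tight_pr": trust_allows(TIGHT_POLICY, pr_run),
        "tight_other_repo": trust_allows(TIGHT_POLICY, other_repo),
        "tight_wrong_aud": trust_allows(TIGHT_POLICY, wrong_aud),
        "loose_other_repo": trust_allows(LOOSE_POLICY, other_repo),
        "loose_pr": trust_allows(LOOSE_POLICY, pr_run),
    }
```

The same binding exists on GCP (attribute conditions on a workload identity pool provider) and Azure (the subject of a federated identity credential); in every case the review question is the same: which sub values can reach this role, and is that set exactly the workloads that should.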

Security, Zero Trust & Governance:
  • Apply Zero Trust principles-least privilege, scoped access, and policy enforcement through tokens, scopes, and authorization boundaries.
  • Partner with Security on identity-related logging, SIEM integration, audit requirements, and compliance for authentication and authorization events.
  • Support governance for OAuth application registration, client credential issuance, scope approval, and entitlement review.
  • Lead architecture reviews for identity integrations and enforce enterprise standards during implementation.
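The ID-token/access-token separation called for under Identity Architecture & Protocol Design and the token-based enforcement in the Zero Trust bullets above come down to a fixed set of checks at the resource server. As an added example (not code from Epsilon or from any IdP; the issuer, resource identifier, client id and the HS256 shared secret are made-up demo values, and a real deployment verifies asymmetric signatures against the issuer's JWKS rather than a shared secret), the Python below mints an ID token and an access token for the same user and shows that only the access token passes: right `typ`, right `iss`, this resource in `aud`, unexpired, lifetime within policy, and the required scope present.

```python
"""Resource-server checks that keep ID tokens and access tokens apart.

Added example: a minimal HS256 JWT encoder/verifier (standard library only)
plus the checks a resource server runs before trusting a bearer token.
Issuer, resource identifier, client id and secret are constructed values.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

ISSUER = "https://idp.example.internal"           # assumed issuer URL
RESOURCE = "https://orders-api.example.internal"  # this resource server's identifier
CLIENT_ID = "web-portal"                          # the OIDC client the ID token is minted for
SHARED_SECRET = b"demo-only-secret-not-for-production"
MAX_LIFETIME = 15 * 60                            # policy: access tokens are short-lived


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(claims: dict, typ: str = "JWT") -> str:
    """Mint an HS256-signed JWT; RFC 9068 access tokens carry typ 'at+jwt'."""
    header = {"alg": "HS256", "typ": typ}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def decode_jwt(token: str) -> Tuple[dict, dict]:
    """Verify the signature and return (header, claims); raise on any tampering."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    expected = hmac.new(SHARED_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    return header, json.loads(_b64url_decode(p))


def check_access_token(token: str, required_scope: str, now: Optional[float] = None) -> dict:
    """Accept only a scoped, time-bound access token addressed to this resource."""
    now = time.time() if now is None else now
    header, claims = decode_jwt(token)
    if header.get("typ") not in ("at+jwt", "application/at+jwt"):
        raise ValueError("not an access token (typ)")
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if RESOURCE not in aud:  # an ID token's aud is the client id, never this API
        raise ValueError("token not intended for this resource (aud)")
    if claims.get("iat") is None or claims.get("exp") is None:
        raise ValueError("missing iat/exp")
    if now >= claims["exp"]:
        raise ValueError("expired")
    if claims["exp"] - claims["iat"] > MAX_LIFETIME:
        raise ValueError("lifetime exceeds policy")
    if required_scope not in claims.get("scope", "").split():
        raise ValueError(f"missing scope {required_scope}")
    return claims


def demo(now: float = 1_700_000_000.0) -> dict:
    """Mint one ID token and one access token for the same user; only the latter passes."""
    id_token = encode_jwt({"iss": ISSUER, "sub": "u123", "aud": CLIENT_ID,
                           "iat": now, "exp": now + 3600, "nonce": "n1",
                           "email": "user@example.internal"})
    access_token = encode_jwt({"iss": ISSUER, "sub": "u123", "aud": [RESOURCE],
                               "iat": now, "exp": now + 600, "client_id": CLIENT_ID,
                               "scope": "orders:read"}, typ="at+jwt")
    results = {}
    for name, tok in (("id_token", id_token), ("access_token", access_token)):
        try:
            check_access_token(tok, "orders:read", now=now)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = f"rejected: {err}"
    return results
```

If an issuer does not emit `typ: at+jwt`, the `aud` check is what keeps the two token types apart, so it must never be relaxed to "any audience"; the lifetime check is a cheap way to catch an authorization server that was reconfigured to mint long-lived tokens for a shared client.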

Integration Modernization & Standards:
  • Drive SAML-to-OIDC migration work and legacy auth modernization across internal platforms, SaaS integrations, and custom applications.
  • Create and maintain documented, reusable guides for OAuth applications, M2M integrations, service account migrations, and developer onboarding.
  • Influence engineering teams through design reviews, standards documentation, working sessions, and cross-functional working groups.
  • Evaluate emerging identity capabilities and recommend practical adoption aligned to business and security outcomes.

Leadership, Mentoring & Delivery:
  • Lead and drive identity modernization initiatives: prioritize work, set direction for workstreams, and ensure progress against enterprise goals.
  • Mentor peer architects, identity engineers, and partner-team engineers on OAuth/OIDC best practices, secure integration patterns, and architectural decision-making.
  • Delegate and coordinate implementation tasks across the identity team and partner groups, with clear ownership, follow-through, and quality, without requiring hands-on execution of every detail.
  • Break down complex programs into actionable work packages; guide others through migrations, integrations, and standards adoption.
  • Improve identity observability: authentication event streams, token lifecycle metrics, integration health, and operational visibility for critical identity services.
  • Lead incident response and root-cause analysis for authentication, authorization, and token-related issues; mentor others through complex remediation.
  • Participate in on-call rotation and provide after-hours support for critical identity platform incidents as required.
  • Additional responsibilities as assigned.


Qualifications

What you'll bring with you:
  • 7+ years of experience in identity and access management, security engineering, or platform/integration roles, with 3+ years hands-on with OAuth 2.0 / OpenID Connect in production environments.
  • Solid, practical expertise in OAuth 2.0 / 2.1 and OpenID Connect, including authorization code + PKCE, client credentials, token refresh, and common enterprise integration patterns.
  • Working understanding of ID token vs. access token separation, scope design, claims usage, token lifetime management, and common security risks including replay, leakage, and over-scoped tokens.
  • Experience implementing machine identity (M2M) patterns (OAuth client credentials, API service applications, and/or cloud workload identities) in place of long-lived API keys or service accounts.
  • Experience modernizing identity integrations: SAML or legacy auth to OIDC migrations, or greenfield OIDC implementations following enterprise standards.
  • Ability to design and deliver reliable identity integrations at scale: multi-application IdP deployments, API management integration, and patterns that development teams can reuse.
  • Demonstrated ability to lead technical initiatives, mentor peers and engineers, and delegate work while maintaining quality and security standards.
  • Working knowledge of cloud-native identity in at least one major platform (AWS, GCP, or Azure): IAM, workload identity federation, managed identities, and secrets management integration.
  • Experience with identity logging and troubleshooting: authentication event analysis and operational support for production identity services.
  • Strong communication and influence skills: ability to partner with Security, Engineering, and application teams; produce clear documentation and diagrams; and drive adoption across diverse teams.
  • Demonstrated success in security-conscious or regulated environments with documentation, least-privilege practices, and structured change management.
  • Self-directed with strong prioritization skills; comfortable operating in complex, multi-stakeholder enterprise contexts.

Why you might stand out from other talent:
  • Deeper experience with non-human identity governance: API identities, application identities, machine workloads, and entitlement lifecycle management.
  • Hands-on work with agentic / AI identity patterns or high-velocity delegated authorization use cases.
  • Experience integrating identity with API gateways, data platform access controls (e.g., Kafka, Ranger), or service-to-service security at scale.
  • Familiarity with workload identity standards (SPIFFE/SPIRE) or policy engines (OPA, Cedar) for authorization beyond token scopes.
  • Experience building or significantly extending identity platform capabilities, not only configuring individual application integrations.
  • Background with enterprise IdP platforms (e.g., Okta, Azure AD / Entra ID, Auth0, Ping) across multiple applications and environments.
  • Track record leading cross-team identity programs with measurable delivery against migration, standards, or platform goals.
  • Contributions to standards, migration playbooks, or cross-team initiatives that improved security posture or developer experience.
  • Relevant certifications (e.g., CISSP, cloud security specialty) or equivalent demonstrated expertise.
  • Scripting or automation skills (Python, Bash, or similar) for identity operations, validation, or integration tooling.

