Xylem is seeking a Senior Software Developer to help drive the architecture and evolution of its enterprise Customer Identity and Access Management platform. In this role you will contribute to a transition toward a modern Policy-as-Code authorization model, participate in an active dual-domain identity migration, and work within and evolve a hybrid RBAC/ABAC authorization model serving a global portfolio of customer-facing digital products. About the Role As Senior Software Developer, you will be a key technical contributor on a production IAM platform serving multiple internal engineering teams and end-customer organizations worldwide. This role is about contributing to a transition, not inheriting a steady state. The platform is actively evolving toward a modern Policy-as-Code architecture, decoupling authorization logic from application code, thinning JWT payloads, and enforcing Zero Trust principles at the gateway layer. You will help shape the roadmap and build the technical foundation the team executes against. That said, you will be operating within a production enterprise identity platform at scale. What You'll Drive Architectural Evolution and Policy-as-Code Direction Contribute to the platform's evolution toward a thin-token, policy-as-code authorization model where JWTs carry identity context rather than encoded permissions and a dedicated policy engine becomes the authoritative evaluation layer. This is an active direction, not a completed migration. You will help scope the roadmap, sequence the work, and support consuming teams through the transition. Participate in an active dual-domain migration for the identity platform, including reverse proxy configuration, dynamic issuer handling, and ensuring downstream resource servers can validate tokens across both issuer values without regression. Authorization Model Development Work within and evolve a hybrid RBAC/ABAC authorization model built around a user, role, customer, and application authorization tuple, including platform-defined baseline roles, customer-scoped composite roles, and application-defined custom role patterns. Help identify and address security misconfigurations in how consuming teams integrate with the platform, ensuring authorization is evaluated against customer context, not flat role presence in a token. Developer Experience and Integration Enablement Contribute to Golden Path integration patterns for the engineering teams building on top of the platform, covering OAuth2/OIDC client registration, PKCE, identity provider hints, step-up authentication, redirect URI strategy, and token validation for Angular and React applications. Platform Operations Console Help drive an internal operations and governance UI from its current prototype state to production. The tool serves platform operators, security engineers, and compliance teams across modules including application management, role management, user management, customer hierarchy, MFA configuration, enterprise SSO federation, authorization policy authoring, and audit logs. The goal is reducing manual, ticket-based admin work. Security, Compliance and Risk Contribute to technical controls mapped to SOC2 CC6 and NIST 800-53 in alignment with Zero Trust principles. Support business-risk framing of architectural decisions and technical debt for leadership audiences, covering compliance exposure, audit risk, and real-time access control gaps. What You Bring Required 3 years in software engineering with demonstrated experience in complex, multi-team platform environments Strong hands-on proficiency with Java and Spring Boot in a production microservice context Solid understanding of software development lifecycle practices including CI/CD, code review, testing strategy, and release management Foundational understanding of security principles 1 authentication, authorization, token-based identity, and secure API design Experience working with or integrating against an identity provider (Keycloak, Okta, Auth0, Entra ID, or similar) Familiarity with OAuth 2.0 and OIDC concepts including authorization code flow, PKCE, and JWT structure Ability to communicate technical decisions clearly to both engineering peers and non-technical stakeholders Strongly Preferred Hands-on experience with Keycloak or a comparable open-source identity provider, including realm configuration, client scopes, protocol mappers, IdP federation, and the Admin REST API Experience with a production authorization policy engine and a point of view on decoupling policy from application code Experience designing IAM for multi-tenant SaaS, including JWT size constraints, token claim strategy, and downstream performance tradeoffs Practical experience with API gateway security and policy enforcement at the edge SAML 2.0 federation and enterprise SSO integration with providers such as Microsoft Entra ID or Okta SOC2 Type II audit preparation and NIST 800-53 control mapping Familiarity with NIST 800-207 Zero Trust Architecture principles Nice to Have Experience with TOTP enforcement and MFA patterns for privileged access Reverse proxy configuration for multi-domain identity routing Frontend prototyping experience for operator tooling (Angular or React) Experience writing authorization policy expressions against principal and resource attributes Integration testing experience for auth flows Prior work on developer-facing platforms, including writing integration guides and reviewing PRs for auth correctness Why This Role This is not a commodity IAM deployment. It is a purpose-built platform with a nuanced authorization model that has real compliance and security implications across Xylem's entire digital portfolio. The person in this role will be contributing to architectural decisions that affect how dozens of engineering teams authenticate users, enforce fine-grained access, and satisfy audit requirements for a global water technology company.