Key skills
IdentityAccess ManagementAuthentication protocols - OAuth 2.0Authentication protocols - OIDCAuthentication protocols - SAMLKeycloakRelationship-Based Access Control (ReBAC)Topaz/OPAAuthorization policy designDistributed services developmentAPI designService decompositionTesting strategiesCI/CDKubernetesSecurity-sensitive environment experienceAIIAMOAuthSAMLSSO
About this role
SimSpace is an AI Proving Ground focused on enhancing cybersecurity through innovative solutions. They are seeking a Staff Software Engineer specializing in Identity & Access Management to lead the architecture and technical strategy for IAM across their platform, ensuring secure and scalable access systems.
Responsibilities:
- Define and own the technical architecture for authentication and authorization across the SimSpace platform, ensuring systems are secure, scalable, and maintainable
- Lead the design and development of Keycloak-based identity infrastructure, including federation, SSO, token management, and multi-tenant identity flows — multi-tenancy is a core architectural concern and experience designing systems with strong tenant isolation is highly valued
- Design and build the authorization layer for the SimSpace platform — including policy enforcement using a Relationship-Based Access Control (ReBAC) model (currently implemented with Topaz/OPA), authorization services, and the software infrastructure needed to deliver consistent, fine-grained access control across platform services. An understanding of ReBAC and how it differs from RBAC and ABAC models is essential
- Design and build new services that extend and augment the IAM stack — including directory services, user management services, and other components that integrate with or enhance Keycloak and Topaz
- Establish and evangelize cross-team authn/authz standards, providing technical guidance to engineering teams consuming IAM services to ensure correct and secure integration patterns
- Partner with technical leaders across the organization to translate business and security requirements into clear technical roadmaps and executable implementation plans
- Lead project scoping and estimation for new initiatives — breaking down ambiguous requirements into well-defined work, producing credible SWAGs early in the process, and driving planning that the team can execute against with confidence
- Identify and drive resolution of systemic technical risk, performance bottlenecks, and security gaps within the IAM stack
- Actively contribute to architectural review processes, raising the quality bar across the broader engineering organization
- Mentor and grow senior engineers on the IAM team, sharing deep expertise in software design, identity protocols, and security patterns
Requirements:
- Experienced Staff or Senior Software Engineer with a strong background in building platform or infrastructure services, with meaningful exposure to identity and access management concepts
- Proven ability to design, build, and ship production-grade distributed services — comfortable owning the full software development lifecycle from architecture through delivery
- Solid understanding of authentication protocols (OAuth 2.0, OIDC, SAML) and authorization patterns, with enough hands-on experience to make sound engineering decisions around identity systems
- Demonstrated ability to drive technical standards and architectural decisions across multiple teams, balancing idealism with pragmatic delivery
- Strong project scoping and estimation instincts — able to SWAG a new initiative quickly, break it into meaningful milestones, and produce plans that are realistic without being over-engineered
- Strong communicator who can translate complex security and identity concepts for both technical and non-technical audiences
- Proficient in modern software engineering practices: API design, service decomposition, testing strategies, and CI/CD
- Experience with Kubernetes and modern container-based infrastructure as the environment in which these services operate
- Comfortable operating with ambiguity — at the Staff level, the roadmap isn't always fully defined, and this role is expected to help shape it
- Experience working in security-sensitive or compliance-driven environments (DoD, FedRAMP, SOC 2, or similar) is a strong plus
- Experience with Keycloak or comparable identity providers is a plus; willingness to develop deep expertise in Keycloak, Topaz/OPA, and adjacent technologies is essential