About the role
Role: ForgeRock Identity Engineer / Architect
Location: VA, NJ, TX, Atlanta, Colorado, Tampa
About the Role
Join a high-impact POD building a self-service federated SSO platform. You’ll be the hands-on ForgeRock expert designing and engineering a scalable identity broker integrating with Okta, Microsoft Entra ID, PingIdentity, and more. This is a build-from-scratch, code-heavy role—not admin/config.
Key Responsibilities
- Design multi-tenant ForgeRock AM federation architecture
- Build REST APIs for programmatic SAML SP connection lifecycle (create/validate/activate)
- Implement SAML/OIDC flows, assertion validation, and secure session management across apps
- Develop scripted authentication (Groovy/JS) and automate certificate lifecycle (monitoring & rotation)
- Enable break-glass fallback, ensure high availability, and prepare SCIM-ready architecture
- Migrate existing manual SP connections to automated framework
Must Have
- 4+ years hands-on ForgeRock Access Manager (AM)
- Strong SAML 2.0 (debugging raw assertions), OIDC/OAuth 2.0
- Experience with ForgeRock REST APIs, scripted nodes, and keystore/X.509 management
- API design & integrations, LDAP, secrets management (AWS/Vault)
- Coding: Java/Groovy + CI/CD, API testing, SAML debugging tools
Nice to Have
- ForgeRock IDM, SCIM 2.0, cloud (AWS/Azure/GCP)
- Experience with Okta / Entra / Ping as IDP
- Migration of manual SP setups to programmatic model
Why This Role?
You’ll define the identity architecture powering hundreds of future customers—owning critical decisions, building automation, and solving complex, real-world federation challenges.