IAM KeyCloak Secrets PKI Engineer (PID0647)

Interval
Berlin, IL
Remote

About The Position

We are seeking a Mid-level IAM, Secrets and PKI Engineer to join the Identity and Access Management team of a large internal platform programme in the energy sector. You will design, implement and operate Keycloak and HashiCorp Vault across a hybrid cloud environment, delivering scalable, secure and federated access management alongside a robust PKI and secrets management capability.

Requirements

  • Strong knowledge of authentication protocols including OIDC, OAuth2, SAML, Kerberos and LDAP
  • Expertise with Keycloak deployment across VM, Kubernetes and optionally GCP
  • Experience integrating Vault for secrets management
  • Experience with Terraform, Helm and ArgoCD automation
  • Expertise troubleshooting hybrid IAM flows
  • Vault Fundamentals: hands-on experience deploying and managing Vault clusters in production including HA, Raft storage, seal/unseal (KMS/HSM) and PKI secrets engine operations
  • PKI Secrets Engine: experience managing intermediates, role definitions, short-lived certificate issuance, CRLs and automated revocation, with ability to integrate PKI with applications and services
  • Certificate Lifecycle Management: experience automating issuance and renewal via Vault Agent, API or CI/CD pipelines, including rotation policies, revocation and certificate policy SLOs
  • Integration experience with enterprise systems including Kubernetes ingress, load balancers, VPN, S/MIME, databases, ACME, EST and revocation protocols
  • Experience implementing RBAC, audit devices and HSM/KMS key protection
  • Fluent English (C1 minimum)

Nice To Haves

  • Experience with cloud services and their configuration
  • Knowledge of IAM solutions based on OIDC such as Keycloak for auth backends
  • Fluent German
  • Experience working with Scrum and agile frameworks

Responsibilities

  • Implementing RBAC/ABAC policies and multi-realm setups in Keycloak, mapping Kerberos/IPA identities and groups into realms, roles and clients
  • Configuring SSO flows, MFA and identity federation across hybrid cloud and on-premises workloads
  • Deploying Keycloak on VMs, Docker and Kubernetes (OpenShift and bare-metal), configuring OIDC, OAuth2, SAML and Kerberos/LDAP federation
  • Deploying Keycloak on GKE with Helm/Operators, integrating with Google Identity and mapping Keycloak roles to GCP IAM roles
  • Configuring HashiCorp Vault to secure Keycloak operational secrets, implementing dynamic secrets for DB backends and integrating Vault Agent/Sidecar injector for secret injection into Keycloak pods
  • Deploying and operating Vault in production on Linux-based systems, including HA, Raft storage, seal/unseal mechanisms and HSM/KMS integration
  • Managing Vault PKI operations including intermediates, issuing CAs, short-lived certificate issuance, CRL/OCSP integration and automated revocation
  • Implementing ACME v2, EST for devices, AIA/CRL/OCSP publishing and RFC 5280 profiles
  • Automating Keycloak and Vault deployment and configuration using Terraform, Helm and Ansible
  • Integrating certificate and secret distribution into CI/CD pipelines (Jenkins, GitHub Actions, GitLab CI)
  • Monitoring both platforms with Prometheus and Grafana and managing incident response for expired certificates, Vault unseal failures and IPA migration issues

Benefits

  • Flexible working hours
  • Freedom to choose your own projects
  • Access to exciting projects in various industries
  • Support in advancing your career
  • Competitive pay
  • Dedicated team to help you with any questions
  • Work independently
  • Utilise our strong network
© 2026 Teal Labs, Inc