About The Position

This is a long-term mission for an advanced-level IAM Engineer at Frontex Headquarters in Warsaw. The role requires a strong understanding of modern authentication standards, token and session security, API permissions, hybrid identity foundations, and practical experience with identity governance and lifecycle management. The primary focus will be on Microsoft Entra ID and Entra External ID, with a need for pragmatic modernization of existing services and a strong emphasis on automation, compliance, and future-proofing for AI/agent identities. The position requires EU (PSC) Confidential / EU Confidential security clearance, and candidates must be based within two hours of Warsaw.

Requirements

  • EU (PSC) SECURITY CLEARANCE REQUIRED TO BE ELIGIBLE (Confidential / EU Confidential).
  • Minimum level of education: Level 6.
  • Minimum English language skills: B2.
  • Minimum IT relevant experience: 10 years (8 years in relevant IAM roles).
  • Modern authentication standards: solid understanding of OAuth 2.0, OpenID Connect, and SAML, including typical enterprise use cases (applications, APIs, federation).
  • Token & session security: knowledge of token/session lifecycles (issuance, validation, lifetimes, refresh tokens), plus common risks and mitigations.
  • API permissions & consent: understanding and practical application of scopes vs roles, delegated vs application permissions, and admin/incremental consent models.
  • Entra External ID patterns: practical knowledge of CIAM/B2B/B2C onboarding patterns and UX vs security trade-offs.
  • Hybrid identity foundations (AD DS): solid understanding of domains/forests, trusts, OU/GPO, delegation, and how AD DS impacts hybrid identity.
  • SailPoint IGA exposure: practical experience with SailPoint IdentityIQ and/or IdentityNow concepts, delivery model, and outcomes.
  • Provisioning & lifecycle integrations: experience with SCIM, authoritative sources, reconciliation, and JIT vs managed provisioning trade-offs.
  • GDPR/EUDPR + AI readiness: ability to apply privacy-by-design in IAM (minimisation, purpose, retention, token/claim hygiene, auditability) and extend governance to AI/agent access where required.
  • Microsoft-first delivery: primary focus on Entra ID / Entra External ID with consistent integration patterns for enterprise applications and APIs.
  • Hybrid environment readiness: ability to operate with AD DS/AD FS dependencies and modernize pragmatically without disrupting services.
  • Automation-by-default: preference for repeatable delivery via PowerShell and controlled processes (CI/CD and/or ITSM where applicable).
  • Compliance-oriented design: ability to design/operate IAM controls aligned with GDPR/EUDPR and internal audit expectations (traceability and evidence).
  • IGA alignment: capability to deliver governance outcomes with SailPoint and align them with Microsoft identity patterns.
  • Future-proofing: readiness to cover AI/agent identities and access controls using least privilege and clear governance.

Nice To Haves

  • Candidates must be based within two hours of Warsaw.

Responsibilities

  • Define and maintain modern authentication and federation standards for applications and APIs (OAuth2, OIDC, SAML), including reference architectures and enterprise integration patterns.
  • Support implementation and troubleshooting of authentication flows (Auth Code + PKCE, Device Code, Client Credentials, OBO), including production incidents and edge cases.
  • Design and govern secure identity models, including claims/attributes strategy, API permission models (scopes vs roles, delegated vs application permissions), and consent governance.
  • Configure, operate, and troubleshoot federation and identity integrations (IdP/SP), including metadata management, SSO issues, and AD FS operations with migration support to cloud-native approaches.
  • Design and implement secure access controls, including Conditional Access, MFA, risk-based access, step-up authentication, and Identity Protection policies with safe rollout practices.
  • Deliver and operate Microsoft Entra ID environments, including tenant configuration, enterprise applications, app registrations, service principals, managed identities, and governance improvements.
  • Design and implement identity governance and lifecycle management processes, including Entra ID Governance (access packages, access reviews, entitlement management) and end-to-end IGA processes (JML, SoD, certifications).
  • Design and implement provisioning and lifecycle integration models (SCIM, authoritative sources, reconciliation, JIT vs managed provisioning) and ensure clean identity lifecycle management.
  • Provide hybrid identity support and modernization guidance involving AD DS and AD FS, ensuring sustainable architecture and minimal service disruption.
  • Ensure automation, compliance, and scalability through PowerShell-based identity operations, GDPR/EUDPR-aligned IAM design, and integration with SailPoint IGA and governance frameworks (including AI/agent identity considerations).

Benefits

  • The rate offered depends on the candidate’s level, in accordance with Frontex’s public grading system.