Senior Identity Engineer

Sunrise Senior Living, West McLean, VA

About The Position

The Senior Identity Engineer is a hands-on technical owner for Sunrise's enterprise Identity & Access Management (IAM) platform across Hybrid Active Directory and Microsoft Entra ID, with a roadmap to fully migrate to Entra and offload legacy authentication mechanisms. The role owns application onboarding to SSO, HRIS-driven identity lifecycle automation, privileged and group access models, Conditional Access policy design, self-service password reset and passwordless authentication, while establishing robust monitoring, documentation and stakeholder training.

Requirements

  • Programming experience in Python (or similar) and strong PowerShell skills for directory and application automation.
  • Deep experience with Active Directory, Azure Active Directory / Entra ID, and hybrid identity architectures.
  • Hands-on experience with SAML, OAuth 2.0, and OpenID Connect (OIDC), including token and claim design, scopes, consent, refresh and PKCE flows, and session management.
  • Experience designing, operating, and decommissioning ADFS or similar platforms, including secure migration to modern authentication.
  • Proven ability to onboard and maintain large numbers of enterprise applications, standardizing metadata, attribute mappings, and provisioning workflows.
  • Experience with HRIS-driven JML processes, SCIM or API-based provisioning and deprovisioning, orphaned account controls, and access recertification support.
  • Policy design, testing, rollout, and exception handling experience, including passwordless authentication approaches such as FIDO2 and passkeys.
  • Exposure to regulated environments (e.g., HIPAA, SOC 2) and experience supporting audits.
  • Experience using REST APIs or Microsoft Graph API for advanced automation and reporting.
  • Bachelor's degree in Computer Science, Engineering, or a related field, or equivalent practical experience.
  • Excellent written and oral communication skills.
  • Strong critical thinking, analytical reasoning, and thought leadership skills.
  • Ability to bridge engineering, product, security, and operations teams to align on goals and foster a culture of shared responsibility.
  • Project management skills.

Responsibilities

  • Operate and improve hybrid identity (on-prem Active Directory and Entra ID), directory synchronization, and domain/namespace hygiene; plan and execute a staged migration toward an Entra-first model.
  • Lead deprecation of legacy authentication schemes (e.g., ADFS where appropriate), migrate applications to modern federation protocols (SAML, OAuth, OIDC), and document cutover and rollback procedures.
  • Own intake and integration patterns for single sign-on (SSO) across enterprise and third-party applications; enforce standards for claims, groups, roles, and provisioning, and maintain a service catalog.
  • Implement and maintain HR-driven joiner, mover, and leaver (JML) workflows using SCIM, APIs, or ETL processes, including authoritative source mapping, attribute governance, and automated access grants and revocations.
  • Design role-based access control (RBAC) models and dynamic group strategies; codify least-privilege access patterns across directories, applications, and data.
  • Engineer policies for device and user risk, network and location-based controls, and session management; manage authentication methods such as push notifications, TOTP, FIDO2, passkeys, and certificate-based authentication.
  • Define the roadmap for passwordless authentication adoption, implement solutions for targeted populations, and track adoption, support needs, and exceptions.
  • Build and maintain automation using Python and PowerShell for provisioning, policy enforcement, reporting, and configuration drift detection; manage scripts and runbooks in source control.
  • Publish standards, reference integrations, and training materials for IT, HR, and application teams; provide office hours and targeted workshops.
  • Maintain compliance in assigned required training and all training required by state/province or other regulating authorities as applicable to this role to ensure that Sunrise standards are always met.
  • Perform other duties as assigned.

Benefits

  • Medical, Dental, Vision, Life, and Disability Plans
  • Retirement Savings Plans
  • Employee Assistance Program / Discount Program
  • Paid time off (PTO), sick time, and holiday pay
  • myFlexPay offered to get paid within hours of a shift
  • Tuition Reimbursement
  • In addition to base compensation, Sunrise may offer discretionary and/or non-discretionary bonuses. The eligibility to receive such a bonus will depend on the employee's position, plan/program offered by Sunrise at the time, and required performance pursuant to the plan/program.