Description

Department Overview

The Identity Services team within the University of Virginia (UVA) Information Technology Services (ITS) designs, operates, and evolves the University’s core identity and access management (IAM) ecosystem. These services provide the foundation for secure authentication, authorization, and access governance across UVA’s academic, research, and administrative systems, supporting the University’s mission of teaching, research, and public service.

Identity Services operates in a complex higher-education environment that emphasizes federated trust, shared governance, and community-driven standards. Our work aligns closely with Internet2 and InCommon best practices to deliver scalable, sustainable identity solutions.

Position Summary

The University of Virginia seeks an Identity Services Engineer to serve as a senior individual contributor within the Identity Services team. This role is critical to the secure operation, integration, and continuous improvement of UVA’s enterprise IAM platforms.

The Identity Services Engineer provides deep, hands-on technical expertise across identity governance, authentication, authorization, and access lifecycle services. This position is well-suited for an experienced IAM practitioner who values technical ownership, operational excellence, and alignment with higher-education IAM architectures, without expectations of people management.

Apply at: https://jobs.virginia.edu/us/en/job/R0079927/Identity-Services-Engineer

Responsibilities

Identity & Access Management Engineering

• Design, configure, customize, and support enterprise IAM platforms, including Grouper, Fischer Identity, Shibboleth Identity Provider, and Delinea PAM.
• Implement and maintain group- and attribute-based access models (RBAC, ABAC, PBAC) that support institutional policy, delegated administration, and least-privilege access.
• Serve as a senior technical contributor for Grouper, including attestation workflows, GSH templates, ABAC implementations, and integration patterns.
• Support identity governance and lifecycle processes using Fischer Identity, including integrations with authoritative sources and downstream systems.
• Operate and troubleshoot federated authentication and single sign-on services using SAML, OIDC, and OAuth2, aligned with InCommon trust frameworks.
• Integrate IAM services with LDAP registries, Active Directory, databases, and enterprise applications.

Security, Compliance, & Operations

• Support and integrate privileged access management workflows using Delinea.
• Diagnose and resolve complex IAM issues spanning directories, authentication flows, access policies, and application integrations.
• Contribute to secure-by-design IAM architectures that support regulatory and contractual requirements, including FERPA, HIPAA, PCI-DSS, and research data protections.

Collaboration & Service Integration

• Partner with application teams, infrastructure groups, and security stakeholders to onboard services and improve access consistency.
• Contribute to testing, change management, and promotion of updates across development, QA, and production environments.
• Maintain clear technical documentation for configurations, customizations, and operational procedures.
• Participate in a shared on-call rotation, supported by strong documentation and team practices.

Minimum Qualifications

• Five or more years of professional experience supporting or engineering identity and access management systems.
• Hands-on experience with one or more IAM platforms commonly used in higher education, such as Grouper, Shibboleth, Fischer Identity, or Microsoft Entra ID.
• Strong understanding of IAM concepts, including authentication, authorization, access lifecycle management, and identity governance.
• Experience working with LDAP directories and/or Active Directory in production environments.
• Proficiency with Linux-based systems and the ability to troubleshoot integrated, distributed services.

Preferred Qualifications

• Familiarity with the InCommon Trusted Access Platform (TAP) and community-driven IAM architectures, including meaningful hands-on experience with Grouper and Shibboleth.
• Experience operating federated identity services in a research or academic context.
• Experience integrating IAM platforms with ERP, LMS, research, or administrative systems.
• Exposure to containerized deployments such as Docker Swarm or Kubernetes.
• Experience with CI/CD pipelines or configuration-as-code approaches.
• Experience with privileged access management tools or workflows.
• Identity-related certifications (e.g., IDPro, IMI) or active participation in the higher-education IAM community.
  
  

Essential Skills

• Ability to independently analyze and resolve complex technical problems.
• Strong written and verbal communication skills, particularly for documenting systems and collaborating across teams.

Physical Demands

• This role is primarily sedentary, involving extensive use of desktop computers.

Requirements

Minimum Qualifications

• Five or more years of professional experience supporting or engineering identity and access management systems.
• Hands-on experience with one or more IAM platforms commonly used in higher education, such as Grouper, Shibboleth, Fischer Identity, or Microsoft Entra ID.
• Strong understanding of IAM concepts, including authentication, authorization, access lifecycle management, and identity governance.
• Experience working with LDAP directories and/or Active Directory in production environments.
• Proficiency with Linux-based systems and the ability to troubleshoot integrated, distributed services.

Preferred Qualifications

• Familiarity with the InCommon Trusted Access Platform (TAP) and community-driven IAM architectures, including meaningful hands-on experience with Grouper and Shibboleth.
• Experience operating federated identity services in a research or academic context.
• Experience integrating IAM platforms with ERP, LMS, research, or administrative systems.
• Exposure to containerized deployments such as Docker Swarm or Kubernetes.
• Experience with CI/CD pipelines or configuration-as-code approaches.
• Experience with privileged access management tools or workflows.
• Identity-related certifications (e.g., IDPro, IMI) or active participation in the higher-education IAM community.