simspace-corporation - Staff Software Engineer, Identity & Access Management

Remote - USA · $185k - $260k + Equity · 2mo ago
Remote · Staff · NA · Software · Software Engineer · Staff Engineer · Project Planning · Kubernetes

Requirements

In this position, you'll own the architecture and technical strategy for the IAM stack, partnering with engineering teams across the organization to establish authn/authz standards and ensure consistent, secure access patterns throughout the SimSpace platform. The focus is on software engineering leadership — designing and building the services that underpin identity and access management at SimSpace, solving hard problems, and raising the engineering bar across the team.

Specifically, this position will be responsible for:

• Identity Provider architecture and service development built on Keycloak
• Authorization policy design and enforcement using a Relationship-Based Access Control (ReBAC) model implemented in Topaz/OPA
• Design and development of IAM-adjacent services including directory services, user management, and other platform integrations that augment the core identity stack
• Cross-team authn/authz standards, patterns, and platform integrations

WHAT WILL YOU BE DOING AS A STAFF SOFTWARE ENGINEER, IAM AT SIMSPACE?

• Define and own the technical architecture for authentication and authorization across the SimSpace platform, ensuring systems are secure, scalable, and maintainable.
• Lead the design and development of Keycloak-based identity infrastructure, including federation, SSO, token management, and multi-tenant identity flows — multi-tenancy is a core architectural concern and experience designing systems with strong tenant isolation is highly valued.
• Design and build the authorization layer for the SimSpace platform — including policy enforcement using a Relationship-Based Access Control (ReBAC) model (currently implemented with Topaz/OPA), authorization services, and the software infrastructure needed to deliver consistent, fine-grained access control across platform services. An understanding of ReBAC and how it differs from RBAC and ABAC models is essential.
• Design and build new services that extend and augment the IAM stack — including directory services, user management services, and other components that integrate with or enhance Keycloak and Topaz.
• Establish and evangelize cross-team authn/authz standards, providing technical guidance to engineering teams consuming IAM services to ensure correct and secure integration patterns.
• Partner with technical leaders across the organization to translate business and security requirements into clear technical roadmaps and executable implementation plans.
• Lead project scoping and estimation for new initiatives — breaking down ambiguous requirements into well-defined work, producing credible SWAGs early in the process, and driving planning that the team can execute against with confidence.
• Identify and drive resolution of systemic technical risk, performance bottlenecks, and security gaps within the IAM stack.
• Actively contribute to architectural review processes, raising the quality bar across the broader engineering organization.
• Mentor and grow senior engineers on the IAM team, sharing deep expertise in software design, identity protocols, and security patterns.

• Experienced Staff or Senior Software Engineer with a strong background in building platform or infrastructure services, with meaningful exposure to identity and access management concepts.
• Proven ability to design, build, and ship production-grade distributed services — comfortable owning the full software development lifecycle from architecture through delivery.
• Solid understanding of authentication protocols (OAuth 2.0, OIDC, SAML) and authorization patterns, with enough hands-on experience to make sound engineering decisions around identity systems.
• Experience with Keycloak or comparable identity providers is a plus; willingness to develop deep expertise in Keycloak, Topaz/OPA, and adjacent technologies is essential.
• Demonstrated ability to drive technical standards and architectural decisions across multiple teams, balancing idealism with pragmatic delivery.
• Strong project scoping and estimation instincts — able to SWAG a new initiative quickly, break it into meaningful milestones, and produce plans that are realistic without being over-engineered. Contributes actively to quarterly planning cycles, helping the team arrive at commitments that are grounded in technical reality.
• Strong communicator who can translate complex security and identity concepts for both technical and non-technical audiences.
• Proficient in modern software engineering practices: API design, service decomposition, testing strategies, and CI/CD.
• Experience with Kubernetes and modern container-based infrastructure as the environment in which these services operate. Comfort with self-hosted, on-premises infrastructure is a strong plus — SimSpace operates its own data centers and candidates should be prepared for the operational realities that come with that.
• Experience working in security-sensitive or compliance-driven environments (DoD, FedRAMP, SOC 2, or similar) is a strong plus.

We’re proud to offer a competitive and comprehensive package designed to support your well-being, growth, and success:
