IAM Engineer (m/f/d)
Project assessment
The project posting gives a very detailed insight into the IAM Engineer role, with clear tasks, technologies and requirements, an attractive hourly rate of 70€, and a flexible working model with 50% remote and 50% on site in Frankfurt or Berlin.
For our client I am looking for an IAM Engineer (m/f/d) for a remote project & Frankfurt.
General Description
The IAM Service is responsible for the conception and design of identity and access management (IAM) services for the EDP platform. The primary goals are providing scalable, secure, and federated access to applications and ensuring seamless integration across the hybrid cloud environment.
Scope of Work
The Contractor shall not be subject to any instructions from the Client and/or its vicarious agents in the performance of the services it has assumed. Performance-related instructions that are necessary for the proper performance of the contract and compliance with project-related time specifications are not considered instructions in the above sense.
Objective 1: Core Identity & Access Management (IAM).
Tasks:
• Implementation of RBAC/ABAC policies and multi-realm setups.
• Give recommendations on mapping Kerberos/IPA identities and groups into Keycloak realms, roles, and clients.
• Consulting on the configuration of SSO flows, MFA, and identity federation.
Objective 2: Keycloak Integration (On-Prem + GCP).
Tasks:
• Deployment of Keycloak on VMs, Docker, or Kubernetes (OpenShift or bare-metal K8s).
• Configuration of Keycloak for OIDC, OAuth2, SAML, Kerberos/LDAP federation.
• Providing integration with IPA/LDAP/AD for identity sync and federation.
• Give recommendations on securing Keycloak with TLS (Vault-issued or enterprise CA certificates).
• Deployment of Keycloak on GKE with Helm/Operators, handling Ingress, SSL termination, and HA scaling.
• Integration of Keycloak with Google Identity as an IdP or broker.
• Mapping Keycloak roles to GCP IAM roles for workload access control.
• Configuration of multi-realm, multi-tenant setups for hybrid cloud and on-prem workloads.
Objective 3: Keycloak HashiCorp Vault integration.
Tasks:
• Configuration of Vault for securing Keycloak’s operational secrets (DB passwords, admin credentials, service accounts).
• Consulting on the use of Vault PKI engine to issue and rotate TLS certs for Keycloak and dependent services.
• Implementation of dynamic secrets for Keycloak DB backends (e.g., Postgres via Vault).
• Integration of Vault Agent or Sidecar injector for secret injection into Keycloak pods (on GKE or K8s on-prem).
• Applying rotation policies to minimize secret sprawl and human error.
Objective 4: Automation & DevOps.
Tasks:
• Deployment and automation of Keycloak and Vault with Terraform, Helm, or Ansible.
• Consulting on securing Keycloak with Vault-issued certificates and secrets.
• Use Keycloak REST API or Terraform provider to automate realm/client configuration.
• Integration of IAM + Vault into CI/CD pipelines for consistent app onboarding.
Objective 5: Troubleshooting & Monitoring.
Tasks:
• Troubleshooting of token flows, federation errors, and expired certs.
• Monitoring of both platforms with Prometheus and Grafana.
• Management of incident response: expired certs, Vault unseal failures, migration issues with IPA.
Must-have requirements (all are mandatory and must all be listed in the projects!):
• Experience in usage of auth protocols (OIDC, OAuth2, SAML, Kerberos, LDAP).
• Experience with Keycloak deployment across on-prem and hybrid cloud, integrating with Vault for secrets and PKI (VM, K8s, GCP optional).
• Experience with Vault integration for secrets and PKI.
• Experience with Terraform/Helm automation.
• Experience with troubleshooting hybrid IAM flows.
Must-have language skills:
• Language: fluent English (C1)
Preferred experience:
• Experience with cloud services and their configuration
• Knowledge about IAM solutions based on OpenID Connect (OIDC), such as Keycloak, for auth backends
• Fluent in German
• Working with Scrum and general experience in agile frameworks
• Good to have: resolving certificate/PKI-related errors in Keycloak with Vault integration
Period: from 20.10.2025 to 31.12.2025
Working model: 50% remote, 50% on site in Frankfurt or Berlin
Hourly rate: 70€ all-in
I look forward to receiving your profile, including availability.