TC_CS_IAM_AM_Forgerock

At EY, you’ll have the chance to build a career as unique as you are, with the global scale, support, inclusive culture and technology to become the best version of you. And we’re counting on your unique voice and perspective to help EY become even better, too. Join us and build an exceptional experience for yourself, and a better working world for all. 

The opportunity

We’re looking for Senior Consultant in the Technology Consulting team to work on various Identity and Access Management projects for our customers across the globe. Also, the professional shall need to report any identified risks within engagements and share any issues and updates with senior members of the team.
In line with EY’s commitment to quality, you’ll confirm that work is of the highest quality as per EY’s quality standards and is reviewed by the next-level reviewer. As an influential member of the team, you’ll help to create a positive learning culture, coach and counsel junior team members and help them to develop.

Your key responsibilities

•    Engage and contribute to the Identity & Access Management projects 
•    Work effectively as a technical lead, sharing responsibility, providing support, coaching juniors in team, maintaining communication and updating stakeholders team members on progress
•    Assists customer organizations with planning and implementing complex architecture solutions
•    Execute the engagement requirements, along with review of work done by junior team members 
•    Able to create, plan, and execute advanced IAM trainings and independently drive proof of concepts involving emerging IAM technologies
•    Use case design, Solution Requirements Specification, and mapping business requirements to technical requirements (Traceability Matrix).
•    Architecture Design (optimising the resources made available – servers and load sharing etc.).
•    Involvement in a successful pursuit of a potential client by being part of the RFP response team.
•    Should be implementing IAM engagements, including requirements gathering, analysis, design, development, and end-end deployment.
•    Develop and maintain productive working relationships with client personnel
•    Build strong internal relationships within EY Consulting Services and with other services across the organization
•    Help senior team members in performance reviews and contribute to performance feedback for staff/junior level team members 
•    Contribute to people related initiatives including recruiting and retaining IAM professionals
•    Maintain an educational program to continually develop personal skills by learning various IAM tools and latest skills
•    Automate the manual process in the IAM domain
•    Understand and follow workplace policies and procedures
•    Building a quality culture at GTH 
•    Manage the performance management for the direct reportee’s, as per the organization policies
•    Foster teamwork and lead by example
•    Training and mentoring of project resources
•    Participating in the organization-wide people initiatives

Technical Skills

•    Hands-on experience in end-to-end implementation of Single Sign On and MFA for enterprise and customer Identity and Access Management using either of the following industry leading products – Ping suite of products (PingFederate, Ping Access, PingONE), Okta, Auth0, ISAM, ForgeRock suite of products (OpenAM, OpenIDM, OpenDJ, OpenDS and ForgeRock Identity cloud).
•    Completed at least 2-3 implementations leveraging either of the products listed above or combination of above.
•    Strong understanding of access management fundamentals like Authentication, Authorization, MFA, SSO, Federation, and Directory Services concepts.
•    Good hands-on experience on SAML 2.0, OAuth 2.0, OIDC, WS-Fed protocols. 
•    Involved in end-to-end design and implementation of SSO architecture and designed various authentication, authorization, MFA and SSO use cases
•    Experience in migration from one tool to another, upgradation of above technologies, application onboarding leveraging tools listed above
•    Understanding of agile process
•    Have hands-on experience on any of cloud providers – Azure or AWS or GCP
•    Experience in scripting language - python, powershell, and bash
•    Source control tool -Git or Bitbucket
•    Hands-on Core Java development and debugging experience.
•    Skilled in mapping business requirements and coordinating in developing and implementing solution in line with the business requirements.
•    Experienced in creating Solution Requirements Specification, Design documents like HLD and LLD and mapping business requirements to technical requirements (Traceability Matrix), use case design etc
•    Good knowledge of information security, standards, and regulatory compliances.
•    Should be flexible to work on new technologies in this domain. 
•    Good troubleshooting experience in past engagements.

Ping Suite:

PingFederate:
•    Expertise in designing and implementing highly available and scalable PingFederate architectures
•    Installing PingFederate on cloud providers or using installing using docker and Kubernetes
•    Proficiency in integrating PingFederate with external identity providers (IdPs) and service providers (SPs) using custom protocols and connectors
•    Ability to architect and implement complex federation scenarios involving multiple trust relationships and federation standards
•    Experience in developing and implementing custom authentication (adapter, PCV or selectors) and authorization plugins for PingFederate
•    Strong understanding of SAML (Security Assertion Markup Language) and OAuth protocols
•    Experience on design and development of OGNL expressions
•    Proficiency in configuring and managing high-performance identity bridges to integrate diverse identity systems.
•    Expertise in troubleshooting complex issues related to SSO, federation, and attribute mapping in PingFederate deployments.
•    Ability to perform performance tuning and optimization of PingFederate configurations for large-scale environments.
•    Familiarity with integrating PingFederate with identity governance and user lifecycle management solutions
•    Experience in integrating PingFederate with cloud-based applications and platforms, including SaaS and PaaS
•    Proficiency in scripting and automation using PingFederate APIs and command-line tools for configuration and administration
•    Strong understanding of planning and execution to upgrade PingFederate
•    Experience in managing Certificate & Key Management
•    Should have knowledge of API security

PingAccess:
•    In-depth knowledge of web access management (WAM) concepts and architectures.
•    Expertise in configuring and managing policy-based access control using PingAccess.
•    Ability to design and implement complex access control rules and policies in PingAccess
•    Proficiency in integrating PingAccess with external identity providers (IdPs) and directory services
•    Experience in implementing secure reverse proxy and API gateway functionality using PingAccess
•    Knowledge of advanced features in PingAccess, such as dynamic authorization, fine-grained access control, and attribute-based access control (ABAC)
•    Ability to troubleshoot and resolve access-related issues in PingAccess deployments
•    Familiarity with integrating PingAccess with web application firewalls (WAFs) and other security infrastructure components.
•    Experience in implementing single sign-on (SSO) and session management for web applications using PingAccess
•    Proficiency in configuring and managing high-availability and load-balanced PingAccess deployments.
•    Knowledge of scripting and automation using PingAccess APIs and command-line tools for configuration and administration.
•    Protected APIs in PingAccess using OAuth protocol

PingOne:
•    Understanding of cloud-based identity and access management (IAM) solutions.
•    Strong understanding of SAML (Security Assertion Markup Language) and OAuth protocols
•    Proficiency in configuring and managing user identities and access policies in PingOne.
•    Proficiency in integrating PingOne with on-premises identity sources, such as Active Directory, LDAP, or HR systems
•    Proficiency in configuring and managing user attribute mapping and synchronization in PingOne
•    Ability to configure and manage user provisioning and deprovisioning processes in PingOne.
•    Ability to configure and manage advanced authentication methods, such as biometric authentication or hardware tokens.
•    Knowledge of integrating PingOne with third-party identity providers and social login platforms
•    Familiarity with configuring and managing user self-registration and self-service capabilities in PingOne
•    Knowledge of auditing and reporting capabilities in PingOne for compliance and governance requirements.
•    Experience in integrating PingOne with various cloud services – PingOne Risk, PingOne Authorize, or PingOne DaVinci
•    Understanding of identity lifecycle management and user role-based access control in PingOne.
•    Proficiency in configuring and managing security settings and policies in PingOne.
•    Experience in troubleshooting and resolving issues related to user authentication and access in PingOne deployments

PingOne Advanced Services:
•    Strong understanding of PingFederate and PingOne
•    Experience in migrating PingFederate or PingAccess from existing solution to PingOne Advanced services
•    Experience in onboarding application, creating adapter, PCV, ATM, or mapping Okta
•    Hands-on experience on Directory level integration with Okta for AD, LDAP, Azure AD, Oracle AD.
•    Good Understanding on IWA, SWA and Okta Workflows.
•    Hands-on experience on Okta APIs and good understanding of XML, HTML, CSS
•    Should be knowledge on Okta Access Gateway, Okta Advance Server Access and SCIM.
•    Hands-on experience on developing custom UI pages, branding and email template as per business needs. 
•    Should be knowledge on Okta Access Gateway, Okta Advance Server Access and SCIM.
•    Hands-on experience on developing custom UI pages, branding and email template as per business needs
•    Experience and knowledge on Okta classic engine and Okta Identity engine
•    Experience over integration of on-prem and legacy applications with Okta
•    Working knowledge on multi-factor authentication, Security Rules, Policies and Provisioning.
•    Hands-on experience in troubleshooting the issues related with Okta and any other AM specific tools
•    Basic AD and LDAP Functionality authentication, authorization.
•    Experience in Directory Integration with Okta.
•    Experience in troubleshooting the access related issue reported by application team.

ForgeRock Suite:

ForgeRock Access Management or OpenAM:

•    Very good understanding of information security concepts with in-depth knowledge of IAM solutions and latest trends with ForgeRock OpenAM, OpenDS and OpenIDM.
•    Application Onboarding experience on ForgeRock OpenAM using protocols such as OIDC1.0, OAuth2.0 and SAML2.0.
•    Customization of Authentication Nodes/Modules using JavaScript & Groovy Script.
•    Implementation of ForgeRock OpenAM functionalities using Admin Console and Amster scripts.
•    Customization of Attributes and modification of LDAP files in ForgeRock OpenDS.
•    Automation of ForgeRock AM implementation using backend scripts, Json files & Github repository.
•    Experience in installation, configurations, version upgrades and migration
•    Hands-on experience with Authentication Trees.
•    Knowledge/working experience on ForgeRock Identity cloud

ForgeRock IDM or OpenIDM:
•    Hands-On experience with customization of ForgeRock IDM, connector development, writing scripts and building of ForgeRock workflows
•    Connection to authorized sources/connection through installation/configuration of connectors to destination targets 
•    Hands-On experience with roles & assignments in IDM
•    Good conceptual and working knowledge around Workflow, Approval process, Certification process, Password policies
•    Hands-on expertise with customization by developing custom code using Java
•    Basic Java, J2EE, groovy scripting, JavaScript hands on development
•    Concept of reconciliation, live sync, attribute mapping
•    Ability to Install, Troubleshoot Configure: Directory Services, Application Server, Identity Tool and connector development
•    Knowledge/working experience on ForgeRock Identity cloud

Auth0:
•    Knowledge of Auth0 dashboard along with administration knowledge e.g. configure and manage advanced security features in Auth0, including multi-factor authentication (MFA), password policies, and brute-force protection.
•    Experience in Universal login page and customizing the text prompts and error messages.
•    Hands on experience in Multi factor authentication like WebAuthn with FIDO2 Biometric, Custom Send phone message action, Push notification.
•    Thorough understanding of Auth0 functionalities along with knowledge of features
•    Designing and implementing custom user flows using rules and actions within Auth0.
•    Develop database scripts when using custom database in Auth0
•    Hands-on experience with the Auth0 management APIs and knowledge of related technologies such as JavaScript, JSON, and REST APIs.
•    Implementation of protocols such as SAML, OAuth, and OpenID Connect on Auth0.
•    Knowledge of building web applications using the Express NodeJS framework
•    Knowledge of JavaScript testing frameworks such as Mocha, Chai, and Jest for unit testing and integration testing of Express applications.
•    Experience with using tools such as Postman and Swagger for API testing and documentation.
•    Develop solution in user migration from external system/store to Auth0 store using bulk import or trickle migration.
•    Ability to view and analyse logs and metrics in the Dashboard, including user activity, authentication success rates, and error messages.
•    Experience with customizing the look and feel of the Auth0 login page and other UI components, including the use of custom HTML, CSS, and JavaScript.
•    Knowledge of Auth0 deploy CLI and webtask 
•    Experience with using DevOps and automation tools such as Git, Jenkins, and Ansible to automate configuration and deployment of Auth0.
•    Developing custom script/solution using Auth0 APIs and NodeJS.
•    Understanding of Adaptive MFA and its policies.
•    Experience in using Real-time webtask logs to check the logs for troubleshooting.

ISAM:
•    Hands-on experience on IBM Security Access Manager or IBM Security Verify Access end-to-end implementation involving requirement gathering, designing, implementation, customization and testing.
•    Completed at least 2-3 implementations on ISAM products
•    Understanding and experience in different technology of ISAM/ISVA, CIAM, EIAM.
•    Implementation experience in Web Module, Federation Module and Advance Access control module of IBAM/ISVA, LDAP/AD, Application Integrations for SSO and multi-factor authentication
•    Working experience in application integration with header-based, SAML2.0, OIDC, OAuth2.0, WS-Fed protocols
•    Onboarding and offboarding applications on ISAM/ISVA appliance
•    Experience in social login and 3rd party identity provider integration with ISAM/ISVA.
•    Implementing Federated Single Sign-On using various open standards, particularly Security Assertion Markup Language (SAML) and OpenID.
•    OAuth protocol.
•    One-time password, Risk-based access and other Multi-Factor Authentication features of ISAM.
•    Java development such as development of custom security token service (STS) modules for custom Extended Authentication Interface (EAI) for ISAM, etc.
•    Representational State Transfer (REST)interfaces. JavaScript and XSL (Extensible Stylesheet Language), Hands on experience with Automation using IBM Ansible roles skills are a plus.

Good to have:

•    Good understanding of IGA and PAM concepts and technologies like SailPoint, Saviynt, CyberArk etc covering broader IAM domain. 
•    Very good understanding of information security concepts with in-depth knowledge of IAM solutions and latest trends.
•    Knowledge and understanding of customer Identity and Access Management (CIAM) solution along with Fine-grained authorization, Password less authentication, Orchestration, Decentralized identities etc
•    Understanding of latest technology such as Zero trust framework
•    Hands-on knowledge of any programming language Java or Python with good understanding of PowerShell.
•    Should be familiar with application servers such as Tomcat and IIS.
•    Should have had direct client experience, including working with client teams in an on-site or offshore mode.
•    Involvement in a pre-sales activity and helped in responding to RFP’s.

To qualify for the role, you must have

•    B. Tech./ B.E. with sound technical skills 
•    Strong command on verbal and written English language.
•    Experience in HTML, CSS and JavaScript.
•    Experience in Core Java, Python and JavaScript/Groovy Script.
•    Strong communication, presentation and interpersonal skills.
•    4-6 years of relevant Work Experience on above technologies

Certification:
•    Desirable to have certifications in security domain, such as CISSP and CISA or any IAM product specific certifications
•    Desirable to have product professional certifications like – Ping certifications – Level 1 to 4, ForgeRock AM (AM-100, AM-400, AM-410 or AM-421) ForgeRock IDM and ForgeRock Identity cloud certifications, Okta certifications etc

What working at EY offers

At EY, we’re dedicated to helping our clients, from start–ups to Fortune 500 companies — and the work we do with them is as varied as they are.
You get to work with inspiring and meaningful projects. Our focus is education and coaching alongside practical experience to ensure your personal development. We value our employees and you will be able to control your own development with an individual progression plan. You will quickly grow into a responsible role with challenging and stimulating assignments. Moreover, you will be part of an interdisciplinary environment that emphasizes high quality and knowledge exchange. Plus, we offer:

•    Support, coaching and feedback from some of the most engaging colleagues around
•    Opportunities to develop new skills and progress your career
•    The freedom and flexibility to handle your role in a way that’s right for you

EY | Building a better working world 

 
EY exists to build a better working world, helping to create long-term value for clients, people and society and build trust in the capital markets.  

 
Enabled by data and technology, diverse EY teams in over 150 countries provide trust through assurance and help clients grow, transform and operate.  

 
Working across assurance, consulting, law, strategy, tax and transactions, EY teams ask better questions to find new answers for the complex issues facing our world today.