Requisition ID: 1157
COMPANY OVERVIEW
Lalaith Astor Technical Consulting House (LATCH) provides technical consulting services to the US Federal Government. We provide dependable high-quality solutions as well as innovative architecture, engineering, and functional designs. Our core values enable us to bring unique viewpoints as we approach our work such as understanding and adopting the client’s mission; delivering technical solutions that are aligned to client goals, objectives, and budgets; empowering clients through systems engineering and technical assistance (SETA) services; and producing high quality, value-driven work products.
At LATCH, you’ll work with clients and a leadership team that empowers our people to think audaciously, welcomes differences, and encourages pride in our work while exposing and solving emerging challenges to meet impactful commitments.
JOB SUMMARY
LATCH is seeking a Senior Systems Engineer to provide hands-on expertise in integrating with Okta, developing Okta Workflows, working with APIs, and developing secure, standards-based identity and access management solutions. This position reports to the IAM Team Lead and is a key role in a fast-paced, Agile engineering team.
RESPONSIBILITIES AND DUTIES
Job responsibilities and duties will include, but are not limited to, the following:
- Designing and implementing identity federation, single sign-on (SSO) and multi-factor authentication (MFA) solutions, and privileged access management (PAM).
- Implementing integrations with Okta and supporting related identity protocols.
- Supporting application onboarding for authentication and authorization.
- Implementing, sustaining, and troubleshooting PAM solutions within a larger ICAM ecosystem.
- Enhancing and sustaining Just in Time (JIT) Provisioning solutions and Privileged Access Management (PAM) for USPTO’s enterprise identity environment, spanning Okta, Active Directory, USAccess, and integrated identity systems.
- Implementing, refining, and troubleshooting PAM and JIT policies, including attribute mapping, profile transformations, directory writes, federation-based triggers, and downstream provisioning updates.
- Building and maintaining Okta Workflows, inline hooks, and API-driven automations to support real-time identity lifecycle events (creation, update, disablement, deprovisioning).
- Collaborating with Senior ICAM Engineers to maintain secure, scalable identity federation and single sign-on (SSO) patterns that align with the enterprise identity architecture.
- Creating, modifying, and publishing APIs that support PAM, JIT provisioning, SCIM synchronization, and identity attribute orchestration across the enterprise.
- Supporting application onboarding efforts, ensuring each application is integrated with JIT, OIDC, OAuth2, or SAML as appropriate.
- Designing and maintaining attribute schemas, group rule logic, and directory synchronization patterns that support real-time access decisions.
- Conducting deep troubleshooting of provisioning failures, federation issues, JIT edge cases, and identity attribute conflicts using Okta System Logs, AD event logs, and custom instrumentation.
- Partnering with Enterprise Security, Directory Services, and Identity Governance teams to ensure JIT provisioning aligns with Zero Trust and identity assurance requirements.
- Producing high-quality technical artifacts, including ICAM diagrams, provisioning flows, SOPs, runbooks, and integration documentation.
- Mentoring junior identity engineers on JIT provisioning best practices, secure attribute handling, and Okta-centered automation strategies.
- Participating in Agile ceremonies, contributing to backlog refinement, sprint planning, and iterative delivery of identity enhancements.
REQUIRED QUALIFICATIONS AND SKILLS
The selected candidate must have the following qualifications and skills:
- Minimum 5+ years of Identity and Access Management (IAM) engineering experience supporting enterprise identity platforms.
- Minimum 15 years of experience in an IT position, such as systems administration, systems engineering, development, or identity management.
- Direct, hands-on experience designing, implementing, and troubleshooting privileged access management (PAM) solutions and Just in Time (JIT) Provisioning solutions in Okta or a comparable enterprise IdP (mandatory).
- Strong hands-on expertise with OIDC, including authorization flows, token handling, claims, and advanced configuration.
- Solid experience with authentication protocols SAML and OAuth 2.0, including advanced troubleshooting.
- Proven, hands-on experience with Okta Workflows, including subflows, error handling, API connectors, and lifecycle automation.
- Experience working with and developing APIs using modern tools and languages; ability to build or modify API-based automation to support JIT.
- Experience in Agile or DevOps environments with CI/CD workflows supporting identity integrations.
- Ability to write clear, concise technical documentation, diagrams, and system integration artifacts.
DESIRED QUALIFICATIONS AND SKILLS
It is desirable that the candidate has the following qualifications and skills:
- Experience implementing PAM, JIT, or SCIM provisioning for federated user populations (internal + external).
- Familiarity with cloud identity integration on AWS, Azure/Entra ID, or similar platforms.
- Working knowledge of Infrastructure as Code tools such as Terraform, especially the Okta provider.
- Experience supporting ICAM efforts in federal or regulated environments.
- Understanding of Zero Trust principles, identity lifecycle frameworks, and identity governance patterns.
- Familiarity with directory services (Active Directory, LDAP), group policy interactions, and directory write-back logic.
BONUS POINTS FOR
Not required, but these are the items that would help us choose between two equally top-ranked candidates:
- Experience designing or enhancing complex JIT provisioning flows involving multiple authoritative sources, multi-directory propagation, or real-time attribute resolution.
- Expertise in integrating Okta Inline Hooks (Token, Registration, SAML Assertion, Event) to augment JIT logic, including supporting serverless hook infrastructure (AWS Lambda or Azure Functions).
- Advanced proficiency implementing configuration-as-code for Okta (Terraform, CI/CD pipelines) to automate deployment of JIT logic, Workflows, and identity configurations.
- Experience integrating Okta event logs with SIEM platforms (Splunk preferred) to build provisioning dashboards, identity analytics, or automated remediation.
- Demonstrated ability to troubleshoot race conditions, attribute collisions, or inconsistent identity states in federated JIT environments.
REQUIRED EXPERIENCE
- 5+ years of relevant experience with Okta.
- 3+ years of relevant experience with privileged access management.
- 10+ years of relevant experience with systems engineering.
- 15+ years of relevant experience in IT fields.
- Bachelor’s degree in Computer Science, Information Systems, or a related field OR no degree with 13+ years of directly relevant systems and development experience.
SALARY
$165,000 – $175,000
BENEFITS
- 401(k)
- 401(k) Matching
- Dental Insurance
- Health Insurance
- Paid Time Off
- Parental Leave
- Professional Development Assistance
- Referral Program
- Vision Insurance
EDUCATION
Bachelor’s Degree preferred.
WORK LOCATION
Remote; within the USA
EEO STATEMENT
LATCH is an Equal Opportunity Employer.
All qualified applicants will receive consideration for employment without regard to race, color, religion, gender, sexual orientation, gender identity, marital status, age, national origin, protected veteran status, or disability.