Start date:
05.01.2026
End date:
June 2026 + option
Employment type:
Freelance
Region:
Remote and Berlin
Description:
For our client in Berlin we are looking for an IAM Keycloak Engineer (m/f/d) starting 05.01.2026, for an expected duration until June 2026 with the option of extension.
Your tasks:
- Implementation of RBAC/ABAC policies and multi-realm setups.
- Give recommendations on mapping Kerberos/IPA identities and groups into Keycloak realms, roles, and clients.
- Consulting on the configuration of SSO flows, MFA, and identity federation.
- Deployment of Keycloak on VMs, Docker, or Kubernetes (OpenShift or bare-metal K8s).
- Configuration of Keycloak for OIDC, OAuth2, SAML, Kerberos/LDAP federation.
- Providing integration with IPA/LDAP/AD for identity sync and federation.
- Give recommendations on securing Keycloak with TLS (Vault-issued or enterprise CA certificates).
- Deployment of Keycloak on GKE with Helm/Operators, handling Ingress, SSL termination, and HA scaling.
- Integration of Keycloak with Google Identity as an IdP or broker.
- Mapping Keycloak roles to GCP IAM roles for workload access control.
- Configuration of multi-realm, multi-tenant setups for hybrid cloud and on-prem workloads.
- Configuration of Vault for securing Keycloak’s operational secrets (DB passwords, admin credentials, service accounts).
- Implementation of dynamic secrets for Keycloak DB backends (e.g., Postgres via Vault).
- Integration of Vault Agent or Sidecar injector for secret injection into Keycloak pods (on GKE or K8s on-prem).
- Applying rotation policies to minimize secret sprawl and human error.
- Deployment and automation of Keycloak and Vault with Terraform, Helm, or Ansible.
- Consulting on securing Keycloak with Vault-issued certificates and secrets.
- Use Keycloak REST API or Terraform provider to automate realm/client configuration.
- Integration of IAM + Vault into CI/CD pipelines for consistent app onboarding.
- Troubleshooting of token flows, federation errors, and expired certs.
- Monitoring of both platforms with Prometheus, Grafana.
- Management of incident response: expired certs, Vault unseal failures, migration issues with IPA.
Your requirements:
- Experience in the usage of auth protocols (OIDC, OAuth2, SAML, Kerberos, LDAP).
- Experience with Keycloak deployment (VM, K8s, GCP optional).
- Experience with Vault integration for secrets.
- Experience with Terraform/Helm/ArgoCD automation.
- Expertise in troubleshooting hybrid IAM flows.
- Experience with auth/authz protocols, basic federation strategies, and automation tools.
- Language: fluent English (C1).
Preferred experience:
- Experience with cloud services and their configuration.
- Knowledge of IAM solutions based on OpenID Connect (OIDC), such as Keycloak, for auth backends.
- Fluent in German.
- Working with Scrum and general experience in agile frameworks.