Senior IAM Engineer (m/w/d) Keycloak, Vault & DevOps Automation - Remote & FFM or Berlin

Start date:

March 2026

End date:

30.06.2026 + option to extend

Employment type:

Freelance

Region:

Remote & FFM or Berlin


Description:

As part of an innovative platform project in the energy sector, we are looking, on behalf of our client, for support as a Senior IAM Engineer (m/w/d) Keycloak, Vault & DevOps Automation. The work is largely remote, with on-site presence in Frankfurt or Berlin roughly once a month for a few consecutive days, by arrangement.

 

General Description

The IAM Service is responsible for the conception and design of identity and access management (IAM) services for the platform. The primary goals are to provide scalable, secure, and federated access to applications and to ensure seamless integration across the hybrid cloud environment.

 

Objective 1: Core Identity & Access Management (IAM).

Tasks:

• Apply strong knowledge of authentication protocols: LDAP, Kerberos, OIDC, OAuth 2.0, SAML 2.0, SCIM.

• Implement RBAC/ABAC policies and multi-realm setups.

• Configure SSO flows, MFA, and identity federation.

 

Objective 2: Keycloak Integration (On-Prem + GCP).

Tasks:

• Deploy Keycloak on VMs, Docker, or Kubernetes.

• Configure Keycloak for OIDC, OAuth2, and SAML (including Kerberos/LDAP federation).

• Integrate with IPA/LDAP/AD/ADFS/Entra ID for identity sync and federation.

• Secure Keycloak with TLS.

• Deploy Keycloak on GKE and on-prem with Helm/Operators, handling Ingress, TLS termination, and HA scaling.

• Integrate Keycloak with Google Identity as an IdP or broker.

• Map Keycloak roles to GCP IAM roles for workload access control.

• Configure multi-realm, multi-tenant setups for hybrid cloud and on-prem workloads.

 

Objective 3: Keycloak and HashiCorp Vault integration.

Tasks:

• Configure Vault for securing Keycloak’s operational secrets (DB passwords, admin credentials, service accounts).

• Use Vault PKI engine to issue and rotate TLS certs for Keycloak and dependent services.

• Implement dynamic secrets for Keycloak DB backends (e.g., Postgres via Vault).

• Integrate Vault Agent, Vault Secrets Operator (VSO), External Secrets Operator (ESO), or the sidecar injector for secret injection into Keycloak pods (on GKE or on-prem K8s).

• Apply rotation policies to minimize secret sprawl and human error.

 

Objective 4: Automation & DevOps.

Tasks:

• Deploy Keycloak and Vault with Terraform, Helm, ArgoCD.

• Secure Keycloak with Vault-issued certificates and secrets.

• Use the Keycloak REST API or Terraform provider to automate realm/client configuration.

• Automate Keycloak + Vault with Terraform, Helm, or Ansible.

• Integrate IAM + Vault into CI/CD pipelines for consistent app onboarding.

 

Objective 5: Troubleshooting & Monitoring.

Tasks:

• Troubleshoot token flows, federation errors, and expired certs.

• Monitor both platforms with Prometheus and Grafana.

• Handle incident response: expired certs, Vault unseal failures, migration issues with IPA.

 

Profile Requirements

The IAM engineer should be able to deploy and operate Keycloak across on-prem and hybrid cloud, integrating with Vault for secrets. They must be fluent in auth/authz protocols, basic federation strategies, and automation tools, while being hands-on in troubleshooting hybrid IAM and secrets management in real-world production environments.

 

Must-have experience

• Strong knowledge of auth protocols (OIDC, OAuth2, SAML, Kerberos, LDAP).

• Expertise with Keycloak deployment (VM, K8s, GCP optional).

• Experience with Vault integration for secrets.

• Experience with Terraform/Helm/ArgoCD automation.

• Expertise in troubleshooting hybrid IAM flows.

• Good to have: resolving certificate/PKI-related errors in Keycloak with Vault integration.

 

Must-have language skills:

• Language: Fluent English – C1

 

Preferred experience

• Experience with cloud services and their configuration.

• Knowledge of IAM solutions based on OpenID Connect (OIDC), such as Keycloak, for auth backends.

• Fluent in German.

• Experience working with Scrum and general experience in agile frameworks.