Senior IAM Engineer

Overview

About PHOENIX

PHOENIX Retail, LLC is a retail platform operating the Express and Bonobos brands worldwide. Express is a multichannel apparel brand dedicated to a design philosophy rooted in modern, confident and effortless style whether dressing for work, everyday or special occasions. Bonobos is a menswear brand known for being pioneers of exceptional fit and a personalized, innovative retail model. Customers can experience our brands in over 400 Express retail and Express Factory Outlet stores, 50 Bonobos Guide shops, and online at

About Express

Express is a multichannel apparel brand dedicated to creating confidence and inspiring self-expression. Since its launch in 1980, the brand has embraced a design philosophy rooted in modern, confident and effortless style. Whether dressing for work, everyday or special occasions, Express ensures you look and feel your best, wherever life takes you.

The Company operates over 400 retail and outlet stores in the United States and Puerto Rico, the express.comonline store and the Express mobile app.

The Senior Identity & Access Management Engineer will architect, implement, and optimize enterprise-wide identity governance solutions with primary focus on Okta platform across corporate, multi-tenant, and disaster recovery environments. This role serves as a strategic technical leader working cross-functionally with security, compliance, and application teams to design and execute the IAM roadmap. The position requires deep expertise in identity lifecycle management, access governance, authentication protocols, and enterprise SSO/MFA implementations supporting complex, large-scale production environments.

KEY RESPONSIBILITIES

• Lead enterprise Okta administration and governance across several integrated applications and services, including Universal Directory, lifecycle management, and advanced authentication policies
• Architect and implement identity federation solutions using SAML 2.0, OAuth 2.0, OIDC, and WS-Federation protocols for SaaS, PaaS, and on-premises applications
• Lead enterprise Okta administration and governance across several integrated applications and services, including Universal Directory, lifecycle management, and advanced authentication policies
• Architect and implement identity federation solutions using SAML 2.0, OAuth 2.0, OIDC, and WS-Federation protocols for SaaS, PaaS, and on-premises applications
• Design and manage Active Directory integration strategies, including Okta AD Agent deployment, directory synchronization, and delegated authentication architectures
• Oversee identity provisioning and deprovisioning workflows using Okta Lifecycle Management, SCIM protocols, and API-driven automation for seamless user lifecycle governance
• Lead SSO implementation projects for new application onboarding, including technical discovery, integration design, testing, and production deployment
• Develop and enforce adaptive MFA policies using Okta Verify, contextual access controls, and risk-based authentication frameworks
• Manage Okta tenant architecture across multiple environments (production, DR, development) ensuring high availability and disaster recovery capabilities
• Collaborate with Security and Compliance teams on identity governance initiatives including access reviews, separation of duties, and privileged access management
• Design and implement API-driven automation using Power Shell, Python, and Okta APIs for identity operations, reporting, and integration workflows
• Lead technical troubleshooting of complex SSO, authentication, and authorization issues across heterogeneous enterprise environments
• Partner with application development teams to integrate modern authentication patterns and zero-trust architecture principles
• Maintain and optimize Azure AD/Entra n with Okta for hybrid identity scenarios
• Develop comprehensive IAM documentation including architecture diagrams, integration guides, runbooks, and knowledge transfer materials
• Provide strategic guidance on identity security best practices, threat mitigation, and compliance requirements (SOX, GDPR, SOC2)

REQUIRED EXPERIENCE & QUALIFICATIONS

• Education: Bachelor's Degree in Computer Science, Information Security, or equivalent professional experience
• Years of
  
  Experience:
  
  7-10+ years in identity and access management with enterprise-scale implementations
• Okta Expertise: Minimum 3-5 years hands‑on experience administering Okta platform including Universal Directory, SSO, MFA, Lifecycle Management, and API Gateway
• Identity Protocols: Strong expertise in SAML, OAuth 2.0, OIDC, LDAP, SCIM, and Kerberos authentication protocols
• Active Directory: 5+ years enterprise AD administration including forest design, group policy, domain trust relationships, and certificate services
• Automation & Scripting: Advanced Power Shell scripting for identity automation; experience with Python, REST APIs, and CI/CD pipelines preferred
• Cloud Identity: Experience with Azure AD/Entra , Microsoft 365 identity management, and hybrid identity…