Overview
About PHOENIX
PHOENIX Retail LLC is a retail platform operating the Express and Bonobos brands worldwide. Express is a multichannel apparel brand dedicated to a design philosophy rooted in modern, confident and effortless style, whether dressing for work, everyday or special occasions. Bonobos is a menswear brand known for being pioneers of exceptional fit and a personalized, innovative retail model. Customers can experience our brands in over 400 Express retail and Express Factory Outlet stores, 50 Bonobos Guideshops and online at.
About Express
Express is a multichannel apparel brand dedicated to creating confidence and inspiring self-expression. Since its launch in 1980, the brand has embraced a design philosophy rooted in modern, confident and effortless style. Whether dressing for work, everyday or special occasions, Express ensures you look and feel your best wherever life takes you.
The Company operates over 400 retail and outlet stores in the United States and Puerto Rico, the store and the Express mobile app.
Responsibilities
The Senior Identity & Access Management Engineer will architect, implement and optimize enterprise-wide identity governance solutions with primary focus on the Okta platform across corporate, multi-tenant and disaster recovery environments. This role serves as a strategic technical leader working cross-functionally with security, compliance and application teams to design and execute the IAM roadmap. The position requires deep expertise in identity lifecycle management, access governance, authentication protocols and enterprise SSO/MFA implementations supporting complex, large-scale production environments.
KEY RESPONSIBILITIES
- Lead enterprise Okta administration and governance across several integrated applications and services, including Universal Directory, lifecycle management and advanced authentication policies
- Architect and implement identity federation solutions using SAML 2.0, OAuth 2.0, OIDC and WS-Federation protocols for SaaS, PaaS and on-premises applications
- Design and manage Active Directory integration strategies, including Okta AD Agent deployment, directory synchronization and delegated authentication architectures
- Oversee identity provisioning and deprovisioning workflows using Okta Lifecycle Management, SCIM protocols and API-driven automation for seamless user lifecycle governance
- Lead SSO implementation projects for new application onboarding, including technical discovery, integration design, testing and production deployment
- Develop and enforce adaptive MFA policies using Okta Verify, contextual access controls and risk-based authentication frameworks
- Manage Okta tenant architecture across multiple environments (production, DR, development), ensuring high availability and disaster recovery capabilities
- Collaborate with Security and Compliance teams on identity governance initiatives, including access reviews, separation of duties and privileged access management
- Design and implement API-driven automation using PowerShell, Python and Okta APIs for identity operations, reporting and integration workflows
- Lead technical troubleshooting of complex SSO, authentication and authorization issues across heterogeneous enterprise environments
- Partner with application development teams to integrate modern authentication patterns and zero-trust architecture principles
- Maintain and optimize Azure AD/Entra ID integration with Okta for hybrid identity scenarios
- Develop comprehensive IAM documentation, including architecture diagrams, integration guides, runbooks and knowledge transfer materials
- Provide strategic guidance on identity security best practices, threat mitigation and compliance requirements (SOX, GDPR, SOC2)
REQUIRED EXPERIENCE & QUALIFICATIONS
- Education: Bachelor's Degree in Computer Science, Information Security or equivalent professional experience
- Years of Experience: 7-10 years in identity and access management with enterprise-scale implementations
- Okta Expertise: Minimum 3-5 years hands-on experience administering the Okta platform, including Universal Directory, SSO, MFA, Lifecycle Management and API Gateway
- Identity Protocols: Strong expertise in SAML, OAuth 2.0, OIDC, LDAP, SCIM and Kerberos authentication protocols
- Active Directory: 5 years enterprise AD administration, including forest design, group policy, domain trust relationships and certificate services
- Automation & Scripting: Advanced PowerShell scripting for identity automation; experience with Python, REST APIs and CI/CD pipelines preferred
- Cloud Identity: Experience with Azure AD/Entra ID, Microsoft 365 identity management and hybrid identity architectures
- Certifications: Okta Certified Professional or Okta Certified Administrator strongly preferred; additional certifications (CISSP, CISM, Azure certifications) a plus
CRITICAL SKILLS & ATTRIBUTES
- Strategic thinking with ability to translate business requirements into scalable IAM architecture solutions
- Proven track record leading complex identity integration projects from conception through production deployment
- Strong understanding of zero-trust security principles and identity-centric security frameworks
- Exceptional problem-solving skills for complex authentication and authorization scenarios
- Experience with ITIL/ITSM frameworks and incident/change management processes
- Excellent documentation skills with ability to create technical architecture diagrams and process workflows
- Strong communication skills to collaborate with diverse technical and non-technical stakeholders
- Ability to mentor junior team members and provide technical leadership
- Flexibility to support off-hours implementations and participate in on-call rotation for critical IAM services
- Experience with identity governance and administration (IGA) platforms a plus
Closing
If you would like to know more about the California Consumer Privacy Act click here.
An equal opportunity employer, PHOENIX does not discriminate in recruiting, hiring or any other terms and conditions of employment hiring on the basis of any federal, state or locally protected characteristic. PHOENIX only hires individuals authorized for employment in the United States. PHOENIX is committed to providing reasonable accommodation to individuals with disabilities. If you need an accommodation to search and apply for a job position due to a disability, please call 1- and say Associate Relations or send an e-mail to and let us know the nature of your request and your contact information.
Notification to Agencies: Please note that PHOENIX does not accept unsolicited resumes or calls from third-party recruiters or employment agencies. In the absence of a signed Master Service Agreement and approval from HR to submit resumes for a specific requisition, PHOENIX will not consider or approve payment to any third-parties for hires made.
Required Experience:
Senior IC