Job Description

Company Description

Tradeweb Markets is a world leader in the evolution of electronic trading, a fintech company serving approximately 2,500 clients, including the world’s largest banks, asset managers, hedge funds, insurance companies, wealth managers and retail clients, in more than 65 countries across the globe. Since our first trade in 1998, we have helped transform and electronify the fixed income markets. Tradeweb is a culture built on innovation, creativity and collaboration. Through a combination of very talented and driven people, innovative products and solutions, cutting-edge technology, market data, and a vast network of clients, we continue to work together to improve the way financial markets trade.

Mission: Move first and never stop. Collaborate with clients to create and build solutions that drive efficiency, connectivity, and transparency in electronic trading.

Tradeweb Markets LLC ("Tradeweb") is proud to be an EEO Minorities/Females/Protected Veterans/Disabled/Affirmative Action Employer.

https://www.dol.gov/ofccp/regs/compliance/posters/pdf/eeopost.pdf

Group Details:

To support our continued growth, we are seeking a results-driven Senior IAM Engineer to join our Identity & Access Management team. This role will engineer and support client identity and authentication capabilities for the products our clients use, delivering secure, scalable, and auditable access.

The ideal candidate will design, implement, and troubleshoot client authentication and federation integrations using SAML 2.0, OIDC, and OAuth 2.0, including hands-on details such as claims/token design, JWKS and key rotation, session management, and secure integration patterns.

You will partner closely with product and engineering teams to standardize authentication and authorization approaches, implement conditional access and MFA/step-up authentication, and support JIT/SCIM provisioning where applicable. You will drive reliability improvements, resolve complex federation issues, and ensure solutions meet security and compliance requirements. Financial services experience and familiarity with SOX/GLBA/FFIEC are strongly preferred.

Job Responsibilities:

  • Design, implement, and operate CIAM capabilities for client-facing applications, balancing security, scalability, and user experience.
  • Build and support federated authentication and authorization using OIDC and OAuth 2.0 (and SAML where required), including client configuration, scopes, consent, redirect URI strategy, and token/claims design.
  • Own client identity flows such as registration, login, account linking, progressive profiling, and self-service account recovery, including secure handling of email/phone verification.
  • Implement strong authentication patterns for clients, including MFA, step-up authentication, risk-based/conditional access, and session management controls.
  • Integrate applications using modern provisioning and identity lifecycle patterns such as JIT provisioning and SCIM where applicable to client/partner ecosystems.
  • Define and enforce CIAM security standards: secure token lifetimes/refresh strategies, PKCE, key rotation/JWKS, secrets management, and protection against common auth attacks (replay, token theft, redirect abuse).
  • Partner with product and engineering teams to standardize CIAM integration patterns and embed identity into application architecture (roles/permissions, fine-grained authorization, and least privilege).
  • Troubleshoot complex production issues across the auth stack (tokens, redirects, cookies/sessions, upstream IdPs), drive root-cause analysis, and implement durable fixes.
  • Instrument and monitor CIAM services and client auth journeys (logging, metrics, alerting), improving reliability, latency, and conversion while maintaining security.
  • Produce and maintain technical documentation and runbooks for CIAM integrations and operational processes, supporting audits and incident response.
  • Support compliance and risk requirements by enabling evidence collection and reporting around authentication events, policy enforcement, and access anomalies.

Required Qualifications

  • Bachelor’s degree in Information Systems, Computer Science, Cybersecurity, or a related field (or equivalent practical experience).
  • 5+ years of experience in Identity and Access Management, with strong expertise in SSO and modern authentication for client-facing applications.
  • Strong, hands-on experience with OIDC and OAuth 2.0 (and SAML where required), including token/claims design, scopes, PKCE, redirect URI strategy, and key management (JWKS, rotation).
  • Experience designing and implementing end-to-end CIAM journeys: registration, login, account recovery, progressive profiling, and account linking.
  • Experience implementing modern authentication controls such as MFA, step-up authentication, conditional/risk-based access, and secure session management.
  • Working knowledge of user lifecycle automation patterns for client/partner ecosystems, including JIT provisioning and SCIM where applicable.
  • Ability to troubleshoot complex identity issues across distributed systems (cookies/sessions, redirects, tokens, upstream IdPs), perform root-cause analysis, and drive durable remediation.
  • Familiarity with security and compliance expectations in regulated environments (e.g., SOX, ISO 27001, NIST, GLBA) and how they influence authentication, logging, and access controls.
  • Strong written and verbal communication skills, with the ability to translate between product, engineering, security, and compliance stakeholders.
  • Experience producing clear technical documentation and diagrams (e.g., Confluence, Lucidchart/Visio), including integration runbooks, sequence flows, and configuration standards.
  • Highly organized and detail-oriented, with the ability to manage multiple concurrent integrations and production support priorities.

Preferred Qualifications

  • Proven experience leading or significantly contributing to enterprise-scale SSO/authentication initiatives, including rollout planning, migration/cutover strategies, and production hardening.
  • Deep hands-on experience implementing and operating complex federation patterns, including custom OIDC/OAuth configurations (scopes, policies, claims), SAML metadata/certificate management, and advanced sign-in policies (conditional access, step-up/MFA).
  • Experience designing and implementing authorization frameworks, including RBAC/ABAC, policy-based access control, permission modeling, and standards such as OAuth scopes, OIDC claims, and (where applicable) UMA or OPA-style policy engines.
  • Strong proficiency in scripting or programming for IAM/SSO automation and troubleshooting, using languages such as Python or Go, as well as tools like SQL or PowerShell (e.g., log analysis, token/claim validation, configuration automation).


Job Details

Role Level: Mid-Level
Work Type: Full-Time
Country: India
City: Bengaluru, Karnataka
Company Website: http://www.tradeweb.com
Job Function: Engineering
Company Industry/Sector: Financial Services
