IAM PKI Engineer

bridge351 Portugal
Remote

Job Description

IAM KeyCloak Secrets PKI Engineer

🏛️ About The Role

We are looking for an IAM PKI Engineer to join our internal platform team. In this role, you will design, implement and operate Identity & Access Management services, including Keycloak, HashiCorp Vault and PKI infrastructure, working closely with the EDP IAM team in an agile, sprint-based delivery environment.

🛠️ Key Responsibilities

  • Implement and maintain Keycloak deployments on VMs, Kubernetes (OpenShift, bare-metal, GKE) and Docker, including OIDC, OAuth2, SAML and Kerberos/LDAP federation.
  • Configure RBAC/ABAC policies, multi-realm and multi-tenant setups across hybrid cloud and on-prem workloads.
  • Integrate Keycloak with IPA/LDAP/AD for identity sync, and with Google Identity as an IdP or broker.
  • Deploy and operate HashiCorp Vault in production on Linux-based systems, including HA clusters, Raft storage, seal/unseal mechanisms (Shamir, HSM, cloud KMS).
  • Configure Vault for securing Keycloak operational secrets, implementing dynamic secrets and secret rotation policies.
  • Set up and manage the Vault PKI secrets engine: internal CAs, intermediates, short-lived certificate issuance, CRL/OCSP, and automated revocation.
  • Integrate PKI with enterprise services such as Kubernetes ingress controllers, load balancers, web servers and VPNs.
  • Automate deployment and configuration of Keycloak and Vault using Terraform, Helm and/or Ansible, following IaC and GitOps practices.
  • Work on CI/CD integration (GitHub Actions, GitLab CI, Jenkins) for certificate and secret distribution.
  • Monitor both platforms with Prometheus and Grafana; handle incident response for expired certificates, Vault unseal failures and IPA migration issues.

✅ Mandatory Qualifications

  • Bachelor's or Master's degree in Computer Science, Information Security, Systems Engineering or a related field.
  • In the absence of a degree in a relevant field, demonstrated equivalent professional experience of at least 6 years will be accepted.

✅ Mandatory Experience

  • Strong hands-on knowledge of authentication and authorisation protocols: OIDC, OAuth2, SAML, Kerberos and LDAP.
  • Proven experience deploying and managing Keycloak on VM and/or Kubernetes environments.
  • Demonstrated experience with HashiCorp Vault in production: HA clusters, Raft storage, seal/unseal configuration (KMS/HSM) and PKI secrets engine operations.
  • Experience managing PKI infrastructure: intermediate CAs, role definitions, short-lived certificate issuance, CRLs and automated revocation.
  • Experience automating certificate lifecycle management via Vault Agent, API or CI/CD pipelines, including rotation policies and revocation.
  • Experience integrating PKI with enterprise systems (Kubernetes ingress, load balancers, VPN, S/MIME, databases).
  • Hands-on experience with Terraform, Helm and/or ArgoCD for infrastructure automation.
  • Experience with Prometheus and Grafana for monitoring; ability to troubleshoot unseal, auth and CRL issues and perform backup & restore.

⭐ Preferred Experience

  • Experience deploying Keycloak on GCP/GKE, including integration with Google Identity and mapping Keycloak roles to GCP IAM roles.
  • Knowledge of advanced PKI topics: ACME v2 (DNS-01 + EAB), EST for devices, AIA/CRL/OCSP publishing and stapling, RFC 5280 profiles, SAN encoding and RA delegation.
  • Experience with RBAC, audit devices, HSM/KMS for key protection and security compliance practices.
  • Familiarity with post-quantum cryptography (PQC) pilots.
  • Fluent in German.
  • Experience working in Scrum or other agile frameworks.

🌐 Languages

  • Fluent English (written and spoken).

📍 Location & Work Model

  • Remote - Occasional travel required.
  • Full-Time
