Privia Health

Identity Developer

Posted 3 Hours Ago
Remote
Hiring Remotely in USA
112K-125K Annually
Senior level
The IAM Engineer designs and implements Privia's identity management platforms, ensures compliance, automates identity processes, and optimizes security across departments.
The summary above was generated by AI
Company Description

Privia Health™ is a technology-driven, national physician enablement company that collaborates with medical groups, health plans, and health systems to optimize physician practices, improve patient experiences, and reward doctors for delivering high-value care in both in-person and virtual settings. The Privia Platform is led by top industry talent and exceptional physician leadership, and consists of scalable operations and end-to-end, cloud-based technology that reduces unnecessary healthcare costs, achieves better outcomes, and improves the health of patients and the well-being of providers.

Job Description

Overview of the Role: Reporting to the Director of Identity Management and Assurance, the IAM Engineer plays a critical role in the design, implementation, and continuous development of Privia’s identity platforms, with primary emphasis on our customer identity and access management (CIAM) ecosystem built on PingOne Advanced Identity Cloud (ForgeRock) and secondary emphasis on SailPoint IdentityNow for workforce identity governance.

This role ensures the CIAM and IGA platforms meet Privia’s identity, security, and compliance needs. The IAM Engineer develops and maintains processes for authentication, authorization, governance, maintenance, and termination of user access for both workforce and non-workforce identities.

This position collaborates across departments to identify security gaps, optimize user lifecycle workflows, and strengthen overall identity posture. The IAM Engineer integrates the identity stack with systems such as Google Workspace, Workday, and other mission- and business-critical applications. They work with technical teams and business stakeholders to ensure identity workflows comply with security policies, industry standards, and best practices.

  • Manage and perform onboarding integrations within SailPoint IdentityNow, ensuring provisioning and governance across multi-tiered enterprise applications.
  • Serve as the technical project manager for IGA and CIAM implementation and expansion, overseeing deployment, upgrades, and continuous improvements.
  • Develop and implement identity lifecycle management automations using scripting languages and APIs to streamline access provisioning and deprovisioning.
  • Provide technical leadership and mentor junior IAM engineers and other colleagues to maintain and enhance the IGA platform, ensuring scalability and security.
  • Lead the design, development, and implementation of the CIAM solution, namely Ping/ForgeRock, collaborating with other engineers to enhance authentication and access management for external identities.
  • Create and maintain multi-tiered technical documentation for IGA/CIAM processes and integrations to ensure clarity and compliance.
  • Work cross-functionally with Cybersecurity, Compliance, IT, and Enterprise Application teams to align IAM/IGA initiatives with organizational security and business goals.

 

Qualifications

  • 5+ years of experience designing and building complex IAM/IGA/CIAM implementations.
  • 5+ years of hands-on experience with Ping Identity/ForgeRock in a CIAM engineering or architecture capacity.
  • 3+ years of hands-on experience with SailPoint IdentityNow, including configuration and management.
  • 5+ years of experience in user provisioning and lifecycle management, with a strong engineering perspective on designing and automating identity solutions.
  • Experience integrating Workday with IAM, CIAM, or IGA systems, including lifecycle event automation derived from Workday data.
  • Strong security skills across CIAM, IAM, and IGA domains.
  • Must adhere to all HIPAA rules and regulations.
  • Bachelor's Degree in Computer Science or a related field preferred.

CLOUD/SAAS

  • Experience with user provisioning in cloud environments such as Google Workspace and Google Identity; familiarity with Google Cloud Platform is preferred.
  • Strong understanding of access controls, authentication, and authorization models in cloud-based platforms.
  • Experience working with Workday as a source of truth, including ingesting identity attributes, supporting hire/term data flows, and integrating Workday with an IGA platform for automated lifecycle management.

APPLICATION (Applications, Database, Interfaces)

  • Understanding of securing a three-tier application architecture in the context of identity and access management.
  • Knowledge of cloud-based security architecture, including multi-cloud environments and the differences between cloud-native applications and virtualized environments such as Citrix or VDI.
  • Must have advanced experience with Ping Identity (ForgeRock) as a CIAM platform, including design, configuration, implementation, and integration.
  • Experience with SailPoint IdentityNow strongly preferred as a supporting IGA platform for workforce lifecycle governance.
  • Familiarity with Workday business processes, organizational structure, and worker data models to enable accurate identity creation, attribute mapping, and downstream provisioning.

AUTOMATION/SCRIPTING/INTEGRATION

  • Experience with automation and scripting tools such as GAM (Google Apps Manager), Google Apps Script, Python, PowerShell, JavaScript, and other relevant languages to support identity lifecycle management.
  • Proficiency in REST and SCIM APIs for automating user provisioning, deprovisioning, and access management across IAM, IGA, and CIAM solutions.
  • Strong focus on automation, streamlining IAM processes, and identifying integration opportunities to enhance security and efficiency.

IGA/IAM/CIAM/PAM 

  • Must have expertise in designing and implementing Ping Identity (ForgeRock), including authentication flows, customer identity lifecycle management, consent, and federation.
  • Extensive experience with Identity Governance and Administration platforms, particularly SailPoint IdentityNow, including RBAC, ABAC, access certifications, and automated provisioning workflows.
  • Proven ability to integrate CIAM/IAM/IGA solutions with SSO protocols such as SAML, OAuth, and OpenID Connect to enhance security while improving user experience.
  • Strong background in defining and enforcing IAM policies, implementing fine-grained access controls, and managing identity lifecycle events (Joiner, Mover, Leaver) in enterprise environments.
  • Skilled in leading IAM architecture discussions, providing strategic technical guidance, and driving best practices across complex SaaS and cloud ecosystems.

EHR/EMR (Preferred)

  • Experience with application support for an EHR/EMR - athenaOne preferred.
  • Knowledge in the creation, modification, and termination of user profiles within an EHR/EMR application.

The salary range for this role is $112,000.00 to $125,000.00 in base pay and exclusive of any bonuses or benefits (medical, dental, vision, life, and pet insurance, 401K, paid time off, and other wellness programs). This role is also eligible for an annual bonus targeted at 15%. The base pay offered will be determined based on relevant factors such as experience, education, and geographic location.

 

Additional Information

All your information will be kept confidential according to EEO guidelines.

Technical Requirements (for remote workers only, not applicable for onsite/in office work):

In order to successfully work remotely, supporting our patients and providers, we require a minimum of 5 MBPS for Download Speed and 3 MBPS for the Upload Speed. This should be acquired prior to the start of your employment. The best measure of your internet speed is to use online speed tests like https://www.speedtest.net/. This gives you an update as to how fast data transfer is with your internet connection and if it meets the minimum speed requirements. Work with your internet provider if you have questions about your connection. Employees who regularly work from home offices are eligible for expense reimbursement to offset this cost.

Privia Health is committed to creating and fostering a work environment that allows and encourages you to bring your whole self to work. We understand that healthcare is local and we are better when our people are a reflection of the communities that we serve. Our goal is to encourage people to pursue all opportunities regardless of their age, color, national origin, physical or mental (dis)ability, race, religion, gender, sex, gender identity and/or expression, marital status, veteran status, or any other characteristic protected by federal, state or local law.  

Top Skills

ForgeRock
GAM
Google Apps Script
Google Cloud Platform
Google Workspace
JavaScript
Ping Identity
PowerShell
Python
REST
SailPoint IdentityNow
SCIM
Workday
