Identity and Access Management Specialist
IMPORTANT NOTICE REGARDING APPLICATION DEADLINE: please note that the deadline for applications is indicated in local time as per the time zone of the applicant’s location.
This post is a limited-term fixed-term post.
1. Organizational Context
- Organizational Setting
The post is located in the Systems Management and Integration Section, IT Technical Division, ICT Department, Administrative and Management Sector.
The primary responsibility of the Section is to provide efficient and cost-effective ICT platforms for the hosting of business systems that fulfill the business and technical requirements. This entails the provision of system resilience and availability, ongoing system consolidation, the use of standardized solutions and a progressive move towards integrated ICT architectures for sustainability to accommodate WIPO’s fee-generating services that almost exclusively rely on such systems to receive and process information online. The Section ensures that business systems can be used as integrated services and meet the business requirements as a whole, regardless of the intricacies and interdependencies of the underlying technical systems.
- Purpose Statement
The incumbent is responsible for designing, deploying and ensuring efficient operations of an enterprise-wide Identity and Access Management (IAM) platform with the goal of progressively integrating applications with enterprise IAM capabilities with focus on security, convergence and reuse of capabilities.
- Reporting Lines
The incumbent reports to the Head of the Systems Management and Integration Section.
2. Duties and Responsibilities
The incumbent will perform the following principal duties:
a. Carry out the design, implementation and operations of a highly available and robust enterprise IAM platform supporting WIPO's internally and externally hosted business applications and online systems. Ensure deployment and continued enforcement of IAM policies, assist in integrating business applications and resolve integration and system issues.
b. Integrate cloud-based applications, such as SaaS offerings, WIPO-developed workflows and mobile apps, for access control via standard identity federation protocols within the WIPO enterprise IAM platform, including hybrid solutions.
c. Implement standard IAM solutions for application developers and business architects. Assist developers with the integration of Internet-facing and internal business applications into the standard IAM stacks to meet the current and future business requirements for user authentication and access control.
d. Implement business requirements for secure and easy-to-use application access via Single Sign-On (SSO) solutions, including strong authentication and modern authentication methods for internal users.
e. Develop and implement processes for IAM-related auditing, reporting on access rights and user access management for recertification and verification of continued access. Perform security administration on various IAM platforms and systems, ensuring access is granted in accordance with the information security policies, established standards and procedures.
f. Maintain an enterprise data dictionary of directory attributes, usage requirements, owners and synchronization processes. Ensure coherent use of LDAP groups and dynamic groups. Take the lead in consolidating current solutions.
g. Maintain ICT Service Continuity measures for IAM services and propose improvements in accordance with business continuity requirements. Collaborate with the Security and Information Assurance Division during the design, development and implementation of enterprise IAM capabilities in order to gain reasonable assurance of operational processes and controls in compliance with information security policies and standards. Propose solutions to enhance operational security.
h. Perform other duties as required.
3. Requirements
Education
Advanced university degree, preferably in Computer Science, Engineering or related discipline. A first-level university degree plus two years of relevant experience in addition to the experience requested below may be acceptable in lieu of the advanced university degree.
ForgeRock Certified OpenAM Specialist.
AWS Certified Cloud Practitioner.
Specialized training or certification in one or more leading IAM product suites.
Security certifications such as CISSP, CCSP, SABSA, etc.
Microsoft Certified Identity and Access Administrator Associate.
AWS Certified Solutions Architect Associate.
Experience
At least seven years of professional work experience in the design, deployment and operations related to large scale, enterprise-level IAM platforms, and in the integration of business applications with IAM systems for authentication and access control.
Proven track record in implementing highly secure IAM solutions, as well as experience with IAM platforms administration, support and configuration of highly available critical IAM environments.
Experience with using directory services and LDAP, and in particular the Microsoft Active Directory environment.
Solid and proven experience with ForgeRock OpenAM: OIDC profiles, policies, securing OpenAM, policy agent configuration, federation (SAML2, WS-Fed, OIDC), custom adapters (Java), ForgeRock Docker, OpenAM Amster, custom authentication modules (Java and nodes), trees and nodes, monitoring logs and notifications, and debugging issues.
Solid and proven experience with ForgeRock OpenAM administration and support: monitoring, troubleshooting, supporting and fixing incidents, supporting a mix of production and development environments and deployments, and planning and performing patches and upgrades.
Good experience with OpenLDAP directory management as well as OpenDJ (directory and Core Token Service), disabling users using custom scripts, group membership, and monitoring (replication, status, weekly restarts).
Comfortable with Linux server administration.
Hands-on programming experience in at least one application development platform (Java/Linux and/or .NET/Windows).
Experience with multiple SSL gateways and reverse proxy services, VPN, Cloud Access Security Brokers, encryption gateways, Apache/Tomcat basic authentication, and experience with other IAM/IAG platforms such as SailPoint.
Language
Excellent knowledge of written and spoken English.
Knowledge of French or other UN languages.
Job Related Competencies (Essential)
Excellent technical knowledge of application integration with IAM systems.
Expert knowledge of at least three of the following technologies:
Authentication/Authorization (multifactor, AD, Kerberos, LDAP, fine- and coarse-grained authorization); Access Provisioning; Access Management (RBAC, Cloud SSO, Federation); Web technologies (SSL, reverse proxies, Web SSO, web security: SAML, WS-Federation, REST); Public Key Infrastructure (PKI).
Excellent analytical skills and the ability to document IAM platforms and processes, as well as related operating and risk management procedures.
Ability to clearly explain complex issues and communicate with technical actors and business area representatives.
Proven ability to work as part of diverse technical teams in a cross-cultural environment.
Understanding of internet security technology and concepts.
Service orientation and attention to quality.
Ability to work under pressure and successfully prioritize tasks in order to manage multiple commitments and deadlines.
Excellent communication and interpersonal skills, with the ability to influence others without always relying on the line-of-command.
Job Related Competencies (Desirable)
Knowledge of the PRINCE2 project management methodology.
Knowledge of Enterprise Architecture concepts.
Knowledge of the ITIL Service Management methodology.
Knowledge of managing and configuring web and application servers (Apache, Tomcat, JBoss and others).
Knowledge and/or experience in security architecture principles and models like SABSA.
Knowledge of Networking and Information Security concepts.
4. Organizational Competencies
- Communicating effectively.
- Showing team spirit.
- Demonstrating integrity.
- Valuing diversity.
- Producing results.
- Showing service orientation.
- Seeing the big picture.
- Seeking change and innovation.
- Developing yourself and others.
Mobility: WIPO staff members are international civil servants subject to the authority of the Director General and may be assigned to any activities, office or duty station of the Organization. Accordingly, the selected candidate may be required to move from time to time to new functions and/or to another duty station.
Total annual salary consists of a net annual salary (net of taxes and before medical insurance and pension fund deductions) in US dollars and a post adjustment. Please note that this estimate is for information only. The post adjustment multiplier (cost of living allowance) is variable and subject to change (increase or decrease) without notice. The figures quoted below are based on the March 2022 rate of 81.7%.
Salaries and allowances are paid in Swiss francs at the official rate of exchange of the United Nations.
Please refer to WIPO’s Staff Regulation and Rules for detailed information concerning salaries, benefits and allowances.
Initial fixed-term appointment of two years, renewable subject to satisfactory performance and other applicable conditions. The selected candidate will be subject to an overall term of five years with no possibility of renewal beyond that term. This is not applicable to WIPO staff members on fixed-term, continuing or permanent appointments, who were recruited following a competition under Staff Regulation 4.10 (“Appointment Boards”).
This vacancy announcement may be used to fill other posts at the same grade with similar functions in accordance with Staff Rule 4.9.5.
Applications from qualified women as well as from qualified nationals of unrepresented Member States of WIPO and underrepresented geographical regions are encouraged. Please click on the following links for the list of unrepresented Member States and the list of underrepresented regions and the WIPO Member States in these regions.
The Organization reserves the right to make an appointment at a grade lower than that advertised.
By completing an application, candidates understand that any willful misrepresentation made on this web site, or on any other documents submitted to WIPO during the application, may result in disqualification from the recruitment process, or termination of employment with WIPO at a later date, if that employment resulted from such willful misrepresentations.
In the event that your candidature is shortlisted, you will be required to provide, in advance, a scanned copy of an identification and of the degree(s)/diploma(s)/certificate(s) required for this position. WIPO only considers higher educational qualifications obtained from an institution accredited/recognized in the World Higher Education Database (WHED), a list updated by the International Association of Universities (IAU) / United Nations Educational, Scientific and Cultural Organization (UNESCO). The list can be accessed through the link: http://www.whed.net/. Some professional certificates may not appear in the WHED and these will be reviewed individually.
Additional testing/interviewing may be used as a form of screening. Initial appointment is subject to satisfactory professional references.
Additional background checks may be required.