Subhash Y
Senior IAM Engineer
***********@*****.***
Senior IAM Engineer with 11+ years of experience designing and delivering secure, scalable authentication and federation solutions across cloud and on-prem environments. Strong hands-on expertise with PingFederate, PingID, PingAccess, and modern MFA/SSO frameworks, including SAML, OAuth, and OIDC. Skilled in building and troubleshooting complex SSO integrations, creating authentication and access policies, and engineering reliable federation services for high-traffic applications. Experienced in scripting and automation to streamline identity operations, improve configuration consistency, and reduce manual effort. Known for clear communication, strong problem-solving skills, and the ability to partner effectively with cross-functional teams while supporting evolving IAM and Zero Trust security practices.
KEY AREAS OF PROVEN SUCCESS:
Ping Identity Architecture & Engineering: Designed, deployed, and operated enterprise identity platforms using PingFederate, PingAccess, PingID, PingDirectory, and PingOne, enabling secure authentication across workforce, partner, and customer applications.
Federation & Application Integration: Integrated 150+ applications using SAML, OAuth 2.0, and OpenID Connect, including IdP/SP configuration, attribute mapping, certificate management, and secure federation with internal and external identity providers.
OAuth, OIDC, and API Security: Designed OAuth authorization flows and token services, enabling secure API access using JWT tokens, authorization servers, and API gateway integrations.
SSO & Modern Authentication: Delivered scalable Single Sign-On and authentication solutions across enterprise and cloud environments, improving login reliability and user experience.
PingAccess API Protection: Secured web and API applications using PingAccess with reverse proxy policies, JWT validation, and fine-grained access control.
Passwordless & MFA Implementation: Implemented passwordless authentication using FIDO2, WebAuthn, PingID, and Okta FastPass, strengthening security and reducing reliance on traditional credentials.
Legacy Authentication Modernization: Led migration of legacy authentication platforms such as SiteMinder and OpenAM to PingFederate, improving security, scalability, and operational efficiency.
Directory & Identity Integration: Integrated Ping Identity platforms with Active Directory, LDAP, and Entra ID to enable secure authentication and centralized identity management.
High Availability & Platform Reliability: Designed and supported highly available PingFederate and PingAccess environments using clustering, load balancing, and cloud infrastructure to ensure continuous authentication services.
Identity Automation & DevOps: Automated identity provisioning, federation configuration, and operational tasks using REST APIs, JavaScript, Python, PowerShell, and CI/CD pipelines, reducing manual effort and improving consistency.
Cloud Identity & Infrastructure: Deployed and managed identity platforms in AWS and Azure environments, supporting secure authentication for cloud-native and distributed applications.
Privileged Access & Identity Security: Implemented and supported CyberArk Privilege Cloud and secrets management solutions to secure privileged accounts and eliminate hard-coded credentials.
Zero Trust Identity Architecture: Designed adaptive authentication, risk-based access policies, and contextual access controls aligned with Zero Trust security principles.
Monitoring, Troubleshooting & Incident Resolution: Provided advanced troubleshooting and L3 support for authentication, federation, and identity platform issues, improving reliability and reducing incident resolution time.
Architecture Leadership & Cross-Team Collaboration: Partnered with security, cloud, and application teams to design secure identity solutions, onboard applications, and establish enterprise IAM standards.
Enterprise Password Manager Migration: Led migration from LastPass to 1Password, securely transferring vaults, shared credentials, and access policies for enterprise users, improving credential security, strengthening access controls, and ensuring zero downtime during the transition.
TECHNICAL SKILLS:
Methodologies
Agile/Scrum, Waterfall, SDLC
Identity & Federation Platforms
PingFederate 9.x–11.x, PingAccess 5.x–6.x, PingID, PingOne, Azure AD / Entra ID, Auth0, CA SiteMinder (legacy), Okta (Classic & Identity Engine)
Access Management & Zero Trust
PingAccess, Okta Access Gateway, Device Trust, Conditional Access, Secure Proxy, Web Agents
Multi-Factor & Passwordless Authentication
Okta FastPass, Okta Verify, PingID, DUO, FIDO2/WebAuthn, YubiKey, Biometric Authentication
Identity Governance & Lifecycle
Okta IGA, Lifecycle Management (JML), SCIM Provisioning, RBAC, SoD Controls, CIAM
Threat Detection & Adaptive Security
Okta ThreatInsight, Identity Threat Protection (ITP), Behavior Detection, Risk Scoring, Adaptive MFA
Automation & Workflows
Okta Workflows, Okta REST APIs, SCIM 2.0, PowerShell, Bash, Python, Automation Scripts, Slack/Email Alerts, ServiceNow Ticketing
Authentication Protocols
SAML 2.0, OIDC, OAuth 2.0, Token Validation
Web & Application Servers
IIS, Apache, Tomcat, JBoss, Java, REST API
Directory Servers
Active Directory, Entra ID, LDAP, PingDirectory, Sun ONE Directory, CA Directory, Directory Sync & Proxy
Operating Systems
RHEL, UNIX (Solaris, AIX), Windows Server (2000–2019)
Cloud & Infrastructure
Amazon Web Services, Azure AD / Entra ID, Terraform, Ansible, Docker, Kubernetes
Databases
MS SQL Server, MySQL, Oracle, DB2
EDUCATION:
• Master's in Electrical and Computer Networks, Dec-2015
• Bachelor of Technology, Electrical and Electronics Engineering, May-2011
Training/Certifications:
• AWS Certified Solutions Architect – Associate, May-2020
WORK EXPERIENCE:
Exelixis – Oakland, CA
Sr. IAM Engineer August 2023 – Present
Responsibilities:
• Rolled out passwordless authentication using FIDO2, WebAuthn, and PingID, improving login success rates by 25% and reducing MFA friction across the workforce.
• Migrated applications from legacy MFA to passwordless flows, cutting authentication-related helpdesk tickets by 30%.
• Delivered 40+ new SAML/OIDC integrations using PingFederate, improving onboarding speed and reducing manual configuration work.
• Managed PingFederate as the enterprise SSO platform, supporting high-traffic authentication flows and improving reliability through targeted performance tuning.
• Designed and maintained PingOne configurations (applications, identity mappings, sessions), increasing onboarding efficiency by 35%.
• Built secure SP/IdP connections with external partners using SAML 2.0, OAuth 2.0, and OIDC, strengthening federation security and reducing integration issues.
• Created adaptive authentication and access policies using device posture, network context, and risk signals, reducing unauthorized access attempts by 20%.
• Protected web and API applications using PingAccess (JWT validation, reverse proxy, ACLs), improving API security posture.
• Automated provisioning, access reviews, and MFA enrollment using JavaScript, PowerShell, and Ping APIs, reducing manual IAM workload by 60%.
• Automated SAML/OIDC deployments using Ping APIs, eliminating 90% of manual configuration errors and improving deployment consistency.
• Built custom adapters, handlers, and scripts to support complex authentication scenarios, increasing integration success rates by 25%.
• Developed certificate, token, and session management processes that reduced integration failures by 20%.
• Provided daily operational support for PingFederate, PingID, PingAccess, LDAP, and federation services, maintaining 99.9% platform uptime.
• Troubleshot authentication, certificate, and token issues across multiple identity platforms, reducing recurring incidents by 35%.
• Integrated Ping logs with Splunk, improving troubleshooting speed by 40% and enhancing visibility into authentication flows.
• Designed and deployed PingFederate, PingAccess, and PingDirectory clusters using Kubernetes and Helm on AWS/Azure, reducing deployment time by 50%.
• Built HA/DR strategies for Ping Identity components using containerized and cloud-native tooling, reducing outage risk by 40%.
• Managed PingDirectory, LDAP, AD, and OUD environments (schema updates, replication, HA tuning), improving directory sync reliability by 30%.
• Created architecture diagrams, runbooks, and integration guides that reduced onboarding time for new engineers by 50%.
• Partnered with security, cloud, and application teams to design scalable identity architectures aligned with Zero Trust principles.
• Integrated identity systems with ServiceNow for access requests and incident workflows, improving operational efficiency.
First Republic Bank – SFO, CA
Sr. IAM Engineer – PingFederate August 2018 – July 2023
Responsibilities:
• Delivered enterprise SSO and MFA solutions using PingFederate, PingAccess, and PingID, securing authentication for over 100 critical banking applications.
• Onboarded 150+ applications into PingFederate, configuring IdP/SP connections, attribute mappings, authentication policies, and certificate trust relationships, improving onboarding efficiency by 20%.
• Designed and implemented OAuth 2.0 and OpenID Connect authorization flows, including Authorization Code and Client Credentials, enabling secure access for web, mobile, and API-based applications.
• Integrated PingFederate with API gateways to issue and validate JWT tokens, modernizing API authentication and reducing reliance on legacy authentication systems by 50%.
• Built advanced authentication flows using Kerberos, X.509 certificates, IWA, and custom adapters, reducing authentication failures by 20% and improving user experience.
• Enabled step-up authentication using PingID integrated with Citrix and CyberArk, strengthening privileged access security and reducing unauthorized access risk by 35%.
• Installed, upgraded, and maintained PingFederate and PingAccess clusters with high availability architecture, improving platform stability and reducing authentication incidents by 30%.
• Integrated PingFederate with legacy SiteMinder infrastructure, enabling seamless migration to modern authentication architecture with zero downtime.
• Configured Hardware Security Modules (HSM) for PingFederate to secure cryptographic keys and strengthen token signing security.
• Migrated legacy web access management integrations to PingAccess, implementing secure access policies and improving application security posture.
• Architected secure federation with external partners and third-party vendors using PingFederate, establishing trusted IdP/SP relationships, improving partner onboarding speed by 30%, and enabling secure access to banking applications and APIs.
• Automated certificate renewals, environment maintenance, and deployment tasks using Python and Bash, saving over 10 hours per week in manual effort.
• Developed OGNL attribute mappings and token transformation logic, improving integration flexibility and reducing need for custom application code by 25%.
• Integrated PingFederate and PingAccess logging with Splunk, improving authentication visibility and reducing incident resolution time by 45%.
• Troubleshot complex authentication, federation, certificate, and token issues, improving authentication reliability and reducing recurring incidents.
• Developed architecture diagrams, authentication flow documentation, and onboarding standards, reducing onboarding and troubleshooting time by 40%.
• Owned PingFederate federation platform reliability, proactively tuning authentication policies, token settings, and certificate configurations, reducing authentication incidents and improving overall SSO platform stability.
• Provided architectural guidance to application teams and security engineers, ensuring secure integration and alignment with enterprise identity standards.
• Partnered with security and infrastructure teams to implement Zero Trust authentication architecture across enterprise systems.
• Supported enterprise identity platform with high availability and reliability, ensuring secure and uninterrupted authentication services.
AT&T – Atlanta, GA
Sr. IAM/PingFederate Engineer Jan 2016 – July 2018
Responsibilities:
• Implemented enterprise SSO and federation solutions using PingFederate, PingAccess, and PingDirectory, enabling secure authentication for internal and partner applications.
• Designed and configured SAML 2.0 federation integrations, establishing secure trust relationships with external identity providers and partner systems.
• Integrated applications with PingFederate using IdP and SP configurations, enabling secure authentication and improving user access reliability.
• Deployed and managed PingFederate, PingAccess, and PingDirectory infrastructure, ensuring high availability and performance across clustered environments.
• Implemented OAuth 2.0 and OpenID Connect authentication flows to support secure access for web and mobile applications.
• Configured PingAccess policies and reverse proxy integrations to protect enterprise applications and enforce access control.
• Integrated PingFederate with LDAP directories including Active Directory and PingDirectory, enabling centralized identity authentication and synchronization.
• Supported migration of legacy authentication systems to Ping Identity solutions, improving security and modernizing authentication architecture.
• Automated identity provisioning, authentication workflows, and administrative tasks using JavaScript, PowerShell, and scripting tools, improving operational efficiency.
• Deployed Ping Identity components using Kubernetes and Helm, improving deployment scalability and reducing environment setup time.
• Designed high availability and disaster recovery strategies for Ping Identity infrastructure, improving system reliability and uptime.
• Provided troubleshooting and operational support for authentication, federation, and directory services, ensuring secure and reliable access.
• Collaborated with application and infrastructure teams to design and implement secure identity integration solutions.
• Developed technical documentation and integration guides to support onboarding and operational support.
• Maintained and supported enterprise identity platforms, ensuring secure authentication and continuous service availability.
Nucleus Corp Inc – Hyderabad, India
System Security Admin Sep 2012 – June 2014
Responsibilities:
• Supported day-to-day identity operations in Active Directory, including creating new user accounts, updating group memberships, modifying access, unlocking accounts, and processing deprovisioning requests.
• Worked closely with platform and application owners to troubleshoot login issues, connection failures, and authentication errors, improving overall access reliability for end users.
• Performed regular audits of user accounts, access privileges, and activity logs to identify security risks, orphaned accounts, and policy violations.
• Updated and enforced basic security policies such as password rules, account lockout settings, and access control standards to maintain a secure environment.
• Acted as the primary contact for ticket analysis, helping reduce backlog, identify recurring issues, and improve service-level performance.
• Resolved RADIUS authentication issues and supported integrations with VPN and network devices to ensure stable authentication flows.
• Managed privilege-level access requests, processed approvals, and ensured proper role-based access control across systems.
• Onboarded new user accounts and access profiles, supporting organizational growth while maintaining consistent security practices.
• Monitored Vault and related security servers to ensure availability and timely detection of issues (early exposure to privileged access concepts).
• Created clear procedures, runbooks, and user awareness materials that reduced support tickets and improved resolution times.
• Supported endpoint security tools, antivirus deployments, and vulnerability remediation efforts across user workstations and servers.
• Participated in basic security incident response activities, assisting with initial triage and coordinating with senior security engineers when needed.
• Collaborated with infrastructure and networking teams to resolve authentication problems, directory sync issues, and general access-related incidents.