IAM Engineer

Company Description

Tradeweb is a global leader in electronic trading for rates, credit, equities, and money markets. As financial markets become increasingly interconnected, our technology enables efficient, multi-asset trading on a global scale. We serve more than 3,000 clients in more than 85 countries, including many of the world's largest banks, asset managers, hedge funds, insurers, corporations, and wealth managers.

Creative collaboration and sharp client focus have helped fuel our organic growth. We facilitated average daily trading volume (ADV) of more than $2.2 trillion over the past four fiscal quarters, topping $2.5 trillion in ADV for the first quarter of 2025.

Since our IPO in 2019, Tradeweb has completed four acquisitions and doubled our revenues - and 2024 was our 25th consecutive year of record revenues.

Tradeweb is a great place to work, recognized in 2024 by Forbes as one of America's Best Companies (2024) and by U.S. News & World Report as one of the Best Financial Services Companies to Work For .

Mission: Move first and never stop. Collaborate with clients to create and build solutions that drive efficiency, connectivity, and transparency in electronic trading.

Job Description:

To support our continued growth, we are seeking a results-driven Senior IAM Engineer to join our Identity & Access Management team. This role will engineer and support client identity and authentication capabilities for the products our clients use, delivering secure, scalable, and auditable access.

• Design, implement, and operate CIAM capabilities for client-facing applications, balancing security, scalability, and user experience.
• Build and support federated authentication and authorization using OIDC and OAuth 2.0 (and SAML where required), including client configuration, scopes, consent, redirect URI strategy, and token/claims design.
• Own client identity flows such as registration, login, account linking, progressive profiling, and self-service account recovery, including secure handling of email/phone verification.
• Implement strong authentication patterns for clients, including MFA, step-up authentication, risk-based/conditional access, and session management controls.
• Integrate applications using modern provisioning and identity lifecycle patterns such as JIT provisioning and SCIM where applicable to client/partner ecosystems.
• Define and enforce CIAM security standards: secure token lifetimes/refresh strategies, PKCE, key rotation/JWKS, secrets management, and protection against common auth attacks (replay, token theft, redirect abuse).
• Partner with product and engineering teams to standardize CIAM integration patterns and embed identity into application architecture (roles/permissions, fine-grained authorization, and least privilege).
• Troubleshoot complex production issues across the auth stack (tokens, redirects, cookies/sessions, upstream IdPs), drive root-cause analysis, and implement durable fixes.
• Instrument and monitor CIAM services and client auth journeys (logging, metrics, alerting), improving reliability, latency, and conversion while maintaining security.
• Produce and maintain technical documentation and runbooks for CIAM integrations and operational processes, supporting audits and incident response.
• Support compliance and risk requirements by enabling evidence collection and reporting around authentication events, policy enforcement, and access anomalies.

• Bachelor's degree in Information Systems, Computer Science, Cybersecurity, or a related field (or equivalent practical experience).
• 5+ years of experience in Identity and Access Management, with strong expertise in SSO and modern authentication for client-facing applications.
• Strong, hands-on experience with OIDC and OAuth 2.0 (and SAML where required), including token/claims design, scopes, PKCE, redirect URI strategy, and key management (JWKS, rotation).
• Experience designing and implementing end-to-end CIAM journeys: registration, login, account recovery, progressive profiling, and account linking.
• Experience implementing modern authentication controls such as MFA, step-up authentication, conditional/risk-based access, and secure session management.
• Working knowledge of user lifecycle automation patterns for client/partner ecosystems, including JIT provisioning and SCIM where applicable.
• Ability to troubleshoot complex identity issues across distributed systems (cookies/sessions, redirects, tokens, upstream IdPs), perform root-cause analysis, and drive durable remediation.
• Familiarity with security and compliance expectations in regulated environments (e.g., SOX, ISO 27001, NIST, GLBA) and how they influence authentication, logging, and access controls.
• Strong written and verbal communication skills, with the ability to translate between product, engineering, security, and compliance stakeholders.
• Experience producing clear technical documentation and diagrams (e.g., Confluence, Lucidchart/Visio), including integration runbooks, sequence flows, and configuration standards.
• Highly organized and detail-oriented, with the ability to manage multiple concurrent integrations and production support priorities.

• Proven experience leading or significantly contributing to enterprise-scale SSO/authentication initiatives, including rollout planning, migration/cutover strategies, and production hardening.
• Deep hands-on experience implementing and operating complex federation patterns, including custom OIDC/OAuth configurations (scopes, policies, claims), SAML metadata/certificate management, and advanced sign-in policies (conditional access, step-up/MFA).
• Experience designing and implementing authorization frameworks, including RBAC/ABAC, policy-based access control, permission modeling, and standards such as OAuth scopes, OIDC claims, and (where applicable) UMA or OPA-style policy engines.
• Strong proficiency in scripting or programming for IAM/SSO automation and troubleshooting, using languages such as Python or Go, as well as tools like SQL or PowerShell (e.g., log analysis, token/claim validation, configuration automation).