IAM Engineer

Vitol is an energy and commodities company with revenues of $331 billion in 2024; its primary business is the trading and distribution of energy products globally – it trades over seven million barrels per day of crude oil and products and, at any time, has 250 ships transporting its cargoes.

Vitol’s clients include national oil companies, multinationals, leading industrial companies and utilities. Founded in Rotterdam in 1966, today Vitol serves clients from some 40 offices worldwide and is invested in energy assets globally including 24mM3 of storage, 850kbpd of refining capacity, and 10,000 service stations. To date, we have committed over $2.5 billion of capital to renewable projects and are identifying and developing low-carbon opportunities around the world.

Job Description

As our IAM Engineer - Modern Authentication specialist, you will own / maintain the technical configuration of our Entra ID tenant with a primary focus on modernizing our authentication systems, as part of a wider Identity & Access Management strategy / project roadmap. Join our growing IAM team to have a hands-on key role on Authentication/Authorization topics, securing application onboarding & systems configuration hardening (ex: conditional access / adaptative MFA), designing, implementing & maintaining a robust, scalable framework to ensure a frictionless end-user experience.

Access Management & Governance: Define, implement, and maintain Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC) models across Vitol identity platforms, including on-prem AD, Entra ID and AWS. Partner with Security, Infrastructure, Cloud and Development teams to establish consistent access control standards across platforms and applications. Support the design and management of access models for applications, APIs, service accounts, cloud platforms and workload identities.

System and Application Integration: Integrate external and internal applications with Vitol's identity providers for Single Sign-On (SSO) using SAML, OAuth, and OIDC protocols. Lead engagement and workshops with application development teams to support integration. Advise developers on secure authentication and authorization flows, including tokens, claims, scopes, roles, secrets, certificates and redirect URIs.

Development Team Enablement: Work with Development teams to embed IAM best practices into shared libraries, frameworks, SDKs, templates and reference architectures. Help define reusable authentication and authorization components for Vitol applications. Ensure internal libraries support least privilege, secure token validation, secure session management, claims-based authorization, secretless authentication and modern federation patterns. Act as an IAM subject matter expert, helping teams choose the right protocol and identity architecture.

Identity Lifecycle Management: Ensure secure provisioning and de-provisioning of user accounts within the "joiner, mover, leaver" (JML) process.

Policy Enforcement: Implement, maintain and enforce identity security policies, including Multi-Factor Authentication (MFA), Conditional Access and least privileges. Help ensure policies are consistently applied across users, applications and platforms, while balancing security requirements with business usability.

Troubleshooting & Support: Provide Tier 3 support for identity-related incidents, including authentication, authorization, SSO, federation and access issues. Work with infrastructure, security, cloud and application teams to diagnose root causes and implement effective resolutions.

Automation: Utilize scripting (e.g., PowerShell, Python) and APIs/SCIM to automate identity lifecycle and access management workflows. Improve operational efficiency by reducing manual tasks, standardising processes and supporting scalable IAM operations.

IAM as a service: Create and own the documentation of "IAM as a service"; Define onboarding processes, integration patterns and standard operating procedures for IAM services; Provide clear guidance to application teams on how to consume IAM services securely and efficiently.

Qualifications

Bachelor's degree in Information Security, Computer Science, or a related field - equivalent professional experience will also be considered.
4/5+ years in IAM / Authentication / Security engineering
Deep knowledge of IAM standards and protocols: SAML, OIDC, OAuth2, SCIM, LDAP, PKI basics, and modern auth patterns
Experience onboarding and supporting SaaS, web, mobile, and API applications & systems with standards/protocols mentioned above into IAM solutions
Strong understanding of cloud identity patterns (esp. AWS & Azure), hybrid identity, and Zero Trust
Ability to communicate architecture decisions clearly to technical and non-technical stakeholders
Hands-on experiences / proven expertise as an Identity Security Engineer (& administrative experience with privileged roles) of following tools/modules/platforms:

Microsoft Cloud environment

• Core Microsoft Identity: deep expertise in Entra ID, Entra Connect / Cloud Sync, and Graph API
• Identity Governance: deployment and management of PIM, Access Reviews, and Entitlement Management
• Advanced configuration of Identity Protection (user/sign-in risk), Risk-based Conditional Access, and Microsoft Defender for Identity (MDI)

EntraID Workload Identities

Collaboration cross-tenant / multi-tenant organizations

ADFS / PTA / PHS

• Intune & endpoint integration
• Azure Key Vault & other Azure managed services

AWS Cloud Environment

AWS IAM Users, Groups, Roles & Policies Management

AWS Organizations & Service Control Policies (SCPs)

AWS IAM Identity Center (SSO) & Federation

Least-Privilege Enforcement & Access Analysis

Secrets Management & Temporary Credentials

AWS KMS for secure credential and key management.

Modern Authentication Deployment

• Methods / Passwordless technologies: Windows Hello for Business, FIDO2 security keys, Microsoft Authenticator, Certificate-based Auth
• Protocols: OAuth 2.0, OpenID Connect, SAML 2.0
• Hardware: YubiKeys, TPM-based biometrics, Passkeys
• SSPR / self-service tools, AAD Password Protection
• Application management: app registration, Entreprise App, managed identity, ServicePrincipal…
• Dashboard creation: PowerBI / Workbook Azure
• Scripting: Powershell / Python / etc
• Develop custom scripts from scratch and optimize existing codebase to automate identity workflows and system administration

Directories: Active Directory

• ADDS & AD authentication services (NTLM / Kerberos)
• 3-tier model & delegation model for AD services
• FSMO roles, GPO management, AD backup/restore…
• Certifications: one or more of the following would be held by the candidate: SC-300, AZ-500, MS-500

Good knowledge of

Principles & technical mechanisms of identity & access management, Privileged Access Management

Cloud/IaC: AWS/Azure/GCP IAM, Terraform, CI/CD

Observability/Security: SIEM, EDR integrations, centralized logging

Additional Information

Personal Characteristics

• A self-motivated individual who thrives on seeing the results of their work make an impact
• Strong communication skills, both verbally and in writing
• Proven ability to be flexible, work hard, and a sense for the art of the possible
• Methodical, organized and with an attention to detail - in general, in experimental design, and in code!
• Willingness to share their knowledge and learn from others
• An interest in learning about the commodities space
• Resourceful, able to think creatively and adapt in a dynamic environment
• Team player, with an open non-political style and a high level of integrity
• What we offer
• Competitive salary and benefits package
• Real-world impacts on a truly global scale
• Entrepreneurial environment within a flat hierarchy, where great ideas come to life quickly
• Close collaboration with various teams and stakeholders across our key regions (eg. London, Singapore, Houston, Geneva)
• A highly motivated MIS organization comprised of experienced individuals with a supportive attitude and great team spirit