Access and Identity Management

Architect of zero-trust security postures, automated identity lifecycle pipelines, and the hardened access controls required to safeguard production systems and cloud infrastructure.

Overview

Security-first infrastructure engineer focused on the end-to-end design and implementation of Access and Identity Management (AIM) architectures. I replace perimeter-based trust with explicit, programmatically enforced identity boundaries. I treat authorization policy as code: building defensible directories, auditable token structures, and secure token delegation pipelines that move from sandbox validation to production enforcement without a manual hand-off.

Directory Architecture & Provisioning

I design resilient directory structures that manage the full identity lifecycle from ingestion to offboarding. I configure and manage high-scale enterprise directory trees built on 389 Directory Server (389DS) as the authoritative account store, issuing JWTs as the signed session format for stateless API access. I have considerable experience building API and web authentication handlers around X.509 client certificates (PKI) and a range of common back-end authentication services, delivering single sign-on without weakening the security posture.

Federated Authentication & Protocols

I build high-integrity identity federation interfaces using the Ipsilon identity provider to create secure single sign-on bridges across hybrid infrastructure, linking open source systems with legacy Microsoft Active Directory (AD) realms and cloud-native Microsoft Entra ID environments. I deploy mod_auth_mellon with the underlying lasso library for SAML 2.0 federation, mod_auth_openidc as the OpenID Connect relying party and OAuth 2.0 resource-server layer, and mod_auth_gssapi alongside freeipa-server to govern cross-realm Kerberos trust boundaries without fragile synchronization scripts.
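The three Apache modules named above can coexist in one virtual host, each protecting its own path, which is what a hybrid bridge in practice looks like. The following httpd configuration is an added illustration, not configuration taken from this profile or from any of the projects it names; the hostnames, file paths, client ID, group names and the metadata URL are placeholders, and the client secret and cookie passphrase are literal stand-ins that would in practice be injected from outside the config file.

```apache
# Added example: one vhost, three federation entry points.
# All hostnames, paths, IDs and group names below are placeholders.

<VirtualHost *:443>
    ServerName app.example.internal
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/app.crt
    SSLCertificateKeyFile /etc/pki/tls/private/app.key

    # --- OpenID Connect relying party (mod_auth_openidc) ---
    # Discovery document is fetched from the OP and ID tokens are validated
    # against the keys it publishes, so no signing key is copied by hand.
    OIDCProviderMetadataURL https://idp.example.internal/idp/openidc/.well-known/openid-configuration
    OIDCClientID            app-web
    OIDCClientSecret        CHANGE-ME-client-secret
    OIDCRedirectURI         https://app.example.internal/oidc/callback
    OIDCCryptoPassphrase    CHANGE-ME-cookie-passphrase
    OIDCScope               "openid profile groups"
    OIDCRemoteUserClaim     preferred_username
    # Never accept an OP whose TLS chain does not validate.
    OIDCSSLValidateServer   On

    <Location /portal>
        AuthType openid-connect
        # Authorize on a claim value, not on mere authentication.
        Require claim groups:portal-users
    </Location>

    # --- SAML 2.0 service provider (mod_auth_mellon, via lasso) ---
    # "info" at the root makes the SP endpoints and attributes available;
    # only the protected path below actually demands a login.
    <Location />
        MellonEnable "info"
        MellonEndpointPath /saml2
        MellonSPPrivateKeyFile /etc/httpd/saml2/sp-key.pem
        MellonSPCertFile       /etc/httpd/saml2/sp-cert.pem
        MellonSPMetadataFile   /etc/httpd/saml2/sp-metadata.xml
        MellonIdPMetadataFile  /etc/httpd/saml2/idp-metadata.xml
        # Session cookie is Secure + HttpOnly; user identity comes from NameID.
        MellonSecureCookie On
        MellonUser NAME_ID
        MellonSetEnv "groups" "groups"
    </Location>

    <Location /legacy>
        AuthType Mellon
        MellonEnable "auth"
        Require valid-user
    </Location>

    # --- Kerberos / SPNEGO (mod_auth_gssapi against a FreeIPA or AD realm) ---
    <Location /intranet>
        AuthType GSSAPI
        AuthName "Kerberos login"
        GssapiCredStore keytab:/etc/httpd/http.keytab
        # Refuse to negotiate over plain HTTP and map the principal to a
        # local short name so downstream ACLs see "alice", not "alice@REALM".
        GssapiSSLonly On
        GssapiLocalName On
        Require valid-user
    </Location>
</VirtualHost>
```

The point of keeping all three under one ServerName is that the application behind them sees a single REMOTE_USER contract regardless of which realm authenticated the request; the trust boundary is the module configuration, not a synchronization job between directories.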

Identity Lifecycle & Automated PKI

I automate the orchestration of machine-to-machine trust, system identity lifecycle events, and certificate provisioning boundaries. I build fully internal, hardened Public Key Infrastructures (PKI) on step-ca, with SoftHSM as the PKCS#11 backend that keeps CA private keys out of the filesystem, and drive automated validation checks through the same step-ca instance. By offloading identity caching, host credential verification, and dynamic host-based access control (HBAC) rule evaluation natively to the System Security Services Daemon (SSSD), I replace manual certificate rotation tasks with deterministic, secure, policy-based automation.
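What "step-ca with SoftHSM" looks like in configuration is the part a reader cannot infer from the paragraph, so here is an added example of a step-ca ca.json that keeps the intermediate key inside a PKCS#11 token and only exposes a short-lived ACME provisioner. This is illustration written for this page, not configuration from the profile's owner or from the smallstep project; the paths, token label, key id, DNS name and the PIN value are assumed placeholders, and JSON carries no comments, so the fields are explained below the block.

```json
{
  "root": "/etc/step-ca/certs/root_ca.crt",
  "crt": "/etc/step-ca/certs/intermediate_ca.crt",
  "key": "pkcs11:id=7331;object=intermediate-key",
  "kms": {
    "type": "pkcs11",
    "uri": "pkcs11:module-path=/usr/lib/softhsm/libsofthsm2.so;token=step-ca?pin-value=CHANGE-ME"
  },
  "address": ":9000",
  "dnsNames": ["ca.example.internal"],
  "logger": { "format": "json" },
  "db": {
    "type": "badgerv2",
    "dataSource": "/var/lib/step-ca/db"
  },
  "authority": {
    "provisioners": [
      {
        "type": "ACME",
        "name": "internal-acme",
        "claims": {
          "minTLSCertDuration": "5m",
          "defaultTLSCertDuration": "24h",
          "maxTLSCertDuration": "24h"
        }
      }
    ]
  }
}
```

The "key" field is a PKCS#11 URI rather than a file path: the intermediate private key is generated inside the SoftHSM token (the same layout works unchanged with a real HSM) and step-ca signs through the module named in "kms.uri", so a copy of /etc/step-ca yields certificates but no key. The provisioner claims cap leaf lifetime at 24 hours, which is what makes rotation an automatic ACME renewal rather than a ticket; the PIN is given inline only to keep the example self-contained and belongs in a file or secret store in a real deployment.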