Remote identity engineers build and operate the identity and access management infrastructure that controls who can access what in the company's systems — designing the authentication systems, the authorisation frameworks, the SSO integrations, and the identity governance that determines whether the organisation's access controls are a security asset or a productivity burden. The role is where security engineering meets platform design.

What they do

Identity engineers design and implement the authentication infrastructure — the identity provider integrations (Okta, Azure AD, Ping Identity, Auth0), the SAML and OIDC federation protocols, the multi-factor authentication systems, and the passwordless authentication implementations that control how users and services authenticate to the company's applications and systems. They build the authorisation framework — the role-based access control (RBAC) model, the attribute-based access control (ABAC) policies, the OAuth 2.0 scopes and consent flows, and the permission management systems that determine what authenticated identities are permitted to do. They own the single sign-on (SSO) programme — the enterprise SSO configuration for the company's own employees, and the customer-facing SSO integration capability (SAML, SCIM, OIDC) that enterprise customers require for their users to authenticate through their corporate identity provider. They implement the SCIM (System for Cross-domain Identity Management) provisioning — the automated user provisioning and deprovisioning from the HR system or identity provider that ensures access rights are kept current as employees join, change roles, and leave. They govern the machine identity programme — the service accounts, the API keys, the service-to-service authentication (mTLS, JWT, service mesh identity), and the secrets management infrastructure that controls how software systems authenticate to each other. They manage identity security — the privileged access management, the just-in-time access provisioning, the access review programme, and the identity threat detection that identifies and responds to credential-based attacks.

Required skills

Identity protocol expertise — OIDC, OAuth 2.0, SAML 2.0, SCIM, and the identity provider APIs (Okta, Azure AD, Cognito, Auth0) — at the depth that allows both integration implementation and the debugging of the complex protocol-level issues that enterprise SSO configurations reliably produce. Directory and access management for the LDAP/Active Directory integration, the group-based access management, and the identity governance that makes access rights correct, auditable, and efficiently managed at scale. Security engineering for the threat model analysis, the credential security design, the token security, and the identity attack surface awareness that distinguishes identity engineering from identity administration. Software engineering for the authentication service development, the authorisation policy implementation, and the identity SDK integration that requires writing production-quality code in the identity infrastructure layer.

Nice-to-have skills

Zero trust architecture expertise for identity engineers at companies implementing zero trust network access (ZTNA) — the continuous authentication, the device trust integration, the network micro-segmentation, and the identity-centric access control that replaces perimeter-based security models. Privileged access management (PAM) expertise for identity engineers who own the privileged identity programme — the vault-based credential management (HashiCorp Vault, CyberArk, BeyondTrust), the session recording, and the just-in-time privileged access workflows that manage administrative credentials. Customer identity and access management (CIAM) expertise for identity engineers at companies building consumer or B2B SaaS products where the customer-facing identity experience (registration, login, MFA, SSO for enterprise customers) is a product feature rather than an internal IT function.

Remote work considerations

Identity engineering is highly compatible with remote work — authentication system development, authorisation framework design, SSO integration, SCIM provisioning, and identity security engineering are all async-executable. The enterprise SSO onboarding dimension — the customer SSO configuration assistance, the SAML metadata exchange, and the integration debugging that enterprise customers require — benefits from reliable async support documentation and the structured onboarding workflow that allows customers to configure SSO without requiring synchronous support calls for every integration. Remote identity engineers invest in the identity observability infrastructure (authentication success and failure metrics, token issuance patterns, access review dashboards) that surfaces identity security issues and access anomalies automatically. The on-call dimension — the authentication outages and SSO failures that affect the entire workforce and require rapid response — requires robust identity infrastructure architecture designed for high availability and the incident response runbooks that allow remote on-call engineers to diagnose and remediate authentication issues quickly.

Salary

Remote identity engineers earn $130,000–$200,000 USD in total compensation at mid-to-senior level in the US market, with senior identity engineers and principal IAM engineers at large technology companies reaching $210,000–$320,000+. European remote salaries range €85,000–€155,000. Enterprise SaaS companies where enterprise SSO and SCIM are table-stakes features for selling to corporate customers, financial services companies with regulatory identity and access management requirements, healthcare companies with HIPAA-compliant access control and audit logging obligations, government contractors with FedRAMP identity management requirements, and large technology companies implementing zero trust architecture across complex multi-cloud environments pay at the upper end.

Career progression

Security engineers with authentication focus, backend engineers who develop identity domain expertise, and platform engineers who specialise in access management infrastructure move into identity engineer roles. From identity engineer, the path runs to senior identity engineer, staff identity engineer, principal IAM engineer, and identity architect. Some identity engineers move into security architecture (carrying identity expertise into a broader security design role), into CIAM product management at identity platform companies, or into zero trust programme leadership where identity engineering expertise is the technical foundation.

Industries

Enterprise SaaS companies where enterprise SSO and SCIM provisioning are customer requirements for closing mid-market and enterprise deals, financial services companies with regulatory access management and privileged access audit requirements, healthcare companies with HIPAA-compliant identity and access management infrastructure, government and defence contractors with cleared-facility access control and FedRAMP identity requirements, large technology companies implementing zero trust network access, and identity platform companies (Okta, Azure AD, Auth0, Ping Identity) building the identity infrastructure that other companies depend on are the primary employers.

How to stand out

Demonstrating specific identity infrastructure outcomes with organisational impact — the enterprise SSO programme you built that reduced customer onboarding friction and was cited as a purchase accelerator in X enterprise deals, the zero trust identity implementation that replaced VPN access for X employees and reduced the blast radius of credential compromise incidents, the SCIM provisioning system that automated X employee access provisioning and reduced the access offboarding time from X days to Y hours — positions identity engineering as a measurable security and business enablement investment. Being specific about the identity stack you designed and operated (IdP, protocols, provisioning, MFA, PAM tooling) and the access scale you managed (employee count, application count, privileged account volume) shows the technical and programme scope the role requires. Remote identity engineers who demonstrate strong identity documentation practices — protocol flow diagrams, access model documentation, SCIM provisioning runbooks — show they can maintain identity infrastructure knowledge across distributed teams without relying on proximity-based tribal knowledge.

FAQ

What is the difference between authentication and authorisation?

Authentication answers the question "who are you?" — it is the process of verifying that the entity claiming an identity (a user, a service, a device) is actually who they claim to be. Authorisation answers the question "what are you allowed to do?" — it is the process of determining what resources and actions an authenticated identity is permitted to access. Authentication typically happens first (the user logs in and their identity is verified) and produces an authenticated session or token; authorisation happens on every resource access decision (the system checks whether the authenticated identity has the permission to perform the requested action). Both are necessary: authentication without authorisation means any authenticated user can access everything; authorisation without authentication means the system cannot reliably determine who it is authorising. Identity engineers design and build both layers, and the quality of both determines the organisation's access security.

What is SCIM and why do enterprise customers require it?

SCIM (System for Cross-domain Identity Management) is the protocol that automates the provisioning and deprovisioning of user accounts across systems — when an HR system adds an employee, SCIM pushes the new user to all connected applications; when an employee leaves, SCIM deactivates their access in every connected application automatically. Enterprise customers require SCIM because without it, access management is a manual process: each time an employee joins, changes roles, or leaves, IT administrators must manually update access in every SaaS tool the employee uses. At enterprises with hundreds or thousands of SaaS applications, manual provisioning is both operationally expensive and a security risk (delayed deprovisioning leaves access active for departed employees). Enterprise procurement teams typically include SCIM support as a requirement in security questionnaires, and its absence can block deals with larger customers who have automated identity governance requirements.

How do you design an authorisation model that scales with the company without becoming unmanageable?

By choosing the right authorisation model for the company's access pattern complexity, and by building the policy management infrastructure before the authorisation logic becomes too complex to reason about. Simple, flat applications with homogeneous users work well with role-based access control (RBAC) — each user has a role, each role has permissions. Applications with complex, context-dependent access patterns (data ownership, geographic restrictions, time-based access, resource-level permissions) require attribute-based access control (ABAC) or a policy engine (Open Policy Agent, Casbin, AWS Cedar) that evaluates rich policy rules against request context. The authorisation design that scales: start with the simplest model that correctly expresses the access patterns (usually RBAC); add attributes and policy rules only when RBAC cannot express the required access logic; invest in a centralised policy engine rather than distributing authorisation logic across services; and build the policy testing infrastructure that validates authorisation decisions at scale before a policy change reaches production.
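
The design steps in the answer above, as an added example that is not part of the original page: one central decision function that starts with RBAC, a candidate policy that adds a single attribute rule, and a pre-deployment check that lists every decision the change would flip. The role names, the `region` attribute, the fixtures and the helper names are all assumptions constructed for illustration.

```python
# Illustrative sketch: RBAC first, one ABAC rule, and a pre-deploy decision diff.
from itertools import product

# RBAC layer: role -> set of (action, resource_type) permissions.
CURRENT_POLICY = {
    "roles": {
        "viewer": {("read", "invoice")},
        "finance": {("read", "invoice"), ("approve", "invoice")},
    },
    # ABAC layer: extra conditions per permission; every one must hold.
    "conditions": {},
}

# Candidate change: approvals only for invoices in the user's own region.
CANDIDATE_POLICY = {
    "roles": CURRENT_POLICY["roles"],
    "conditions": {
        ("approve", "invoice"): [lambda user, res: user["region"] == res["region"]],
    },
}

def is_allowed(policy, user, action, resource):
    """Single decision point: deny by default, RBAC grant, then ABAC narrowing."""
    perm = (action, resource["type"])
    granted = any(perm in policy["roles"].get(r, set()) for r in user["roles"])
    if not granted:
        return False
    return all(cond(user, resource) for cond in policy["conditions"].get(perm, []))

def decision_diff(old, new, users, actions, resources):
    """Return every (user, action, resource) whose decision differs between policies."""
    changes = []
    for user, action, res in product(users, actions, resources):
        before = is_allowed(old, user, action, res)
        after = is_allowed(new, user, action, res)
        if before != after:
            changes.append((user["id"], action, res["id"], before, after))
    return changes

# Constructed fixtures standing in for a recorded sample of real access requests.
USERS = [{"id": "alice", "roles": ["finance"], "region": "eu"},
         {"id": "bob", "roles": ["viewer"], "region": "us"}]
RESOURCES = [{"id": "inv-1", "type": "invoice", "region": "eu"},
             {"id": "inv-2", "type": "invoice", "region": "us"}]
ACTIONS = ["read", "approve"]

if __name__ == "__main__":
    for change in decision_diff(CURRENT_POLICY, CANDIDATE_POLICY, USERS, ACTIONS, RESOURCES):
        print(change)
```

Reviewing the diff output before rollout shows exactly which identities lose or gain access, so an unintended grant or revocation is caught in review rather than in production.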
