Xylem is a Fortune 500 global water solutions company dedicated to advancing sustainable impact and empowering the people who make water work every day. As a leading water technology company with 23,000 employees operating in over 150 countries, Xylem is at the forefront of addressing the world's most critical water challenges. We invite passionate individuals to join our team, dedicated to exceeding customer expectations through innovative and sustainable solutions.

Xylem is seeking a Senior Software Developer to help drive the architecture and evolution of its enterprise Customer Identity and Access Management platform. In this role you will contribute to a transition toward a modern Policy-as-Code authorization model, participate in an active dual-domain identity migration, and work within and evolve a hybrid RBAC/ABAC authorization model serving a global portfolio of customer-facing digital products.

About the Role

As Senior Software Developer, you will be a key technical contributor on a production IAM platform serving multiple internal engineering teams and end-customer organizations worldwide.

This role is about contributing to a transition, not inheriting a steady state. The platform is actively evolving toward a modern Policy-as-Code architecture, decoupling authorization logic from application code, thinning JWT payloads, and enforcing Zero Trust principles at the gateway layer. You will help shape the roadmap and build the technical foundation the team executes against. That said, you will be operating within a production enterprise identity platform at scale.

What You'll Drive

Architectural Evolution and Policy-as-Code Direction

Contribute to the platform's evolution toward a thin-token, policy-as-code authorization model where JWTs carry identity context rather than encoded permissions and a dedicated policy engine becomes the authoritative evaluation layer. This is an active direction, not a completed migration. You will help scope the roadmap, sequence the work, and support consuming teams through the transition.

Participate in an active dual-domain migration for the identity platform, including reverse proxy configuration, dynamic issuer handling, and ensuring downstream resource servers can validate tokens across both issuer values without regression.

Authorization Model Development

Work within and evolve a hybrid RBAC/ABAC authorization model built around a user, role, customer, and application authorization tuple, including platform-defined baseline roles, customer-scoped composite roles, and application-defined custom role patterns.

Help identify and address security misconfigurations in how consuming teams integrate with the platform, ensuring authorization is evaluated against customer context, not flat role presence in a token.

Developer Experience and Integration Enablement

Contribute to Golden Path integration patterns for the engineering teams building on top of the platform, covering OAuth2/OIDC client registration, PKCE, identity provider hints, step-up authentication, redirect URI strategy, and token validation for Angular and React applications.

Platform Operations Console

Help drive an internal operations and governance UI from its current prototype state to production. The tool serves platform operators, security engineers, and compliance teams across modules including application management, role management, user management, customer hierarchy, MFA configuration, enterprise SSO federation, authorization policy authoring, and audit logs. The goal is reducing manual, ticket-based admin work.

Security, Compliance and Risk

Contribute to technical controls mapped to SOC2 CC6 and NIST 800-53 in alignment with Zero Trust principles. Support business-risk framing of architectural decisions and technical debt for leadership audiences, covering compliance exposure, audit risk, and real-time access control gaps.

What You Bring

Required

• 7+ years in software engineering with demonstrated experience in complex, multi-team platform environments
• Strong hands-on proficiency with Java and Spring Boot in a production microservice context
• Solid understanding of software development lifecycle practices including CI/CD, code review, testing strategy, and release management
• Foundational understanding of security principles — authentication, authorization, token-based identity, and secure API design
• Experience working with or integrating against an identity provider (Keycloak, Okta, Auth0, Entra ID, or similar)
• Familiarity with OAuth 2.0 and OIDC concepts including authorization code flow, PKCE, and JWT structure
• Ability to communicate technical decisions clearly to both engineering peers and non-technical stakeholders

Strongly Preferred

• Hands-on experience with Keycloak or a comparable open-source identity provider, including realm configuration, client scopes, protocol mappers, IdP federation, and the Admin REST API
• Experience with a production authorization policy engine and a point of view on decoupling policy from application code
• Experience designing IAM for multi-tenant SaaS, including JWT size constraints, token claim strategy, and downstream performance tradeoffs
• Practical experience with API gateway security and policy enforcement at the edge
• SAML 2.0 federation and enterprise SSO integration with providers such as Microsoft Entra ID or Okta
• SOC2 Type II audit preparation and NIST 800-53 control mapping
• Familiarity with NIST 800-207 Zero Trust Architecture principles

Nice to Have

• Experience with TOTP enforcement and MFA patterns for privileged access
• Reverse proxy configuration for multi-domain identity routing
• Frontend prototyping experience for operator tooling (Angular or React)
• Experience writing authorization policy expressions against principal and resource attributes
• Integration testing experience for auth flows
• Prior work on developer-facing platforms, including writing integration guides and reviewing PRs for auth correctness

Why This Role

This is not a commodity IAM deployment. It is a purpose-built platform with a nuanced authorization model that has real compliance and security implications across Xylem's entire digital portfolio. The person in this role will be contributing to architectural decisions that affect how dozens of engineering teams authenticate users, enforce fine-grained access, and satisfy audit requirements for a global water technology company.

Join the global Xylem team to be a part of innovative technology solutions transforming water usage, conservation, and re-use. Our products impact public utilities, industrial sectors, residential areas, and commercial buildings, with a commitment to providing smart metering, network technologies, and advanced analytics for water, electric, and gas utilities. Partner with us in creating a world where water challenges are met with ingenuity and dedication; where we recognize the power of inclusion and belonging in driving innovation and allowing us to compete more effectively around the world.