Enterprise IAM Software Engineer II

We are building the next generation of Identity and Access Management at Affirm. This role is ideal for someone who wants to break into IAM and blend software engineering skills with process-driven operations.

You will support the day-to-day operations of our enterprise IAM program while also contributing to scripting, bug fixes, and backend coding. This is intentionally a 50/50 role: half focused on operational process and execution, and half focused on technical delivery.

SailPoint is the core systems in our environment. You will work directly within SailPoint and the surrounding automation and integration code.

What You’ll Do

• Support the daily operations of our enterprise IAM program, including intake, triage, and execution of access lifecycle work
• Run and improve core IAM processes (joiner/mover/leaver, access requests, certifications, and break-glass patterns)
• Partner with Security, IT, and Engineering stakeholders to coordinate changes with clear ownership, approvals, and auditability
• Troubleshoot and resolve IAM-related issues, including access failures, provisioning bugs, and workflow errors
• Write and maintain scripts and small services that automate repetitive IAM tasks and reduce manual effort
• Contribute backend code and bug fixes in our IAM automation codebase (including tests and safe rollout practices)
• Help document runbooks, standard operating procedures, and operational metrics for the program
• Participate in on-call or escalation rotations as needed for IAM-owned systems

Example problems you may work on:

• Debugging a provisioning workflow that intermittently fails and adding monitoring + automated retries
• Writing a script to reconcile access between source systems and SailPoint
• Improving a Jira intake workflow so requests are validated and routed correctly before execution
• Building a small API integration to connect an internal system to identity lifecycle events

What We’re Looking For

• 2+ years of professional software engineering experience (or equivalent internship/co-op experience with strong projects)
• Ability to write production-quality code in Python or a similar backend language
• Comfort working with operational processes, tickets/requests, and cross-functional stakeholders
• Experience with APIs, scripting, and debugging distributed systems issues
• Familiarity with CI/CD and GitHub-based workflows
• Familiarity with cloud environments (AWS preferred)
• Strong written communication and documentation habits

Nice to Have

• Any exposure to IAM/IGA/SSO concepts (e.g., SAML/OIDC, SCIM, RBAC)
• Experience with SailPoint, Auth0, Okta, OneLogin, or similar identity platforms
• Experience with infrastructure as code (Terraform or similar)
• Familiarity with compliance/audit-driven environments (SOC 2, SOX, ISO, PCI)

Base Pay Grade - L

Equity Grade - Canada 5

Employees new to Affirm typically come in at the start of the pay range. Affirm focuses on providing a simple and transparent pay structure which is based on a variety of factors, including location, experience and job-related skills. [IF APPLICABLE] For sales roles, the range provided is the role’s On Target Earnings ("OTE") range, which includes the annual base pay and the sales incentive target.

Base pay is part of a total compensation package that may include monthly stipends for health, wellness and tech spending, and benefits (including 100% subsidized medical coverage, dental and vision for you and your dependents). In addition, the employees may be eligible for equity rewards offered by Affirm Holdings, Inc. (parent company).

CAN base pay range per year: $125,000 - $175,000

#LI-Remote