Rafat Khan

Pune

Summary

Technology and Platform Engineering leader with 15+ years of experience designing, scaling, and governing enterprise API and identity platforms in highly regulated environments. Proven track record of leading large engineering teams and delivering secure, API-first and microservices-based architectures aligned with business outcomes. Strong expertise in Apigee Hybrid (on-prem & hybrid), IAM, OAuth 2.0, OIDC, JWT token handling, and identity federation with enterprise IDPs (ForgeRock). Deep understanding of Zero Trust architecture principles, service mesh security (mTLS, east-west traffic protection), and secure-by-design API architectures. Extensive experience in BFSI, Insurance, and US-regulated enterprises, driving compliance-ready platforms that enhance security, scalability, and governance.

Overview

15 years of professional experience
1 Certification

Work History

Principal Architect

Avaloq an NEC Company
01.2023 - 08.2025

  • Designed and deployed enterprise-grade Single Sign-On (SSO) using PingFederate across 500+ internal and SaaS applications.
  • Applied TOGAF principles to define enterprise-wide architecture standards covering Business, Application, Data, and Technology domains.
  • Designed and governed on-premises and hybrid API security architecture using Apigee, enforcing OAuth 2.0 and JWT-based access controls across enterprise APIs.
  • Implemented token lifecycle management including issuance, validation, introspection, expiry, and rotation aligned with OAuth 2.0 RFC standards.
  • Integrated Apigee with ForgeRock IDP for OIDC-based authentication and federated identity flows.
  • Defined Zero Trust principles for APIs, ensuring every API call was authenticated, authorized, and validated regardless of network location.
  • Collaborated with platform teams to align API security with service mesh architectures (mTLS, east-west traffic protection).
  • Created SAML 2.0 connections for enterprise and third-party apps, including attribute mapping, signing, and encryption certificates.
  • Designed and implemented OIDC client configurations with authorization code and implicit flows.
  • Integrated OAuth 2.0 resource servers with PingFederate using access tokens and scopes for granular authorization.
  • Built custom authentication policies in PingFederate leveraging policy contracts, authentication selectors, and adapters.
  • Designed and architected IAM solutions leveraging Active Directory, Azure AD, Azure, and ADFS.
  • Integrated user provisioning processes for enterprise applications across the organization.
  • Led SAP integration by migrating legacy SAP tools to SAP S/4HANA.
  • Applied advanced expertise in authentication protocols (SAML, OAuth 2.0, OpenID Connect) and token standards (SAML/JWT).
  • Authored High-Level Designs (HLDs), Low-Level Designs (LLDs), and configuration guides for enterprise IAM solutions.
  • Embedded Conditional Access, Tenant Restrictions, and RBAC as core security controls within M365 designs.
  • Defined and implemented Security Baselines for Azure AD and M365 environments.
  • Architected SIEM integration using Log Analytics, Event Hub, Splunk, and ESaaS for centralized logging and monitoring.
  • Established guest user recertification processes to enforce Azure AD governance and compliance.
  • Implemented Identity Governance & Access Packages for streamlined role assignment and compliance adherence.
  • Transitioned from ADFS to Pass-through Authentication (PTA) for simplified authentication.
  • Upgraded AD Connect to the latest version for secure synchronization.
  • Migrated from on-premises MFA to Azure MFA for stronger security and user experience.
  • Designed and deployed PIM for Entra ID and Azure resource roles.
  • Migrated 200+ enterprise applications from Ping ID to Azure AD using SAML, OIDC, and OAuth 2.0.
  • Implemented seamless identity sync across multiple O365 tenants.
  • Configured cloud group synchronization back to on-prem AD using Cloud Sync Agent.
  • Delivered unified identity lifecycle management by integrating One Identity, Azure, SAP, and AD.
  • Extended Domain Controller migration to Azure AD using virtualized infrastructure.
  • Upgraded AD (2008 to 2022) for modernization and enhanced security.
  • Migrated Exchange Server (2016 to 2019) for reliability and compliance.
  • Integrated Zscaler for secure remote access.
  • Implemented Palo Alto Firewall integration for enterprise security.
  • Developed PowerShell scripts for automation of administrative tasks, IAM, and cloud security processes.

O365 Tenant Administrator

Barclays BCS Pune
08.2021 - 10.2022
  • Architected hybrid Apigee deployments to secure north-south and east-west API traffic in regulated enterprise environments.
  • Designed OIDC and OAuth 2.0 authorization flows using ForgeRock as the central IDP for internal and partner-facing applications.
  • Implemented fine-grained token validation (claims, scopes, audience, issuer) within Apigee policies to enforce least-privilege access.
  • Led Zero Trust API adoption, decoupling API access from network trust and enforcing identity-based authorization.
  • Integrated API security controls with service mesh patterns, enabling mTLS and identity propagation between microservices.

Escalation Engineer

Concentrix (Convergys)
09.2019 - 08.2021
  • Led enterprise IAM strategy for API ecosystems, securing APIs using Apigee on-prem and hybrid models.
  • Established OAuth 2.0 and OIDC standards across teams, ensuring compliance with relevant RFCs and security best practices.
  • Integrated ForgeRock with Apigee for centralized identity, token issuance, and federated authentication.
  • Designed Zero Trust–aligned API security architecture, eliminating implicit trust between services and consumers.
  • Supported frontend security architectures (MFE/Web Components) by enabling secure token exchange and backend API protection.

Senior Associate

Capita India Pvt Ltd
08.2018 - 09.2019
  • Defined API-first IAM architecture using Apigee hybrid deployments for scalable and secure enterprise integrations.
  • Implemented advanced token handling mechanisms including JWT signing, validation, token exchange, and revocation strategies.
  • Designed OIDC federation models with ForgeRock to support internal users, partners, and service identities.
  • Aligned API security with Zero Trust and service mesh architectures, enforcing identity-based access for all service calls.
  • Advised application teams on frontend-to-backend security patterns, ensuring secure OAuth token usage in modern UI architectures.

O365 Administrator

Livewire India
06.2017 - 08.2018

  • Managed a team to identify and resolve challenges in daily BAU operations.
  • Oversaw infrastructure operations including user account and license management.
  • Configured and maintained Palo Alto and FortiGate Next-Generation Firewalls for secure network operations.
  • Implemented App-ID, User-ID, and Content-ID for application-based firewall security.
  • Created and enforced Conditional Access and Multi-Factor Authentication (MFA) policies in Azure AD.
  • Resolved MFA-related issues including resets and configuration updates.
  • Managed Azure AD Connect and Connect Health for directory synchronization.
  • Supported migration of all directory objects from multiple domains to a unified target domain.
  • Monitored and resolved Azure AD licensing and group-based assignment issues.
  • Troubleshot Azure AD Connect sync errors, data mismatches, and attribute conflicts.
  • Managed security and identity operations including DirSync and PTA for seamless authentication.
  • Assisted users with Self-Service Password Reset (SSPR) and login customization.
  • Collaborated with billing and gateway teams to fulfill customer requirements.

Associate

Concentrix Daksh Pvt Ltd
07.2016 - 05.2017

  • Troubleshot complex Active Directory issues including replication, FRS, Global Catalog, FSMO, DFS, and LSASS errors.
  • Resolved advanced AD-related problems for Microsoft Enterprise customers.
  • Provided advisory support on Active Directory design, implementation, and best-practice recommendations.
  • Monitored and resolved Azure AD licensing issues, including group-based license assignments.
  • Configured and managed Self-Service Password Reset (SSPR) in Azure AD.
  • Created and enforced Data Loss Prevention (DLP) policies in Microsoft 365 Security & Compliance.
  • Managed Azure resources including storage, enterprise applications, and virtual components.
  • Configured enterprise applications with Single Sign-On (SSO) using the SAML protocol in Azure AD.
  • Developed and maintained retention and Messaging Records Management (MRM) policies for data lifecycle compliance.
  • Implemented Office Message Encryption (OME) to secure email communication in O365.
  • Introduced Microsoft Planner syncing to monitor Office 365 Message Center updates.
  • Configured and managed Azure AD Application Proxy for secure remote access to internal apps.
  • Ensured all client services were maintained in line with contractual SLAs and performance standards.

Technical Lead

Seatouch
06.2010 - 07.2016

  • Worked on Outlook troubleshooting issues.
  • Troubleshot Outlook configuration issues including profile setup and connectivity.
  • Configured and supported ADFS 2.0, ADFS 3.0, ADFS Proxy, and WAP.
  • Managed Exchange environments including Exchange 2007, 2010, 2013, and 2016.
  • Performed migrations to SharePoint Online (SPO) and OneDrive for Business (ODB).
  • Configured and optimized EOP policies to safeguard email communication.
  • Implemented custom anti-phishing policies to block phishing attempts.
  • Collaborated with cybersecurity teams to fine-tune EOP policies.
  • Designed and implemented retention policies in Office 365 to meet compliance requirements.
  • Configured retention labels and classifications for automated data management.
  • Collaborated with legal teams to create and enforce legal hold policies.

Education

B.Com - Commerce

MUCC College
Pune University
06-2016

Skills

  • Cloud architecture
  • Security best practices
  • Identity management
  • Apigee Hybrid
  • API IAM
  • OAuth2 Tokens
  • OIDC Federation
  • JWT Validation
  • ForgeRock IDP
  • Zero Trust
  • Service Mesh
  • Token Governance
  • Frontend Security
  • Office 365 migration
  • Email security implementation
  • Documentation and knowledge sharing
  • High availability configuration
  • Platform Engineering & Cloud Architecture (Azure, Hybrid Cloud)
  • Third-party tool integration
  • DNS and certificate management
  • Java, PowerShell, Python scripting
  • Auditing and compliance
  • Monitoring and reporting tools
  • Firewall management
  • VPN configuration
  • Enterprise security
  • SaaS implementation
  • Team management
  • Stakeholder collaboration
  • Docker and Kubernetes
  • Kubernetes deployment
  • Azure Kubernetes service
  • Agile methodology
  • Teamwork and collaboration
  • Data loss prevention
  • Project leadership
  • Azure devops
  • Azure functions
  • DevOps management
  • Technical leadership
  • Process automation
  • Cost estimating

Certification

  • PMP for project management
  • Change management for organizational transitions
  • CCNA for networking fundamentals
  • CISSP and CISM for advanced cybersecurity and information security governance
  • MS-900, AZ-900, AZ-104, AZ-305 Microsoft certifications, covering foundational to expert-level cloud and infrastructure management in Azure

Languages

English
First Language
