
Principal Solutions Architect

Faraz Ali Zuberi

I set target-state architecture and lead the hardest cross-domain problems — event streaming, identity, and AI/MCP platforms — then turn them into the patterns and standards a whole engineering org runs on.

About

Summary

Principal Solutions Architect with 16+ years building and modernising large-scale, multi-tenant SaaS platforms — 6+ of them at the architect level. I set current- and target-state architecture, advise C-level executives, and stay hands-on across distributed systems, event-driven architecture, identity, and AI/MCP platforms. I lead the hardest cross-domain problems: breaking up monoliths in thin slices, designing Kafka/Debezium CDC pipelines, and building secure OAuth2/PKCE and MCP authorization flows — then turn them into reusable patterns, standards, and reference architectures the whole org runs on.

  • 16+ yrs engineering experience
  • 6+ yrs at architect level
  • Since 2016 at ELMO Software
  • ISO 27001: led accreditation

Capability map

Where I operate

Five domains I set architecture and standards across — colour-coded for orientation, not seniority.

Principal Solutions Architect
Sets current- & target-state architecture · advises the C-suite

Distributed systems & events

  • Kafka, Confluent, Redpanda
  • Debezium CDC pipelines
  • Avro & Schema Registry
  • Event-driven architecture
  • Time-based consumer SLOs
  • Multi-region, GDPR-aware data

Identity & AI security

  • OAuth2, OIDC, SAML, JWT
  • PKCE & device authorization
  • MCP auth, consent & AI gateways
  • IAM, SCIM, Kong, Keycloak
  • ISO 27001 · DevSecOps
  • Mobile / QR-code login

Platform & integration

  • Public API, BFF & SPA pattern
  • Multi-tenant platform services
  • Two-way data sync
  • Config, notifications, shared services
  • API standards & REST design
  • Reusable Terraform & containers

Architecture leadership

  • Current- & target-state (strawman)
  • Reference architectures
  • DACI decision records
  • C-suite technical strategy
  • Governance & org-wide standards
  • Delivery maturity models

Modernisation

  • Strangler fig pattern
  • Thin-slice extraction
  • Interceptor / shadow-run cutover
  • DDD & service right-sizing
  • Evolutionary architecture
  • Technical-debt management
16+ years · 6+ as architect
TypeScript · JavaScript · PHP · AWS · Confluent · Kubernetes · Terraform

Selected work

Initiatives I've led

Cross-domain platform, identity, and AI work at ELMO Software — each turned into reusable patterns and org-wide standards.

AI / MCP authorization platform

Featured

Principal Architect · 2024–25

Designed a multi-phase MCP (Model Context Protocol) authorization architecture letting AI agents (Glean, Claude) securely access multi-tenant ELMO data on a user’s behalf — an AgentCore Gateway fronting N sub-MCP servers, inbound JWT validation against the TMS identity server, semantic tool routing, hierarchical per-tenant scope filtering, PKCE-only public clients, and incremental consent via WWW-Authenticate challenges.

  • AWS Bedrock AgentCore
  • Kong
  • OAuth2/PKCE
  • OIDC
  • JWT/JWKS
  • MCP

Event streaming & CDC pipeline

Architect / DACI Driver · 2024–25

Drove the event-streaming platform decision (DACI) — Kinesis vs Kafka/MSK, DMS vs Debezium+Kafka Connect — landing on Apache Kafka for CDC and domain events. Architected the ELMO Kafka Consumer Library (EKCL), defined time-based CDC SLOs targeting p95 < 500ms, and set the schema-registry strategy for 400+ source tables across 5+ teams.

  • Apache Kafka
  • MSK
  • Debezium
  • Avro
  • Schema Registry
  • Node.js

Identity platform — device auth & QR login

Principal Security Architect & Team Lead · 2023–24

Led the upgrade of ELMO’s identity server to the OAuth2 Device Authorization flow, enabling mobile-app login via QR code. Implemented the IETF specifications and hardened the flow beyond the baseline spec, with automated security scanning built into the delivery pipeline.

  • OAuth2 Device Flow
  • OIDC
  • PKCE
  • JWT
  • CI/CD

Two-way data sync — payroll integration

Principal Architect · 2023–24

Principal architect for a two-way sync keeping payroll data consistent between two independent systems, partnering with Thoughtworks Australia. Designed an event-ledger state machine and a worker/conflict-management service with timestamp-based conflict resolution, on a serverless + container stack with full observability.

  • AWS SNS/SQS/Lambda
  • DynamoDB
  • Elasticsearch
  • Kubernetes
  • WSO2

Public API, BFF & SPA foundational pattern

Principal Architect · 2022–23

Authored and ratified the Public API / BFF / SPA pattern: per-service-area CloudFront edge routing, S3-hosted SPAs, BFFs keeping auth secrets server-side in ElastiCache/Redis, and distributed public API gateways under one apex domain. Built reusable Terraform modules and a shared BFF container image, plus the external-party OAuth2 access model.

  • CloudFront
  • API Gateway
  • Lambda
  • ElastiCache/Redis
  • Terraform
  • OAuth2

Monolith modernisation — thin-slice refactoring

Architect · Ongoing

Defined the strategy for re-architecting the TMS monolith toward target state using the Strangler Fig and Interceptor patterns — replacing functionality in small, low-risk slices. Specified parallel/shadow-run for high-risk extractions (payroll tax engine, permissions module) and tied modernisation to event interception so new services develop without coupling to the legacy emitter.

  • Strangler Fig
  • Interceptor pattern
  • Event interception
  • DDD

Architecture showcase

MCP authorization platform

The most current and differentiating piece of work — secure AI-agent access to multi-tenant data.

AI agents like Glean and Claude need to act on a user's behalf against multi-tenant ELMO data — without ever exceeding what that user, or their tenant, is allowed to see. The design threads an OAuth2/PKCE token (no client secret) from the agent host through an AgentCore Gateway, a fleet of sub-MCP servers, and the Kong API gateway down to the downstream services.

JWTs are validated and scope is enforced at every tier, with hierarchical per-tenant scope filtering applied at the identity server's /authorize endpoint. Insufficient-scope responses drive incremental consent via WWW-Authenticate challenges, so agents request exactly the access they need and no more.

Request path (top to bottom), with what each tier does:

  • AI agent host (Glean / Claude) ← OAuth2 + PKCE authorization (no client secret) → TMS identity server (PKCE · per-tenant scopes)
  • Bearer token → AgentCore Gateway: validate inbound JWT (JWKS) · semantic tool routing · tool catalogue
  • Sub-MCP servers (1..N): validate JWT · check scope claim · 403 insufficient_scope → incremental consent
  • Kong API gateway: verify JWT + secret header · path-based route · strip secret before upstream
  • Downstream API services: final JWT validation (signature, audience, scope, expiry)

JWT validated and scope enforced at every tier · hierarchical per-tenant scope filtering at the identity server

Career timeline & key initiatives

2024–25 · AI / MCP authorization platform
AgentCore Gateway, hierarchical per-tenant scopes, PKCE, incremental consent, Kong
2024–25 · Event streaming & CDC pipeline
Kafka/Debezium DACI, EKCL consumer library, schema registry, time-based SLOs
2023–24 · Identity server & two-way sync
OAuth2 device flow + QR login; payroll two-way sync with Thoughtworks
2021–23 · Platform patterns & IAM
Public API/BFF/SPA, integrations platform, IAM with SCIM, governance framework
2016 · Joined ELMO Software, Sydney
Grew from mid-level developer to Principal Solutions Architect
2008–16 · Earlier career
Head of Programming, Mariah Solutions · Temenos T24 consultant, NDC

Standards & writing

What I codify

Architecture only scales when it becomes the patterns and standards an org actually runs on.

API Standards

Org-wide, 100+ readers

REST design, versioning, resource modelling, bulk/idempotency, error responses.

Right-Sizing Your Service Areas

Ratified

A microservice guide on coupling metrics, cohesion and decomposition.

Load Testing & Planning for Goodput

Published

SLOs, peak/average load, replica and goodput calculations.

Major author of ELMO’s Architecture Handbook — Architectural Vision & North Star, Architecture Principles, the Strawman stack, Reference Architectures (monolith / microservice / serverless), database-tenancy & naming guides, Refactoring the Monolith, Public API/BFF/SPA, Authentication & Token Auth, Event Streaming (Kafka), and ELMO MCP.

Technologies

Streaming & Data
Apache Kafka, Confluent, Redpanda, Debezium, Avro, Schema Registry, Kinesis, Redshift, Aurora, DynamoDB, RDS/MySQL, Elasticsearch, Redis
Languages
TypeScript, JavaScript, PHP; NestJS, Symfony, Node.js
AWS
API Gateway, Lambda, SNS, SQS, Kinesis, S3, CloudFront, ElastiCache, Cognito, Bedrock AgentCore, ECR, WAF, VPC, IAM
Identity & Gateways
Kong, Keycloak, OAuth2/OIDC/SAML, WSO2 Micro-integrator, Dell Boomi
Platform & DevSecOps
Docker, Kubernetes, Helm, ArgoCD, Jenkins, SonarQube, Artifactory, Terraform
Observability
Elastic, Kibana, Grafana, APM, RUM, JMeter, Vegeta, Temporal.io

Contact

Let's talk

Open to senior and principal architecture roles. The fastest way to reach me is email or LinkedIn.

Location
Sydney, Australia · Australian citizen

Background

Bachelor of Computer Sciences

FAST-NU, Pakistan · Aug 2004 – Jun 2008


  • Mariah Solutions

    Senior Developer → Head of Programming · Jeddah

    May 2010 – Jan 2016

  • NDC Technologies

    Temenos T24 Consultant

    Aug 2008 – Apr 2010