Multi-cloud deployment: difference between using an Identity Provider (IdP) and a Local Bearer Token

Answer:

While it's not necessary to have an identity provider (check the Multi-Cloud FAQ for more details), that is the recommended option for having a fully integrated set-up, where users are shared between the on-premise and SaaS environments.
Here are the main differences:

• Identity Provider (IdP)
  • no duplicated users, which means that one person will only consume one license allocation
  • a central repository for all users, integrated between environments
  • it requires getting the service from a third party (generally at a cost) and implementing a solution
    
    
• Local Bearer Token
  • can be used immediately, without having an Identity Provider
  • easy setup
  • separate set of user repositories. Typically: Active Directory for on-premise access and QlikID for SaaS access*
  • the same person will use two license allocations when accessing SaaS and on-premise applications

* For some companies this might actually be a preferred choice (e.g.: granting SaaS access to external users authenticating with QlikID, and keeping the on premise version for internal ones on AD)