Multi-cloud deployment: difference between using an Identity Provider (IdP) and a Local Bearer Token

Daniele_Purrone · May 10, 2022 2:59:01 PM

Question:

The help site for Qlik Sense Enterprise for Windows mentions, among the characteristics of a multi-cloud deployment, "an identity provider that supports OIDC and SAML to integrate user authentication between on-premises and cloud, or a local bearer token".
What is the difference between the two options?

Environment:

Qlik Cloud with Qlik Sense Enterprise on Windows multi-cloud setup

Answer:

While it's not necessary to have an identity provider (check the Multi-Cloud FAQ for more details), that is the recommended option for having a fully integrated set-up, where users are shared between the on-premise and SaaS environments.
Here are the main differences:

Identity Provider (IdP)
- no duplicated users, which means that one person will only consume one license allocation
- a central repository for all users, integrated between environments
- it requires getting the service from a third party (generally at a cost) and implementing a solution
Local Bearer Token
- can be used immediately, without having an Identity Provider
- easy setup
- separate set of user repositories. Typically: Active Directory for on-premise access and QlikID for SaaS access*
- the same person will use two license allocations when accessing SaaS and on-premise applications

* For some companies this might actually be a preferred choice (e.g.: granting SaaS access to external users authenticating with QlikID, and keeping the on premise version for internal ones on AD)

Multi-cloud deployment: difference between using an Identity Provider (IdP) and a Local Bearer Token