Using an external Identity Provider (IDP), it is easy to control users' assignments to access groups (e.g. Analytics Admin or Developer). With Keycloak as IDP this works fine: new users can be created and their initial logon works fine.
What's missing is the user's entitlement to e.g. an Analyzer or Professional license. For me it is not an option to have a new user automatically assigned the Professional entitlement, since the majority will work as Analyzer. Thus I must always go to the Qlik Mgmt Console and manually set the desired entitlement for each user.
When using an external IDP, it is essential to control appropriate license allocation as well, since privileges and entitlement are related. Also, changing the entitlement of a user later via the IDP is important for centralized user management.