Benefits of IdP versus local accounts
Keycloak is the application Spark uses for Identity and Access Management (IAM).
Coherent strongly recommends that customers federate their own Identity Provider (IdP), such as Microsoft Entra ID, Okta, or any SAML/OIDC-compliant IdP, and integrate with Keycloak instead of relying upon local Keycloak accounts created using Manage users.
Using a federated corporate IdP gives the customer full control over:
| Compliance integration | Federated IdP | Local Keycloak accounts |
|---|---|---|
| User lifecycle management and password policies | ✅ | Manual user management. |
| SSO | ✅ | Not supported natively. |
| MFA enforcement | ✅ | Basic MFA implementation with Keycloak. |
| JIT provisioning | ✅ | Manual user management. |
| Security Information and Event Management (SIEM) visibility | ✅ | Requires custom integration and mapping. |
| Privileged Access Management (PAM) | ✅ | Requires custom roles configuration. |
| Just-in-Time Access for elevated roles | ✅ | Not supported without external tooling. |
Single Sign-On (SSO) and improved user experience
Federating an IdP enables seamless SSO across systems, reducing password fatigue and operational overhead. Users authenticate using corporate-approved methods and strong multi-factor authentication mechanisms.
No additional credentials are required, providing secure and streamlined access.
Compliance and auditing
Customer internal compliance standards (e.g., HIPAA, ISO 27001, SOC 2) likely require centralized control over:
Access logs.
MFA enforcement.
User provisioning and deprovisioning.
Audit trails.
When using a corporate IdP:
All authentication events are logged in the customer's Security Information and Event Management (SIEM) system and are visible to the customer's Security Operations Center (SOC).
Compliance policies extend into the customer's Spark tenant.
Local Keycloak accounts do not feed these logs and controls into the customer's own systems, making it harder for organizations to maintain a complete audit trail for Spark usage.
Minimized attack surface
Each local account represents a potential attack vector. Maintaining local accounts means organizations must manage identities for an additional application or environment. This leads to:
Duplicated user management effort.
Increased likelihood of inconsistent access controls.
Higher operational overhead and audit complexity.
Users must manage an additional password, which itself needs to be strong and rotated.
By federating a corporate IdP, the customer can:
Eliminate redundant credentials.
Centralize access control.
Reduce the risk of password-related incidents.
Just-In-Time (JIT) provisioning
Most IdPs support Just-In-Time (JIT) user provisioning, which automatically creates a user profile the moment a user first logs in via SSO.
Local accounts require manual provisioning and deprovisioning, which can lead to:
Stale or orphaned accounts.
Operational overhead.
Potential unauthorized access.
JIT provisioning keeps the Spark tenant aligned with the customer's current identity state.
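As an added example (not part of the Spark documentation or of Keycloak's own tooling), the following Python audit reads the user and login-event listings that the Keycloak Admin REST API returns (`GET /admin/realms/{realm}/users` and `GET /admin/realms/{realm}/events`) and flags the two risks described in the attack-surface and JIT sections above: enabled local accounts that are not backed by a federated IdP, and enabled accounts with no login inside an assumed 90-day window (stale or orphaned). The sample records are constructed; field names follow Keycloak's UserRepresentation and EventRepresentation, and the fixed clock and 90-day threshold are assumptions for this example.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock so the run is reproducible (assumed)
STALE_AFTER = timedelta(days=90)                   # assumed review threshold, not a Keycloak setting

def ms(dt):  # Keycloak reports createdTimestamp and event time as epoch milliseconds
    return int(dt.timestamp() * 1000)

# Constructed sample of GET /admin/realms/{realm}/users (UserRepresentation fields).
USERS = [
    {"id": "u1", "username": "alice", "enabled": True, "createdTimestamp": ms(NOW - timedelta(days=400)),
     "federatedIdentities": [{"identityProvider": "entra-id", "userId": "x1", "userName": "alice@example.com"}]},
    {"id": "u2", "username": "bob", "enabled": True, "createdTimestamp": ms(NOW - timedelta(days=300)),
     "federationLink": "ldap-storage-provider-id"},  # user-storage federation, not a local account
    {"id": "u3", "username": "carol", "enabled": True, "createdTimestamp": ms(NOW - timedelta(days=30))},
    {"id": "u4", "username": "dave", "enabled": True, "createdTimestamp": ms(NOW - timedelta(days=500))},
    {"id": "u5", "username": "erin", "enabled": False, "createdTimestamp": ms(NOW - timedelta(days=700))},
]

# Constructed sample of GET /admin/realms/{realm}/events (EventRepresentation); only LOGIN counts as use.
EVENTS = [
    {"type": "LOGIN", "time": ms(NOW - timedelta(days=2)), "userId": "u1"},
    {"type": "LOGIN", "time": ms(NOW - timedelta(days=200)), "userId": "u2"},
    {"type": "LOGIN", "time": ms(NOW - timedelta(days=10)), "userId": "u3"},
    {"type": "LOGOUT", "time": ms(NOW - timedelta(days=1)), "userId": "u4"},
]

def is_federated(user):
    """True when the account is backed by a brokered IdP or a user-storage provider."""
    return bool(user.get("federatedIdentities")) or bool(user.get("federationLink"))

def audit(users, events, now=NOW, stale_after=STALE_AFTER):
    """Return enabled local accounts and enabled accounts unused for longer than stale_after."""
    last_login = {}
    for ev in events:
        if ev.get("type") == "LOGIN":
            t = datetime.fromtimestamp(ev["time"] / 1000, tz=timezone.utc)
            last_login[ev["userId"]] = max(last_login.get(ev["userId"], t), t)
    findings = {"local": [], "stale": []}
    for u in users:
        if not u.get("enabled", True):
            continue  # disabled accounts cannot authenticate; out of scope for this check
        if not is_federated(u):
            findings["local"].append(u["username"])
        # An account that has never logged in is measured from its creation time.
        last_seen = last_login.get(u["id"]) or datetime.fromtimestamp(u["createdTimestamp"] / 1000, tz=timezone.utc)
        if now - last_seen > stale_after:
            findings["stale"].append(u["username"])
    return findings
```

Running `audit(USERS, EVENTS)` on the sample reports carol and dave as local accounts and bob and dave as stale; the same check against a live realm feeds naturally into the SIEM review described above.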