# Benefits of IdP versus local accounts

Keycloak is the application Spark uses for Identity and Access Management (IAM).

Coherent strongly recommends that customers federate their own Identity Provider (IdP), such as Microsoft Entra ID, Okta, or any SAML/OIDC-compliant IdP, with Keycloak instead of relying on local Keycloak accounts created using [Manage users](/tenant-administration/manage-users.md).

Federating a corporate IdP gives the customer centralized control over the following, compared with local Keycloak accounts:

| Feature                                                                                             | Federated corporate IdP | Local Keycloak accounts                  |
| --------------------------------------------------------------------------------------------------- | ----------------------- | ---------------------------------------- |
| <p>Compliance integration:</p><ul><li>User lifecycle management</li><li>Password policies</li></ul> | ✅                       | Manual user management.                  |
| SSO                                                                                                 | ✅                       | Not supported natively.                  |
| MFA enforcement                                                                                     | ✅                       | Basic MFA implementation with Keycloak.  |
| JIT provisioning                                                                                    | ✅                       | Manual user management.                  |
| Security Information and Event Management (SIEM) visibility                                         | ✅                       | Requires custom integration and mapping. |
| Privileged Access Management (PAM)                                                                  | ✅                       | Requires custom roles configuration.     |
| Just-in-Time Access for elevated roles                                                              | ✅                       | Not supported without external tooling.  |

## Single Sign-On (SSO) and improved user experience

Federating an IdP enables SSO across the customer's applications, reducing password fatigue and operational overhead. Users authenticate with corporate-approved methods, including the multi-factor authentication the IdP enforces, and the same session carries into Spark.

No separate Spark credential is created or stored, so there is nothing additional for the user to remember or for an attacker to steal.

## Compliance and auditing

Compliance frameworks that customers are subject to (e.g., HIPAA, ISO 27001, SOC 2) typically require centralized control over:

* Access logs.
* MFA enforcement.
* User provisioning and deprovisioning.
* Audit trails.

When using a corporate IdP:

* Every authentication event is logged by the IdP and forwarded to the customer's Security Information and Event Management (SIEM) system, where the Security Operations Center (SOC) can monitor and investigate it.
* The customer's compliance policies (MFA, conditional access, joiner/mover/leaver processes) extend into the Spark tenant.

Authentication events for local Keycloak accounts are not delivered to the customer's SIEM without custom integration and mapping, so organizations that rely on them find it harder to assemble a complete audit trail of Spark usage.

## Minimized attack surface

Each local account is an additional credential that can be phished, guessed, reused, or leaked. Maintaining local accounts also means the organization must manage identities in one more application, which leads to:

* Duplicated user management effort.
* Increased likelihood of inconsistent access controls.
* Higher operational overhead and audit complexity.
* Users must maintain an additional password that has to be strong and rotated.

By federating a corporate IdP, the customer can:

* Eliminate redundant credentials.
* Centralize access control.
* Reduce the risk of password-related incidents.

## Just-In-Time (JIT) provisioning

Most IdPs support Just-In-Time (JIT) user provisioning, which creates the user in the Spark tenant automatically the first time they log in via SSO, using the attributes asserted by the IdP.

Local accounts require manual provisioning and deprovisioning, which can lead to:

* Stale or orphaned accounts.
* Operational overhead.
* Potential unauthorized access.

JIT provisioning keeps the Spark tenant aligned with the customer's current identity state: new joiners get access on first login, and a user disabled or removed at the IdP can no longer sign in. Note that JIT is provisioning, not deprovisioning: the IdP does not delete the corresponding user record and role assignments in the tenant, so periodically review tenant users against the IdP directory and remove orphaned records.
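The orphaned-account risk described in this section and the redundant-credential point under "Minimized attack surface" come down to one periodic check: compare the tenant's user list with the IdP directory and flag anything that should not be there. The script below is an added example, not part of Coherent's documentation or Keycloak's code. It assumes the user list has the shape of Keycloak's UserRepresentation JSON (`id`, `username`, `enabled`, `federatedIdentities[]`), that the corporate IdP is registered in Keycloak under the alias `corp-entra`, and that the set of active user IDs has been exported from the IdP separately; all data in it is constructed for illustration.

```python
"""Reconcile a Spark tenant's Keycloak users against the corporate IdP directory.

Added example; not Coherent's or Keycloak's own code. Assumptions: the user list
follows Keycloak's UserRepresentation JSON shape, the federated IdP is registered
in Keycloak under IDP_ALIAS, and IDP_ACTIVE_IDS is the set of active user IDs
exported from the IdP. All sample data below is constructed.
"""
import json
from dataclasses import dataclass, field
from typing import List

IDP_ALIAS = "corp-entra"  # assumed Keycloak alias of the federated corporate IdP

# Constructed sample of a realm's users, modelled on Keycloak's UserRepresentation.
KEYCLOAK_USERS_JSON = """
[
  {"id": "u1", "username": "alice@example.com", "enabled": true,
   "federatedIdentities": [{"identityProvider": "corp-entra", "userId": "idp-1001",
                            "userName": "alice@example.com"}]},
  {"id": "u2", "username": "bob@example.com", "enabled": true,
   "federatedIdentities": [{"identityProvider": "corp-entra", "userId": "idp-1002",
                            "userName": "bob@example.com"}]},
  {"id": "u3", "username": "contractor.local", "enabled": true, "federatedIdentities": []},
  {"id": "u4", "username": "carol@example.com", "enabled": false,
   "federatedIdentities": [{"identityProvider": "corp-entra", "userId": "idp-1003",
                            "userName": "carol@example.com"}]},
  {"id": "u5", "username": "svc-reporting", "enabled": true}
]
"""

# Constructed sample: user IDs the IdP currently reports as active (bob's is gone).
IDP_ACTIVE_IDS = {"idp-1001", "idp-1003"}


@dataclass
class AuditResult:
    local_only: List[str] = field(default_factory=list)  # no link to the corporate IdP
    orphaned: List[str] = field(default_factory=list)    # linked and enabled, but gone from the IdP


def load_users(raw: str = KEYCLOAK_USERS_JSON) -> List[dict]:
    """Parse a user export; in a real run this would be the admin API response."""
    return json.loads(raw)


def audit_users(users: List[dict], idp_active_ids: set, idp_alias: str = IDP_ALIAS) -> AuditResult:
    """Flag local-only accounts and orphaned federated accounts."""
    result = AuditResult()
    for user in users:
        links = [
            link for link in user.get("federatedIdentities", [])
            if link.get("identityProvider") == idp_alias
        ]
        if not links:
            # No federated link: Keycloak holds a password for this user, an extra
            # credential outside the IdP's MFA, lifecycle and logging controls.
            result.local_only.append(user["username"])
            continue
        if user.get("enabled", True) and links[0]["userId"] not in idp_active_ids:
            # The IdP no longer knows this identity, but the JIT-provisioned tenant
            # record (and its role assignments) still exists.
            result.orphaned.append(user["username"])
    return result


def report(result: AuditResult) -> List[str]:
    """Render findings as one line each; an empty audit yields a single 'no findings' line."""
    lines = [f"local-only account (no {IDP_ALIAS} link): {u}" for u in result.local_only]
    lines += [f"orphaned federated account (not active at IdP): {u}" for u in result.orphaned]
    return lines or ["no findings"]


if __name__ == "__main__":
    for line in report(audit_users(load_users(), IDP_ACTIVE_IDS)):
        print(line)
```

On the constructed data the audit reports `contractor.local` and `svc-reporting` as local-only accounts and `bob@example.com` as orphaned; `carol@example.com` is already disabled, so it is not flagged. In a real run, replace the embedded JSON with the output of Keycloak's admin API user listing for the realm and the ID set with an export from the IdP, and treat every finding as either a candidate for deletion or a documented exception.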

