Question 1: LDAP provisioning seems to be onboarding users to the Mendix platform. LDAP sync will synchronize users on your app.
Question 2: This depends on your setup. Both options are possible. When creating a centralized app, you'll need to take care of creating users on the apps that need the users.
Question 3: Single Sign On is different from LDAP sync. This will allow users to be signed into your Mendix app once signed in to the network. LDAP could help when using something like Kerberos, but as you're talking about internal and external users the SAML module would be the appropriate route. Then synchronization is not needed as users can be provisioned by the SAML module.