Auto provisioning users & teams

You may provide the following additional and optional SAML attributes on your IdP side when creating SAML2 responses for our SP.

In case of malformed values or states which are not allowed e.g.role = ADMIN with teamRole = USER the login and provision workflow will always try to recover the login by relying on fallback values.

Auto provision user details

Auto provision team details

If a team with the same name does not exist, it is created on the first login of this user. In any case the user will be added to the team.

Preventing unwanted auto-provisionings in SAML setups

Besides managing access to e.g. LDAP groups on IdP side, ilert additionally offers a simple way to restrict auto-provisioning of certain users on the SdP side. The SAML settings offer the "Check provision attribute" field. By default this field is empty and it is in no way required to be set, however if you would like to prevent certain users from being auto-provisioned you can use the field.

It works by checking the provided SAML attribute field right before the auto provisioning, if you fill it e.g. with "role": when a user logs in through your IdP (for the first time), ilert will check if the SAML attribute "role" is present in the SAML response, if it is not, the user is redirected to an error page displaying the information that he/she should reach out to an account admin, otherwise the user is auto-provisioned and logged in.

As an admin or account manager, this gives you an additional option to controll the auto provisioning flow and you can make sure users that want/need to be onboarded are properly setup with their requirements before e.g. making sure a certain user is auto-provisioned with the correct role and team before his first login.