Auto provisioning users & teams
Configuring ilert SSO to automatically setup users and teams on their first login.
You may provide the following additional and optional SAML attributes on your IdP side when creating SAML2 responses for our SP.
In case of malformed values or states which are not allowed e.g.role = ADMIN with teamRole = USER the login and provision workflow will always try to recover the login by relying on fallback values.
Auto provision user details
| Attribute keys | Values | Default | Info |
|---|---|---|---|
firstName | String | parsed from Email (claim) | |
lastName | String | parsed from Email (claim) | |
position | String | None | |
department | String | None | |
role | STAKEHOLDER, GUEST, RESPONDER, USER, ADMIN | RESPONDER | |
mobileRegionCode | Region Code e.g. DE | None | |
mobileNumber | Phone Number without country e.g. 0221 123 123 | None | Requires mobileRegionCode to be set |
userProfileImage | absolute URL to image of user (500x500px) | None |
Auto provision team details
| Attribute keys | Values | Default | Info |
|---|---|---|---|
teamName | String | ||
teamRole | STAKEHOLDER, RESPONDER, USER, ADMIN | RESPONDER | if |
If a team with the same name does not exist, it is created on the first login of this user. In any case the user will be added to the team.
Auto provision will only execute if the user does not already exist, a simple login will not create and assign a team for example
Preventing unwanted auto-provisionings in SAML setups
Besides managing access to e.g. LDAP groups on IdP side, ilert additionally offers a simple way to restrict auto-provisioning of certain users on the SdP side. The SAML settings offer the "Check provision attribute" field. By default this field is empty and it is in no way required to be set, however if you would like to prevent certain users from being auto-provisioned you can use the field.
It works by checking the provided SAML attribute field right before the auto provisioning, if you fill it e.g. with "role": when a user logs in through your IdP (for the first time), ilert will check if the SAML attribute "role" is present in the SAML response, if it is not, the user is redirected to an error page displaying the information that he/she should reach out to an account admin, otherwise the user is auto-provisioned and logged in.
Note that role here is just an example, you may use any kind of SAML response attribute that you prefer to set. The value does not matter as well.
As an admin or account manager, this gives you an additional option to controll the auto provisioning flow and you can make sure users that want/need to be onboarded are properly setup with their requirements before e.g. making sure a certain user is auto-provisioned with the correct role and team before his first login.
Last updated
