# Auto provisioning users & teams
You may provide the following additional and **optional** SAML attributes on your **IdP** side when creating SAML2 responses for our SP.
In case of malformed values or states which are not allowed e.g.`role = ADMIN with teamRole = USER` the login and provision workflow will always try to recover the login by relying on fallback values.
## Auto provision user details
| Attribute keys | Values | Default | Info |
| ---------------- | -------------------------------------------------- | ------------------------- | ----------------------------------- |
| firstName | String | parsed from Email (claim) | |
| lastName | String | parsed from Email (claim) | |
| position | String | None | |
| department | String | None | |
| role | STAKEHOLDER, VIEWER, GUEST, RESPONDER, USER, ADMIN | VIEWER | |
| mobileRegionCode | Region Code e.g. DE | None | |
| mobileNumber | Phone Number without country e.g. 0221 123 123 | None | Requires mobileRegionCode to be set |
| userProfileImage | absolute URL to image of user (500x500px) | None | |
## Auto provision team details
| Attribute keys | Values | Default | Info |
| -------------- | ----------------------------------- | --------- | ---- |
| teamName | String | | |
| teamRole | STAKEHOLDER, RESPONDER, USER, ADMIN | RESPONDER | |
If a team with the same name does not exist, it is created on the first login of this user. In any case the user will be added to the team.
{% hint style="info" %}
Auto provision will only execute if the user does not already exist, a simple login will not create and assign a team for example
{% endhint %}
## Preventing unwanted auto-provisionings in SAML setups
Besides managing access to e.g. LDAP groups on IdP side, ilert additionally offers a simple way to restrict auto-provisioning of certain users on the SdP side. The SAML settings offer the "**Check provision attribute**" field. By default this field is empty and it is in no way required to be set, however if you would like to prevent certain users from being auto-provisioned you can use the field.
It works by checking the provided SAML attribute field right before the auto provisioning, if you fill it e.g. with "`role`": when a user logs in through your IdP (for the first time), ilert will check if the SAML attribute "`role`" is present in the SAML response, if it is not, the user is redirected to an error page displaying the information that he/she should reach out to an account admin, otherwise the user is auto-provisioned and logged in.
{% hint style="info" %}
Note that role here is just an example, you may use any kind of SAML response attribute that you prefer to set. The value does not matter as well.
{% endhint %}
As an admin or account manager, this gives you an additional option to control the auto provisioning flow and you can make sure users that want/need to be onboarded are properly setup with their requirements before e.g. making sure a certain user is auto-provisioned with the correct role and team before his first login.
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://docs.ilert.com/users-and-access-management/single-sign-on/auto-provisioning-users-and-teams.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.