@n8n-as-code/skills 2.0.0-next.136 → 2.0.0-next.138
- package/dist/assets/n8n-credentials-ontology.json +1 -1
- package/dist/assets/n8n-docs-complete.json +220 -177
- package/dist/assets/n8n-knowledge-index.json +221 -197
- package/dist/assets/n8n-nodes-index.json +5 -5
- package/dist/assets/n8n-nodes-technical.json +5 -5
- package/dist/assets/workflows-index.json +1 -1
- package/package.json +3 -3
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
{
|
|
2
|
-
"generatedAt": "2026-05-06T10:
|
|
2
|
+
"generatedAt": "2026-05-06T10:58:05.885Z",
|
|
3
3
|
"version": "1.0.0",
|
|
4
4
|
"sourceUrl": "https://docs.n8n.io/llms.txt",
|
|
5
5
|
"totalPages": 1274,
|
|
@@ -21,7 +21,7 @@
|
|
|
21
21
|
},
|
|
22
22
|
"withNodeNames": 471,
|
|
23
23
|
"withUseCases": 39,
|
|
24
|
-
"withCodeExamples":
|
|
24
|
+
"withCodeExamples": 182
|
|
25
25
|
},
|
|
26
26
|
"categories": {
|
|
27
27
|
"other": {
|
|
@@ -90994,7 +90994,7 @@
|
|
|
90994
90994
|
"nodeName": null,
|
|
90995
90995
|
"nodeType": null,
|
|
90996
90996
|
"content": {
|
|
90997
|
-
"markdown": "# Set up OIDC\n\nFeature availability\n\n- Available on Enterprise plans.\n- You need to be an instance owner or admin to enable and configure OIDC.\n\n## Setting up and enabling OIDC\n\n1. In n8n, go to **Settings** > **SSO**.\n\n1. Under **Select Authentication Protocol**, choose **OIDC** from the dropdown.\n\n1. Copy the **redirect URL** shown (for example, `https://yourworkspace.app.n8n.cloud/rest/sso/oidc/callback`).\n\n Extra configuration for load balancers or proxies\n\n If you are running n8n behind a load balancer, make sure you set the [`N8N_EDITOR_BASE_URL` environment variable](../../../hosting/configuration/environment-variables/deployment/).\n\n1. Set up OIDC with your identity provider (IdP). You'll need to:\n\n - Create a new OIDC client/application in your IdP.\n - Configure the redirect URL from the previous step.\n - Note down the **Client ID** and **Client Secret** provided by your IdP.\n\n1. In your IdP, locate the **Discovery Endpoint** (also called the well-known configuration endpoint). It typically has the following format:\n\n ```\n https://your-idp-domain/.well-known/openid-configuration\n ```\n\n1. In n8n, complete the OIDC configuration:\n\n - **Discovery Endpoint**: Enter the discovery endpoint URL from your IdP.\n - **Client ID**: Enter the client ID you received when registering your application with your IdP.\n - **Client Secret**: Enter the client secret you received when registering your application with your IdP.\n\n1. Select **Save settings**.\n\n1. 
Set OIDC to **Activated**.\n\n### Instance and project access provisioning\n\nFrom version `1.122.2` upwards, n8n supports provisioning the instance role and project roles from your IdP.\n\nYou need to add a an additional scope called `n8n` to your OIDC authorization server.\n\nOn this `n8n` scope, you need to add these two claims:\n\n| **Name** | **Data type** | **Scope** | **Token type** |\n| ----------------- | ------------- | --------- | -------------- |\n| n8n_instance_role | string | n8n | ID |\n| n8n_projects | string array | n8n | ID |\n\nThese two need to always be included in the \"ID Token\" from your authorization server.\n\nEnsure that these two attributes are configured in the user groups of your identity provider that have access to n8n.\n\nInside the form on the **Settings** > **SSO** page in n8n, you will find a dropdown labeled \"User role provisioning\" in the form.\n\nBy default this is set to \"Manged in n8n\".\n\nYou can choose to set it to:\n\n- Instance role\n - Only the instance role of each provisioned user will be read from the `n8n_instance_role` attribute from the SAML response. Project access will still be managed inside n8n only.\n - If there is no value for `n8n_instance_role` configured on your IdP, the `global:member` role is used as fallback.\n- Instance and project roles\n - Both the instance role and project access of each provisioned user will be read from the `n8n_instance_role` and `n8n_projects` attributes from the SAML response.\n\nExisting access will be overwritten\n\nOnce you enable \"User role provisioning\", the next time any user logs in using SAML, any access they've been granted inside n8n, which isn't reflected in the n8n_instance_role and n8n_projects will be removed from that user.\n\nWhen activating this feature, you are required to download two CSV files before you can save this change. 
These files contain all your current access settings should you need to reference them.\n\n**Configuring n8n_instance_role attribute**\n\nThe n8n_instance_role attribute is a simple string configured for a group or user on your IdP.\n\nSupported instance roles are:\n\n- global:member\n- global:admin\n\n**Configuring n8n_projects attribute**\n\nThe n8n_projects attribute is a string array configured for a group or user on your IdP.\n\nEach element in this array needs to follow this format: :\n\nFor example:\n\n- bHsykgeFirmIhezz:viewer\n- 4K3zrg3DvlMFFTB7:editor\n- dCjnYuEpYOUBVaNe:admin\n\nFor existing access settings at the time of enabling project access provisioning using your IdP, you can find the project IDs in the downloaded CSV file.\n\nWhen creating a project from scratch, get the project ID from the URL when viewing the project in your browser:\n\nIn the URL `<your-domain>/projects/VVRWZaq5DRxaf9O1/workflows` for example, the project ID is `VVRWZaq5DRxaf9O1`.\n\n## Provider-specific OIDC setup\n\n### Okta\n\nThe steps to setup OIDC in Okta are similar as with Auth0 described below.\n\nFor Okta, you can download a visual step-by-step guide as PDF:\n\n[n8n-oidc-with-okta.pdf](../n8n-oidc-with-okta.pdf)\n\n### Auth0\n\n1. **Create an application in Auth0**:\n - Log in to your Auth0 Dashboard.\n - Go to **Applications** > **Applications**.\n - Click **Create Application**.\n - Enter a name (for example, \"n8n SSO\") and select **Regular Web Applications**.\n - Click **Create**.\n1. **Configure the application**:\n - Go to the **Settings** tab of your new application.\n - **Allowed Callback URLs**: Add your n8n redirect URL from **Settings** > **SSO** > **OIDC**.\n - **Allowed Web Origins**: Add your n8n base URL (for example, `https://yourworkspace.app.n8n.cloud`).\n - Click **Save Changes**.\n1. 
**Get your credentials**:\n - **Client ID**: Found in the **Settings** tab.\n - **Client Secret**: Found in the **Settings** tab.\n - **Discovery Endpoint**: `https://{your-auth0-domain}.auth0.com/.well-known/openid-configuration`.\n1. **In n8n, complete the OIDC configuration:**\n - **Discovery Endpoint**: Enter the discovery endpoint URL from Auth0.\n - **Client ID**: Enter the client ID you found in your Auth0 settings.\n - **Client Secret**: Enter the client secret you found in your Auth0 settings.\n1. Select **Save settings**.\n1. Set OIDC to **Activated**.\n\n## Discovery endpoints reference\n\n- **Google discovery endpoint example**:\n\n ```\n https://accounts.google.com/.well-known/openid-configuration\n ```\n\n- **Microsoft Azure AD discovery endpoint example**:\n\n ```\n https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration\n ```\n\n- **Auth0 discovery endpoint example**:\n\n ```\n https://{your-domain}.auth0.com/.well-known/openid-configuration\n ```\n\n- **Okta discovery endpoint example**:\n\n ```\n https://{your-domain}.okta.com/.well-known/openid-configuration\n ```\n\n- **Amazon Cognito discovery endpoint example**:\n\n ```\n https://cognito-idp.{region}.amazonaws.com/{user-pool-id}/.well-known/openid-configuration\n ```\n",
|
|
90997
|
+
"markdown": "# Set up OIDC\n\nFeature availability\n\n- Available on Enterprise plans.\n- You need to be an instance owner or admin to enable and configure OIDC.\n\n## Setting up and enabling OIDC\n\n1. In n8n, go to **Settings** > **SSO**.\n\n1. Under **Select Authentication Protocol**, choose **OIDC** from the dropdown.\n\n1. Copy the **redirect URL** shown (for example, `https://yourworkspace.app.n8n.cloud/rest/sso/oidc/callback`).\n\n Extra configuration for load balancers or proxies\n\n If you are running n8n behind a load balancer, make sure you set the [`N8N_EDITOR_BASE_URL` environment variable](../../../hosting/configuration/environment-variables/deployment/).\n\n1. Set up OIDC with your identity provider (IdP). You'll need to:\n\n - Create a new OIDC client/application in your IdP.\n - Configure the redirect URL from the previous step.\n - Note down the **Client ID** and **Client Secret** provided by your IdP.\n\n1. In your IdP, locate the **Discovery Endpoint** (also called the well-known configuration endpoint). It typically has the following format:\n\n ```\n https://your-idp-domain/.well-known/openid-configuration\n ```\n\n1. In n8n, complete the OIDC configuration:\n\n - **Discovery Endpoint**: Enter the discovery endpoint URL from your IdP.\n - **Client ID**: Enter the client ID you received when registering your application with your IdP.\n - **Client Secret**: Enter the client secret you received when registering your application with your IdP.\n\n1. Select **Save settings**.\n\n1. Set OIDC to **Activated**.\n\n### Instance and project access provisioning\n\nn8n supports provisioning the instance role and project roles via SSO. When a user signs in via OIDC, n8n can assign their instance role and project access automatically based on claims in the IdP response.\n\nRole provisioning was introduced in version `1.122.2`.\n\n#### Choose how roles are assigned\n\nIn n8n, go to **Settings** > **SSO**. 
Use the **Role assignment** dropdown to choose how n8n assigns roles to users who sign in via SSO. The default is **Assigned manually in n8n**.\n\nThe options are:\n\n- **Assigned manually in n8n**: admins assign every role directly in n8n. No automatic mapping from your IdP.\n- **Instance roles via SSO**: n8n reads the user's instance role from the IdP at login. Project access is still managed manually in n8n.\n- **Instance and project roles via SSO**: n8n reads both the instance role and project access from the IdP at login.\n\nRoles are re-evaluated on every login, so changes in the IdP take effect at the user's next sign-in.\n\nExisting access will be overwritten\n\nWhen you enable one of the SSO provisioning modes, any access granted inside n8n that isn't reflected in the IdP response is removed from users on their next login.\n\nBefore saving this change, n8n asks you to download two CSV files containing your current access settings. Keep these for reference.\n\n#### Choose a role mapping method\n\nWhen **Role assignment** is set to **Instance roles via SSO** or **Instance and project roles via SSO**, a **Role mapping method** dropdown appears. You can choose:\n\n- **Map rules on your IdP**: n8n reads n8n-specific claims (`n8n_instance_role` and `n8n_projects`) directly from the IdP response. Your IdP admin configures which n8n role or project each user or group should receive.\n- **Map rules inside n8n**: you define expressions in n8n that evaluate the user's OIDC claims and return a role. 
Use this when your IdP can't encode n8n-specific role logic, or when IT governance makes IdP-side changes slow.\n\n#### Map rules on your IdP\n\nAdd an additional scope called `n8n` to your OIDC authorization server with these two claims:\n\n| **Name** | **Data type** | **Scope** | **Token type** |\n| ------------------- | ------------- | --------- | -------------- |\n| `n8n_instance_role` | string | `n8n` | ID |\n| `n8n_projects` | string array | `n8n` | ID |\n\nBoth claims must always be included in the ID Token from your authorization server. Configure them on the user groups in your IdP that have access to n8n.\n\n**Configuring the `n8n_instance_role` claim**\n\n`n8n_instance_role` is a string configured for a group or user on your IdP. If no value is set, n8n falls back to `global:member`.\n\nSupported instance roles:\n\n- `global:member`\n- `global:admin`\n- `global:chatUser`\n\n**Configuring the `n8n_projects` claim**\n\n`n8n_projects` is a string array configured for a group or user on your IdP. Each element must follow the format `<project-id>:<role>`.\n\nFor example:\n\n- `bHsykgeFirmIhezz:viewer`\n- `4K3zrg3DvlMFFTB7:editor`\n- `dCjnYuEpYOUBVaNe:admin`\n\nFor existing access at the time of enabling project provisioning, find the project IDs in the downloaded CSV file.\n\nFor new projects, get the project ID from the URL when viewing the project in your browser. In the URL `<your-domain>/projects/VVRWZaq5DRxaf9O1/workflows`, the project ID is `VVRWZaq5DRxaf9O1`.\n\n#### Map rules inside n8n\n\n**Map rules inside n8n** is available from version `2.19.0` upwards.\n\nUse this option to define group-to-role mappings inside n8n rather than in your IdP. 
Each rule is an expression that n8n evaluates against the OIDC claims in the IdP response.\n\n**How expressions work**\n\n- Expressions access all OIDC claims from the IdP response through a `$claims` object.\n- If the expression returns `true`, n8n assigns the role you've selected on that rule.\n- Rules are evaluated top-to-bottom. The first matching rule wins.\n- Rules re-evaluate on every login, so role changes take effect at the user's next session.\n- `$claims` exposes the raw IdP response. n8n doesn't normalise it, so write expressions against the structure your IdP actually sends.\n\nSend a groups claim from your IdP\n\nMost group-based rules need a `groups` claim in the OIDC response. This claim isn't included by default, you need to configure your IdP to send it. For example, add a `groups` scope in Okta, or configure the `groups` claim in the Azure AD token configuration. Inspect your IdP's response before writing rules so you know the exact claim name and structure.\n\n**Example userinfo response**\n\nAfter authenticating, n8n calls the IdP's userinfo endpoint to fetch the user's claims. A typical response looks like this:\n\n```\n{\n \"sub\": \"00uwyqw9raWrKRJ0Q697\",\n \"name\": \"Jane Doe\",\n \"email\": \"jane.doe@example.com\",\n \"email_verified\": true,\n \"given_name\": \"Jane\",\n \"family_name\": \"Doe\",\n \"groups\": [\n \"Everyone\",\n \"n8n admins\",\n \"n8n members\",\n \"Operations\"\n ]\n}\n```\n\n`$claims` reflects this payload. So `$claims.email` is a string, `$claims.groups` is an array of strings, and you can use standard JavaScript methods on either. The exact group names depend on your IdP. Some providers (for example Azure AD) send group UUIDs rather than display names, in which case your expressions need to reference the UUID.\n\nTo inspect your own userinfo response in Okta, call the userinfo endpoint directly with a valid access token. 
You can get a test access token from **Security** > **API** > **Authorization Servers** > your server > **Token Preview** tab, then run:\n\n```\ncurl -H \"Authorization: Bearer <access-token>\" https://<your-okta-domain>/oauth2/<auth-server-id>/v1/userinfo\n```\n\n**Instance role rules**\n\nUnder **Instance role rules**, select **Add rule** to create a rule. Enter a condition expression and choose the instance role to assign when the condition returns `true`.\n\nFor example, to assign the **Admin** role to any user in the IdP `admin` group:\n\n```\n{{ $claims.groups.includes('admin') }}\n```\n\nThe **Default condition** row sets the role that users receive when no rule matches. By default this is **Member**.\n\n**Project role rules**\n\nUnder **Project role rules**, select **Add rule** to create a rule that assigns a project role in one or more projects.\n\nFor example, to give users in the `operations` group the **Project Editor** role in the **Operations** project, set the expression to:\n\n```\n{{ $claims.groups.includes('operations') }}\n```\n\nChoose the role in the **assign** field and the target projects in the **in** field. Users who don't match any project rule get no project access.\n\nManual role management is disabled\n\nWhen **Map rules inside n8n** is active, the UI controls for manually assigning user roles are disabled. All role assignment flows through the mapping rules.\n\nSwitching mapping methods\n\nSwitching from **Map rules inside n8n** back to **Map rules on your IdP** removes any in-n8n mappings. Users may lose their currently assigned roles on their next login if equivalent mappings aren't set up in your IdP. n8n asks you to confirm before applying this change.\n\n## Provider-specific OIDC setup\n\n### Okta\n\nThe steps to setup OIDC in Okta are similar as with Auth0 described below.\n\nFor Okta, you can download a visual step-by-step guide as PDF:\n\n[n8n-oidc-with-okta.pdf](../n8n-oidc-with-okta.pdf)\n\n### Auth0\n\n1. 
**Create an application in Auth0**:\n - Log in to your Auth0 Dashboard.\n - Go to **Applications** > **Applications**.\n - Click **Create Application**.\n - Enter a name (for example, \"n8n SSO\") and select **Regular Web Applications**.\n - Click **Create**.\n1. **Configure the application**:\n - Go to the **Settings** tab of your new application.\n - **Allowed Callback URLs**: Add your n8n redirect URL from **Settings** > **SSO** > **OIDC**.\n - **Allowed Web Origins**: Add your n8n base URL (for example, `https://yourworkspace.app.n8n.cloud`).\n - Click **Save Changes**.\n1. **Get your credentials**:\n - **Client ID**: Found in the **Settings** tab.\n - **Client Secret**: Found in the **Settings** tab.\n - **Discovery Endpoint**: `https://{your-auth0-domain}.auth0.com/.well-known/openid-configuration`.\n1. **In n8n, complete the OIDC configuration:**\n - **Discovery Endpoint**: Enter the discovery endpoint URL from Auth0.\n - **Client ID**: Enter the client ID you found in your Auth0 settings.\n - **Client Secret**: Enter the client secret you found in your Auth0 settings.\n1. Select **Save settings**.\n1. Set OIDC to **Activated**.\n\n## Discovery endpoints reference\n\n- **Google discovery endpoint example**:\n\n ```\n https://accounts.google.com/.well-known/openid-configuration\n ```\n\n- **Microsoft Azure AD discovery endpoint example**:\n\n ```\n https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration\n ```\n\n- **Auth0 discovery endpoint example**:\n\n ```\n https://{your-domain}.auth0.com/.well-known/openid-configuration\n ```\n\n- **Okta discovery endpoint example**:\n\n ```\n https://{your-domain}.okta.com/.well-known/openid-configuration\n ```\n\n- **Amazon Cognito discovery endpoint example**:\n\n ```\n https://cognito-idp.{region}.amazonaws.com/{user-pool-id}/.well-known/openid-configuration\n ```\n",
|
|
90998
90998
|
"excerpt": "# Set up OIDC Feature availability - Available on Enterprise plans. - You need to be an instance owner or admin to enable and configure OIDC. ## Setting up and enabling OIDC 1. In n8n, go to **Settings** > **SSO**. 1. Under **Select Authentication Protocol**, choose **OIDC** from the dropdown. 1. Copy the **redirect URL** shown (for example, `https://yourworkspace.app.n8n.cloud/rest/sso/oidc/callback`). Extra configuration for load balancers or proxies If you are running n8n behind...",
|
|
90999
90999
|
"sections": [
|
|
91000
91000
|
{
|
|
@@ -91013,6 +91013,15 @@
|
|
|
91013
91013
|
"project",
|
|
91014
91014
|
"access",
|
|
91015
91015
|
"provisioning",
|
|
91016
|
+
"choose",
|
|
91017
|
+
"roles",
|
|
91018
|
+
"assigned",
|
|
91019
|
+
"role",
|
|
91020
|
+
"mapping",
|
|
91021
|
+
"method",
|
|
91022
|
+
"rules",
|
|
91023
|
+
"your",
|
|
91024
|
+
"inside",
|
|
91016
91025
|
"provider",
|
|
91017
91026
|
"specific",
|
|
91018
91027
|
"setup",
|
|
@@ -91023,68 +91032,68 @@
|
|
|
91023
91032
|
"reference"
|
|
91024
91033
|
],
|
|
91025
91034
|
"useCases": [
|
|
91026
|
-
"- bHsykgeFirmIhezz:viewer"
|
|
91035
|
+
"- `bHsykgeFirmIhezz:viewer`"
|
|
91027
91036
|
],
|
|
91028
91037
|
"operations": [],
|
|
91029
|
-
"codeExamples":
|
|
91030
|
-
"complexity": "
|
|
91031
|
-
"readingTime": "
|
|
91032
|
-
"contentLength":
|
|
91038
|
+
"codeExamples": 10,
|
|
91039
|
+
"complexity": "intermediate",
|
|
91040
|
+
"readingTime": "8 min",
|
|
91041
|
+
"contentLength": 10757,
|
|
91033
91042
|
"relatedPages": []
|
|
91034
91043
|
},
|
|
91035
91044
|
"searchIndex": {
|
|
91036
|
-
"fullText": "set up oidc # set up oidc\n\nfeature availability\n\n- available on enterprise plans.\n- you need to be an instance owner or admin to enable and configure oidc.\n\n## setting up and enabling oidc\n\n1. in n8n, go to **settings** > **sso**.\n\n1. under **select authentication protocol**, choose **oidc** from the dropdown.\n\n1. copy the **redirect url** shown (for example, `https://yourworkspace.app.n8n.cloud/rest/sso/oidc/callback`).\n\n extra configuration for load balancers or proxies\n\n if you are running n8n behind a load balancer, make sure you set the [`n8n_editor_base_url` environment variable](../../../hosting/configuration/environment-variables/deployment/).\n\n1. set up oidc with your identity provider (idp). you'll need to:\n\n - create a new oidc client/application in your idp.\n - configure the redirect url from the previous step.\n - note down the **client id** and **client secret** provided by your idp.\n\n1. in your idp, locate the **discovery endpoint** (also called the well-known configuration endpoint). it typically has the following format:\n\n ```\n https://your-idp-domain/.well-known/openid-configuration\n ```\n\n1. in n8n, complete the oidc configuration:\n\n - **discovery endpoint**: enter the discovery endpoint url from your idp.\n - **client id**: enter the client id you received when registering your application with your idp.\n - **client secret**: enter the client secret you received when registering your application with your idp.\n\n1. select **save settings**.\n\n1. 
set oidc to **activated**.\n\n### instance and project access provisioning\n\nfrom version `1.122.2` upwards, n8n supports provisioning the instance role and project roles from your idp.\n\nyou need to add a an additional scope called `n8n` to your oidc authorization server.\n\non this `n8n` scope, you need to add these two claims:\n\n| **name** | **data type** | **scope** | **token type** |\n| ----------------- | ------------- | --------- | -------------- |\n| n8n_instance_role | string | n8n | id |\n| n8n_projects | string array | n8n | id |\n\nthese two need to always be included in the \"id token\" from your authorization server.\n\nensure that these two attributes are configured in the user groups of your identity provider that have access to n8n.\n\ninside the form on the **settings** > **sso** page in n8n, you will find a dropdown labeled \"user role provisioning\" in the form.\n\nby default this is set to \"manged in n8n\".\n\nyou can choose to set it to:\n\n- instance role\n - only the instance role of each provisioned user will be read from the `n8n_instance_role` attribute from the saml response. project access will still be managed inside n8n only.\n - if there is no value for `n8n_instance_role` configured on your idp, the `global:member` role is used as fallback.\n- instance and project roles\n - both the instance role and project access of each provisioned user will be read from the `n8n_instance_role` and `n8n_projects` attributes from the saml response.\n\nexisting access will be overwritten\n\nonce you enable \"user role provisioning\", the next time any user logs in using saml, any access they've been granted inside n8n, which isn't reflected in the n8n_instance_role and n8n_projects will be removed from that user.\n\nwhen activating this feature, you are required to download two csv files before you can save this change. 
these files contain all your current access settings should you need to reference them.\n\n**configuring n8n_instance_role attribute**\n\nthe n8n_instance_role attribute is a simple string configured for a group or user on your idp.\n\nsupported instance roles are:\n\n- global:member\n- global:admin\n\n**configuring n8n_projects attribute**\n\nthe n8n_projects attribute is a string array configured for a group or user on your idp.\n\neach element in this array needs to follow this format: :\n\nfor example:\n\n- bhsykgefirmihezz:viewer\n- 4k3zrg3dvlmfftb7:editor\n- dcjnyuepyoubvane:admin\n\nfor existing access settings at the time of enabling project access provisioning using your idp, you can find the project ids in the downloaded csv file.\n\nwhen creating a project from scratch, get the project id from the url when viewing the project in your browser:\n\nin the url `<your-domain>/projects/vvrwzaq5drxaf9o1/workflows` for example, the project id is `vvrwzaq5drxaf9o1`.\n\n## provider-specific oidc setup\n\n### okta\n\nthe steps to setup oidc in okta are similar as with auth0 described below.\n\nfor okta, you can download a visual step-by-step guide as pdf:\n\n[n8n-oidc-with-okta.pdf](../n8n-oidc-with-okta.pdf)\n\n### auth0\n\n1. **create an application in auth0**:\n - log in to your auth0 dashboard.\n - go to **applications** > **applications**.\n - click **create application**.\n - enter a name (for example, \"n8n sso\") and select **regular web applications**.\n - click **create**.\n1. **configure the application**:\n - go to the **settings** tab of your new application.\n - **allowed callback urls**: add your n8n redirect url from **settings** > **sso** > **oidc**.\n - **allowed web origins**: add your n8n base url (for example, `https://yourworkspace.app.n8n.cloud`).\n - click **save changes**.\n1. 
**get your credentials**:\n - **client id**: found in the **settings** tab.\n - **client secret**: found in the **settings** tab.\n - **discovery endpoint**: `https://{your-auth0-domain}.auth0.com/.well-known/openid-configuration`.\n1. **in n8n, complete the oidc configuration:**\n - **discovery endpoint**: enter the discovery endpoint url from auth0.\n - **client id**: enter the client id you found in your auth0 settings.\n - **client secret**: enter the client secret you found in your auth0 settings.\n1. select **save settings**.\n1. set oidc to **activated**.\n\n## discovery endpoints reference\n\n- **google discovery endpoint example**:\n\n ```\n https://accounts.google.com/.well-known/openid-configuration\n ```\n\n- **microsoft azure ad discovery endpoint example**:\n\n ```\n https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration\n ```\n\n- **auth0 discovery endpoint example**:\n\n ```\n https://{your-domain}.auth0.com/.well-known/openid-configuration\n ```\n\n- **okta discovery endpoint example**:\n\n ```\n https://{your-domain}.okta.com/.well-known/openid-configuration\n ```\n\n- **amazon cognito discovery endpoint example**:\n\n ```\n https://cognito-idp.{region}.amazonaws.com/{user-pool-id}/.well-known/openid-configuration\n ```\n set up oidc",
|
|
91045
|
+
"fullText": "set up oidc # set up oidc\n\nfeature availability\n\n- available on enterprise plans.\n- you need to be an instance owner or admin to enable and configure oidc.\n\n## setting up and enabling oidc\n\n1. in n8n, go to **settings** > **sso**.\n\n1. under **select authentication protocol**, choose **oidc** from the dropdown.\n\n1. copy the **redirect url** shown (for example, `https://yourworkspace.app.n8n.cloud/rest/sso/oidc/callback`).\n\n extra configuration for load balancers or proxies\n\n if you are running n8n behind a load balancer, make sure you set the [`n8n_editor_base_url` environment variable](../../../hosting/configuration/environment-variables/deployment/).\n\n1. set up oidc with your identity provider (idp). you'll need to:\n\n - create a new oidc client/application in your idp.\n - configure the redirect url from the previous step.\n - note down the **client id** and **client secret** provided by your idp.\n\n1. in your idp, locate the **discovery endpoint** (also called the well-known configuration endpoint). it typically has the following format:\n\n ```\n https://your-idp-domain/.well-known/openid-configuration\n ```\n\n1. in n8n, complete the oidc configuration:\n\n - **discovery endpoint**: enter the discovery endpoint url from your idp.\n - **client id**: enter the client id you received when registering your application with your idp.\n - **client secret**: enter the client secret you received when registering your application with your idp.\n\n1. select **save settings**.\n\n1. set oidc to **activated**.\n\n### instance and project access provisioning\n\nn8n supports provisioning the instance role and project roles via sso. when a user signs in via oidc, n8n can assign their instance role and project access automatically based on claims in the idp response.\n\nrole provisioning was introduced in version `1.122.2`.\n\n#### choose how roles are assigned\n\nin n8n, go to **settings** > **sso**. 
use the **role assignment** dropdown to choose how n8n assigns roles to users who sign in via sso. the default is **assigned manually in n8n**.\n\nthe options are:\n\n- **assigned manually in n8n**: admins assign every role directly in n8n. no automatic mapping from your idp.\n- **instance roles via sso**: n8n reads the user's instance role from the idp at login. project access is still managed manually in n8n.\n- **instance and project roles via sso**: n8n reads both the instance role and project access from the idp at login.\n\nroles are re-evaluated on every login, so changes in the idp take effect at the user's next sign-in.\n\nexisting access will be overwritten\n\nwhen you enable one of the sso provisioning modes, any access granted inside n8n that isn't reflected in the idp response is removed from users on their next login.\n\nbefore saving this change, n8n asks you to download two csv files containing your current access settings. keep these for reference.\n\n#### choose a role mapping method\n\nwhen **role assignment** is set to **instance roles via sso** or **instance and project roles via sso**, a **role mapping method** dropdown appears. you can choose:\n\n- **map rules on your idp**: n8n reads n8n-specific claims (`n8n_instance_role` and `n8n_projects`) directly from the idp response. your idp admin configures which n8n role or project each user or group should receive.\n- **map rules inside n8n**: you define expressions in n8n that evaluate the user's oidc claims and return a role. 
use this when your idp can't encode n8n-specific role logic, or when it governance makes idp-side changes slow.\n\n#### map rules on your idp\n\nadd an additional scope called `n8n` to your oidc authorization server with these two claims:\n\n| **name** | **data type** | **scope** | **token type** |\n| ------------------- | ------------- | --------- | -------------- |\n| `n8n_instance_role` | string | `n8n` | id |\n| `n8n_projects` | string array | `n8n` | id |\n\nboth claims must always be included in the id token from your authorization server. configure them on the user groups in your idp that have access to n8n.\n\n**configuring the `n8n_instance_role` claim**\n\n`n8n_instance_role` is a string configured for a group or user on your idp. if no value is set, n8n falls back to `global:member`.\n\nsupported instance roles:\n\n- `global:member`\n- `global:admin`\n- `global:chatuser`\n\n**configuring the `n8n_projects` claim**\n\n`n8n_projects` is a string array configured for a group or user on your idp. each element must follow the format `<project-id>:<role>`.\n\nfor example:\n\n- `bhsykgefirmihezz:viewer`\n- `4k3zrg3dvlmfftb7:editor`\n- `dcjnyuepyoubvane:admin`\n\nfor existing access at the time of enabling project provisioning, find the project ids in the downloaded csv file.\n\nfor new projects, get the project id from the url when viewing the project in your browser. in the url `<your-domain>/projects/vvrwzaq5drxaf9o1/workflows`, the project id is `vvrwzaq5drxaf9o1`.\n\n#### map rules inside n8n\n\n**map rules inside n8n** is available from version `2.19.0` upwards.\n\nuse this option to define group-to-role mappings inside n8n rather than in your idp. 
each rule is an expression that n8n evaluates against the oidc claims in the idp response.\n\n**how expressions work**\n\n- expressions access all oidc claims from the idp response through a `$claims` object.\n- if the expression returns `true`, n8n assigns the role you've selected on that rule.\n- rules are evaluated top-to-bottom. the first matching rule wins.\n- rules re-evaluate on every login, so role changes take effect at the user's next session.\n- `$claims` exposes the raw idp response. n8n doesn't normalise it, so write expressions against the structure your idp actually sends.\n\nsend a groups claim from your idp\n\nmost group-based rules need a `groups` claim in the oidc response. this claim isn't included by default, you need to configure your idp to send it. for example, add a `groups` scope in okta, or configure the `groups` claim in the azure ad token configuration. inspect your idp's response before writing rules so you know the exact claim name and structure.\n\n**example userinfo response**\n\nafter authenticating, n8n calls the idp's userinfo endpoint to fetch the user's claims. a typical response looks like this:\n\n```\n{\n \"sub\": \"00uwyqw9rawrkrj0q697\",\n \"name\": \"jane doe\",\n \"email\": \"jane.doe@example.com\",\n \"email_verified\": true,\n \"given_name\": \"jane\",\n \"family_name\": \"doe\",\n \"groups\": [\n \"everyone\",\n \"n8n admins\",\n \"n8n members\",\n \"operations\"\n ]\n}\n```\n\n`$claims` reflects this payload. so `$claims.email` is a string, `$claims.groups` is an array of strings, and you can use standard javascript methods on either. the exact group names depend on your idp. some providers (for example azure ad) send group uuids rather than display names, in which case your expressions need to reference the uuid.\n\nto inspect your own userinfo response in okta, call the userinfo endpoint directly with a valid access token. 
you can get a test access token from **security** > **api** > **authorization servers** > your server > **token preview** tab, then run:\n\n```\ncurl -h \"authorization: bearer <access-token>\" https://<your-okta-domain>/oauth2/<auth-server-id>/v1/userinfo\n```\n\n**instance role rules**\n\nunder **instance role rules**, select **add rule** to create a rule. enter a condition expression and choose the instance role to assign when the condition returns `true`.\n\nfor example, to assign the **admin** role to any user in the idp `admin` group:\n\n```\n{{ $claims.groups.includes('admin') }}\n```\n\nthe **default condition** row sets the role that users receive when no rule matches. by default this is **member**.\n\n**project role rules**\n\nunder **project role rules**, select **add rule** to create a rule that assigns a project role in one or more projects.\n\nfor example, to give users in the `operations` group the **project editor** role in the **operations** project, set the expression to:\n\n```\n{{ $claims.groups.includes('operations') }}\n```\n\nchoose the role in the **assign** field and the target projects in the **in** field. users who don't match any project rule get no project access.\n\nmanual role management is disabled\n\nwhen **map rules inside n8n** is active, the ui controls for manually assigning user roles are disabled. all role assignment flows through the mapping rules.\n\nswitching mapping methods\n\nswitching from **map rules inside n8n** back to **map rules on your idp** removes any in-n8n mappings. users may lose their currently assigned roles on their next login if equivalent mappings aren't set up in your idp. n8n asks you to confirm before applying this change.\n\n## provider-specific oidc setup\n\n### okta\n\nthe steps to setup oidc in okta are similar as with auth0 described below.\n\nfor okta, you can download a visual step-by-step guide as pdf:\n\n[n8n-oidc-with-okta.pdf](../n8n-oidc-with-okta.pdf)\n\n### auth0\n\n1. 
**create an application in auth0**:\n - log in to your auth0 dashboard.\n - go to **applications** > **applications**.\n - click **create application**.\n - enter a name (for example, \"n8n sso\") and select **regular web applications**.\n - click **create**.\n1. **configure the application**:\n - go to the **settings** tab of your new application.\n - **allowed callback urls**: add your n8n redirect url from **settings** > **sso** > **oidc**.\n - **allowed web origins**: add your n8n base url (for example, `https://yourworkspace.app.n8n.cloud`).\n - click **save changes**.\n1. **get your credentials**:\n - **client id**: found in the **settings** tab.\n - **client secret**: found in the **settings** tab.\n - **discovery endpoint**: `https://{your-auth0-domain}.auth0.com/.well-known/openid-configuration`.\n1. **in n8n, complete the oidc configuration:**\n - **discovery endpoint**: enter the discovery endpoint url from auth0.\n - **client id**: enter the client id you found in your auth0 settings.\n - **client secret**: enter the client secret you found in your auth0 s",
|
|
91037
91046
|
"importantTerms": [
|
|
91038
91047
|
"your",
|
|
91048
|
+
"role",
|
|
91039
91049
|
"oidc",
|
|
91040
|
-
"from",
|
|
91041
|
-
"client",
|
|
91042
|
-
"settings",
|
|
91043
|
-
"configuration",
|
|
91044
|
-
"discovery",
|
|
91045
|
-
"endpoint",
|
|
91046
91050
|
"project",
|
|
91051
|
+
"from",
|
|
91052
|
+
"rules",
|
|
91047
91053
|
"example",
|
|
91054
|
+
"claims",
|
|
91055
|
+
"instance",
|
|
91056
|
+
"endpoint",
|
|
91057
|
+
"access",
|
|
91058
|
+
"configuration",
|
|
91059
|
+
"client",
|
|
91048
91060
|
"user",
|
|
91061
|
+
"discovery",
|
|
91062
|
+
"settings",
|
|
91063
|
+
"when",
|
|
91064
|
+
"roles",
|
|
91065
|
+
"response",
|
|
91049
91066
|
"https",
|
|
91050
|
-
"
|
|
91051
|
-
"
|
|
91067
|
+
"okta",
|
|
91068
|
+
"group",
|
|
91069
|
+
"groups",
|
|
91070
|
+
"rule",
|
|
91071
|
+
"with",
|
|
91052
91072
|
"well",
|
|
91053
91073
|
"known",
|
|
91074
|
+
"enter",
|
|
91075
|
+
"this",
|
|
91076
|
+
"admin",
|
|
91077
|
+
"choose",
|
|
91054
91078
|
"application",
|
|
91055
91079
|
"openid",
|
|
91056
|
-
"
|
|
91057
|
-
"
|
|
91058
|
-
"
|
|
91059
|
-
"
|
|
91060
|
-
"
|
|
91080
|
+
"login",
|
|
91081
|
+
"inside",
|
|
91082
|
+
"that",
|
|
91083
|
+
"token",
|
|
91084
|
+
"claim",
|
|
91085
|
+
"configure",
|
|
91086
|
+
"select",
|
|
91087
|
+
"create",
|
|
91061
91088
|
"secret",
|
|
91062
|
-
"this",
|
|
91063
|
-
"will",
|
|
91064
91089
|
"domain",
|
|
91065
|
-
"
|
|
91090
|
+
"users",
|
|
91091
|
+
"need",
|
|
91066
91092
|
"provisioning",
|
|
91067
|
-
"
|
|
91068
|
-
"
|
|
91069
|
-
"
|
|
91070
|
-
"
|
|
91071
|
-
"these",
|
|
91072
|
-
"string",
|
|
91073
|
-
"configured",
|
|
91074
|
-
"found",
|
|
91075
|
-
"admin",
|
|
91076
|
-
"configure",
|
|
91077
|
-
"redirect",
|
|
91078
|
-
"provider",
|
|
91079
|
-
"step",
|
|
91080
|
-
"roles",
|
|
91081
|
-
"scope",
|
|
91082
|
-
"array",
|
|
91083
|
-
"that",
|
|
91084
|
-
"inside",
|
|
91085
|
-
"each",
|
|
91086
|
-
"saml",
|
|
91087
|
-
"global"
|
|
91093
|
+
"assign",
|
|
91094
|
+
"mapping",
|
|
91095
|
+
"expressions",
|
|
91096
|
+
"string"
|
|
91088
91097
|
]
|
|
91089
91098
|
}
|
|
91090
91099
|
},
|
|
@@ -91543,6 +91552,56 @@
|
|
|
91543
91552
|
},
|
|
91544
91553
|
{
|
|
91545
91554
|
"id": "page-1246",
|
|
91555
|
+
"title": "Manage users with SAML",
|
|
91556
|
+
"url": "https://docs.n8n.io/user-management/saml/managing/index.md",
|
|
91557
|
+
"urlPath": "user-management/saml/managing/index.md",
|
|
91558
|
+
"category": "other",
|
|
91559
|
+
"subcategory": null,
|
|
91560
|
+
"nodeName": null,
|
|
91561
|
+
"nodeType": null,
|
|
91562
|
+
"content": {
|
|
91563
|
+
"markdown": "# Manage users with SAML\n\nFeature availability\n\n- Available on Business and Enterprise plans.\n- You need to be an instance owner or admin to enable and configure SAML.\n\nThere are some user management tasks that are affected by SAML.\n\n## Exempt users from SAML\n\nYou can allow users to log in without using SAML. To do this:\n\n1. Go to **Settings** > **Users**.\n1. Select the menu icon by the user you want to exempt from SAML.\n1. Select **Allow Manual Login**.\n\n## Deleting users\n\nIf you remove a user from your IdP, they remain logged in to n8n. You need to manually remove them from n8n as well. Refer to [Manage users](../../manage-users/) for guidance on deleting users.\n",
|
|
91564
|
+
"excerpt": "# Manage users with SAML Feature availability - Available on Business and Enterprise plans. - You need to be an instance owner or admin to enable and configure SAML. There are some user management tasks that are affected by SAML. ## Exempt users from SAML You can allow users to log in without using SAML. To do this: 1. Go to **Settings** > **Users**. 1. Select the menu icon by the user you want to exempt from SAML. 1. Select **Allow Manual Login**. ## Deleting users If you remove a user...",
|
|
91565
|
+
"sections": [
|
|
91566
|
+
{
|
|
91567
|
+
"title": "Manage users with SAML",
|
|
91568
|
+
"level": 1,
|
|
91569
|
+
"content": "Feature availability\n\n- Available on Business and Enterprise plans.\n- You need to be an instance owner or admin to enable and configure SAML.\n\nThere are some user management tasks that are affected by SAML."
|
|
91570
|
+
}
|
|
91571
|
+
]
|
|
91572
|
+
},
|
|
91573
|
+
"metadata": {
|
|
91574
|
+
"keywords": [
|
|
91575
|
+
"manage",
|
|
91576
|
+
"users",
|
|
91577
|
+
"with",
|
|
91578
|
+
"saml",
|
|
91579
|
+
"exempt",
|
|
91580
|
+
"from",
|
|
91581
|
+
"deleting"
|
|
91582
|
+
],
|
|
91583
|
+
"useCases": [],
|
|
91584
|
+
"operations": [],
|
|
91585
|
+
"codeExamples": 0,
|
|
91586
|
+
"complexity": "beginner",
|
|
91587
|
+
"readingTime": "1 min",
|
|
91588
|
+
"contentLength": 673,
|
|
91589
|
+
"relatedPages": []
|
|
91590
|
+
},
|
|
91591
|
+
"searchIndex": {
|
|
91592
|
+
"fullText": "manage users with saml # manage users with saml\n\nfeature availability\n\n- available on business and enterprise plans.\n- you need to be an instance owner or admin to enable and configure saml.\n\nthere are some user management tasks that are affected by saml.\n\n## exempt users from saml\n\nyou can allow users to log in without using saml. to do this:\n\n1. go to **settings** > **users**.\n1. select the menu icon by the user you want to exempt from saml.\n1. select **allow manual login**.\n\n## deleting users\n\nif you remove a user from your idp, they remain logged in to n8n. you need to manually remove them from n8n as well. refer to [manage users](../../manage-users/) for guidance on deleting users.\n manage users with saml",
|
|
91593
|
+
"importantTerms": [
|
|
91594
|
+
"users",
|
|
91595
|
+
"saml",
|
|
91596
|
+
"manage",
|
|
91597
|
+
"from",
|
|
91598
|
+
"with",
|
|
91599
|
+
"user"
|
|
91600
|
+
]
|
|
91601
|
+
}
|
|
91602
|
+
},
|
|
91603
|
+
{
|
|
91604
|
+
"id": "page-1247",
|
|
91546
91605
|
"title": "Azure AD SAML setup",
|
|
91547
91606
|
"url": "https://docs.n8n.io/user-management/saml/azuread/index.md",
|
|
91548
91607
|
"urlPath": "user-management/saml/azuread/index.md",
|
|
@@ -91551,7 +91610,7 @@
|
|
|
91551
91610
|
"nodeName": null,
|
|
91552
91611
|
"nodeType": null,
|
|
91553
91612
|
"content": {
|
|
91554
|
-
"markdown": "# Azure AD SAML setup\n\nThis document provides instructions for configuring Azure AD to send role information to n8n via SAML attributes. This enables automatic role assignment based on Azure AD group membership.\n\n## Prerequisites\n\nYou need an Azure AD account with access to Enterprise Applications, and the redirect URL and entity ID from n8n's SAML settings.\n\nRead the [Set up SAML](../setup/) guide first.\n\n## What n8n requires\n\nn8n expects a custom SAML attribute to be included in the SAML assertion:\n\n| **Attribute Name** | **Data Type** | **Purpose** |\n| ------------------ | ------------- | -------------------------------------- |\n| n8n_instance_role | String | Controls the user's global role in n8n |\n\nValid values for `n8n_instance_role`:\n\n| **Value** | **Description** |\n| ----------------- | ----------------------------------------------------------------------------------------------------------------- |\n| `global:owner` | Full instance owner access |\n| `global:admin` | Administrator access |\n| `global:member` | Regular member access (default if not specified) |\n| `global:chatUser` | Restricted, non-technical role in n8n designed for securely interacting with AI agents via the Chat Hub interface |\n\n## Setup\n\n**Step 1: Configure Standard SAML Attributes**\n\n1. In your Azure AD portal, navigate to your n8n Enterprise Application.\n\n1. Go to **Single sign-on** > **Attributes & Claims**.\n\n1. 
Ensure these standard attributes are configured:\n\n | **Claim Name** | **Source Attribute** |\n | -------------------------------------------------------------------- | ---------------------- |\n | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` | user.mail |\n | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/firstname` | user.givenname |\n | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/lastname` | user.surname |\n | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn` | user.userprincipalname |\n\n**Step 2: Add the n8n_instance_role Claim**\n\nThis claim uses conditional logic to emit different role values based on Azure AD group membership.\n\n1. In **Attributes & Claims**, click **Add new claim**.\n\n1. Configure the basic settings:\n\n - **Name**: `n8n_instance_role`\n - **Namespace**: leave empty\n - **Source**: `Attribute`\n\n1. Expand **Claim conditions** and click **Add condition**.\n\n1. Add conditions for each Azure AD group (in priority order):\n\n | **User Type** | **Scoped Groups** | **Source** | **Value** |\n | ------------- | ----------------- | ---------- | ----------------- |\n | Members | n8n-chatusers | Attribute | `global:chatUser` |\n | Members | n8n-users | Attribute | `global:member` |\n | Members | n8n-admins | Attribute | `global:admin` |\n | Members | n8n-owners | Attribute | `global:owner` |\n\nCondition order\n\nConditions are evaluated in order. Place the most privileged group (owners) at the end.\n\n5. Click **Save**.\n\n### Testing the configuration\n\n1. In n8n, go to **Settings** > **SSO**.\n1. Set **
|
|
91613
|
+
"markdown": "# Azure AD SAML setup\n\nThis document provides instructions for configuring Azure AD to send role information to n8n via SAML attributes. This enables automatic role assignment based on Azure AD group membership.\n\n## Prerequisites\n\nYou need an Azure AD account with access to Enterprise Applications, and the redirect URL and entity ID from n8n's SAML settings.\n\nRead the [Set up SAML](../setup/) guide first.\n\n## What n8n requires\n\nn8n expects a custom SAML attribute to be included in the SAML assertion:\n\n| **Attribute Name** | **Data Type** | **Purpose** |\n| ------------------ | ------------- | -------------------------------------- |\n| n8n_instance_role | String | Controls the user's global role in n8n |\n\nValid values for `n8n_instance_role`:\n\n| **Value** | **Description** |\n| ----------------- | ----------------------------------------------------------------------------------------------------------------- |\n| `global:owner` | Full instance owner access |\n| `global:admin` | Administrator access |\n| `global:member` | Regular member access (default if not specified) |\n| `global:chatUser` | Restricted, non-technical role in n8n designed for securely interacting with AI agents via the Chat Hub interface |\n\n## Setup\n\n**Step 1: Configure Standard SAML Attributes**\n\n1. In your Azure AD portal, navigate to your n8n Enterprise Application.\n\n1. Go to **Single sign-on** > **Attributes & Claims**.\n\n1. 
Ensure these standard attributes are configured:\n\n | **Claim Name** | **Source Attribute** |\n | -------------------------------------------------------------------- | ---------------------- |\n | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` | user.mail |\n | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/firstname` | user.givenname |\n | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/lastname` | user.surname |\n | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn` | user.userprincipalname |\n\n**Step 2: Add the n8n_instance_role Claim**\n\nThis claim uses conditional logic to emit different role values based on Azure AD group membership.\n\n1. In **Attributes & Claims**, click **Add new claim**.\n\n1. Configure the basic settings:\n\n - **Name**: `n8n_instance_role`\n - **Namespace**: leave empty\n - **Source**: `Attribute`\n\n1. Expand **Claim conditions** and click **Add condition**.\n\n1. Add conditions for each Azure AD group (in priority order):\n\n | **User Type** | **Scoped Groups** | **Source** | **Value** |\n | ------------- | ----------------- | ---------- | ----------------- |\n | Members | n8n-chatusers | Attribute | `global:chatUser` |\n | Members | n8n-users | Attribute | `global:member` |\n | Members | n8n-admins | Attribute | `global:admin` |\n | Members | n8n-owners | Attribute | `global:owner` |\n\nCondition order\n\nConditions are evaluated in order. Place the most privileged group (owners) at the end.\n\n5. Click **Save**.\n\n### Testing the configuration\n\n1. In n8n, go to **Settings** > **SSO**.\n1. Set **Role assignment** to **Instance roles via SSO**.\n1. Set **Role mapping method** to **Map rules on your IdP**.\n1. Click **Test settings**.\n1. 
Verify the SAML response shows the correct `n8n_instance_role` value.\n\n### Troubleshooting\n\n**Claim not appearing in SAML response**\n\n- Verify the user is a member of at least one of the configured groups.\n- Check that the groups are assigned to the Enterprise Application.\n- Ensure conditions are configured with `Attribute` as the source.\n- Use a browser extension plugin like 'SAML Chrome Panel' to view the application SAML response.\n\n**User gets wrong role**\n\n- Check condition order (most privileged group should be last).\n\n## References\n\n- [n8n SAML Setup](https://docs.n8n.io/user-management/saml/setup/)\n- [n8n Okta Guide (reference)](https://docs.n8n.io/user-management/saml/okta/)\n- [Azure AD Claims Customization](https://learn.microsoft.com/en-us/entra/identity-platform/saml-claims-customization)\n",
|
|
91555
91614
|
"excerpt": "# Azure AD SAML setup This document provides instructions for configuring Azure AD to send role information to n8n via SAML attributes. This enables automatic role assignment based on Azure AD group membership. ## Prerequisites You need an Azure AD account with access to Enterprise Applications, and the redirect URL and entity ID from n8n's SAML settings. Read the [Set up SAML](../setup/) guide first. ## What n8n requires n8n expects a custom SAML attribute to be included in the SAML asser...",
|
|
91556
91615
|
"sections": [
|
|
91557
91616
|
{
|
|
@@ -91579,15 +91638,15 @@
|
|
|
91579
91638
|
"codeExamples": 0,
|
|
91580
91639
|
"complexity": "beginner",
|
|
91581
91640
|
"readingTime": "3 min",
|
|
91582
|
-
"contentLength":
|
|
91641
|
+
"contentLength": 4527,
|
|
91583
91642
|
"relatedPages": []
|
|
91584
91643
|
},
|
|
91585
91644
|
"searchIndex": {
|
|
91586
|
-
"fullText": "azure ad saml setup # azure ad saml setup\n\nthis document provides instructions for configuring azure ad to send role information to n8n via saml attributes. this enables automatic role assignment based on azure ad group membership.\n\n## prerequisites\n\nyou need an azure ad account with access to enterprise applications, and the redirect url and entity id from n8n's saml settings.\n\nread the [set up saml](../setup/) guide first.\n\n## what n8n requires\n\nn8n expects a custom saml attribute to be included in the saml assertion:\n\n| **attribute name** | **data type** | **purpose** |\n| ------------------ | ------------- | -------------------------------------- |\n| n8n_instance_role | string | controls the user's global role in n8n |\n\nvalid values for `n8n_instance_role`:\n\n| **value** | **description** |\n| ----------------- | ----------------------------------------------------------------------------------------------------------------- |\n| `global:owner` | full instance owner access |\n| `global:admin` | administrator access |\n| `global:member` | regular member access (default if not specified) |\n| `global:chatuser` | restricted, non-technical role in n8n designed for securely interacting with ai agents via the chat hub interface |\n\n## setup\n\n**step 1: configure standard saml attributes**\n\n1. in your azure ad portal, navigate to your n8n enterprise application.\n\n1. go to **single sign-on** > **attributes & claims**.\n\n1. 
ensure these standard attributes are configured:\n\n | **claim name** | **source attribute** |\n | -------------------------------------------------------------------- | ---------------------- |\n | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` | user.mail |\n | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/firstname` | user.givenname |\n | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/lastname` | user.surname |\n | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn` | user.userprincipalname |\n\n**step 2: add the n8n_instance_role claim**\n\nthis claim uses conditional logic to emit different role values based on azure ad group membership.\n\n1. in **attributes & claims**, click **add new claim**.\n\n1. configure the basic settings:\n\n - **name**: `n8n_instance_role`\n - **namespace**: leave empty\n - **source**: `attribute`\n\n1. expand **claim conditions** and click **add condition**.\n\n1. add conditions for each azure ad group (in priority order):\n\n | **user type** | **scoped groups** | **source** | **value** |\n | ------------- | ----------------- | ---------- | ----------------- |\n | members | n8n-chatusers | attribute | `global:chatuser` |\n | members | n8n-users | attribute | `global:member` |\n | members | n8n-admins | attribute | `global:admin` |\n | members | n8n-owners | attribute | `global:owner` |\n\ncondition order\n\nconditions are evaluated in order. place the most privileged group (owners) at the end.\n\n5. click **save**.\n\n### testing the configuration\n\n1. in n8n, go to **settings** > **sso**.\n1. set **
|
|
91645
|
+
"fullText": "azure ad saml setup # azure ad saml setup\n\nthis document provides instructions for configuring azure ad to send role information to n8n via saml attributes. this enables automatic role assignment based on azure ad group membership.\n\n## prerequisites\n\nyou need an azure ad account with access to enterprise applications, and the redirect url and entity id from n8n's saml settings.\n\nread the [set up saml](../setup/) guide first.\n\n## what n8n requires\n\nn8n expects a custom saml attribute to be included in the saml assertion:\n\n| **attribute name** | **data type** | **purpose** |\n| ------------------ | ------------- | -------------------------------------- |\n| n8n_instance_role | string | controls the user's global role in n8n |\n\nvalid values for `n8n_instance_role`:\n\n| **value** | **description** |\n| ----------------- | ----------------------------------------------------------------------------------------------------------------- |\n| `global:owner` | full instance owner access |\n| `global:admin` | administrator access |\n| `global:member` | regular member access (default if not specified) |\n| `global:chatuser` | restricted, non-technical role in n8n designed for securely interacting with ai agents via the chat hub interface |\n\n## setup\n\n**step 1: configure standard saml attributes**\n\n1. in your azure ad portal, navigate to your n8n enterprise application.\n\n1. go to **single sign-on** > **attributes & claims**.\n\n1. 
ensure these standard attributes are configured:\n\n | **claim name** | **source attribute** |\n | -------------------------------------------------------------------- | ---------------------- |\n | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` | user.mail |\n | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/firstname` | user.givenname |\n | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/lastname` | user.surname |\n | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn` | user.userprincipalname |\n\n**step 2: add the n8n_instance_role claim**\n\nthis claim uses conditional logic to emit different role values based on azure ad group membership.\n\n1. in **attributes & claims**, click **add new claim**.\n\n1. configure the basic settings:\n\n - **name**: `n8n_instance_role`\n - **namespace**: leave empty\n - **source**: `attribute`\n\n1. expand **claim conditions** and click **add condition**.\n\n1. add conditions for each azure ad group (in priority order):\n\n | **user type** | **scoped groups** | **source** | **value** |\n | ------------- | ----------------- | ---------- | ----------------- |\n | members | n8n-chatusers | attribute | `global:chatuser` |\n | members | n8n-users | attribute | `global:member` |\n | members | n8n-admins | attribute | `global:admin` |\n | members | n8n-owners | attribute | `global:owner` |\n\ncondition order\n\nconditions are evaluated in order. place the most privileged group (owners) at the end.\n\n5. click **save**.\n\n### testing the configuration\n\n1. in n8n, go to **settings** > **sso**.\n1. set **role assignment** to **instance roles via sso**.\n1. set **role mapping method** to **map rules on your idp**.\n1. click **test settings**.\n1. 
verify the saml response shows the correct `n8n_instance_role` value.\n\n### troubleshooting\n\n**claim not appearing in saml response**\n\n- verify the user is a member of at least one of the configured groups.\n- check that the groups are assigned to the enterprise application.\n- ensure conditions are configured with `attribute` as the source.\n- use a browser extension plugin like 'saml chrome panel' to view the application saml response.\n\n**user gets wrong role**\n\n- check condition order (most privileged group should be last).\n\n## references\n\n- [n8n saml setup](https://docs.n8n.io/user-management/saml/setup/)\n- [n8n okta guide (reference)](https://docs.n8n.io/user-management/saml/okta/)\n- [azure ad claims customization](https://learn.microsoft.com/en-us/entra/identity-platform/saml-claims-customization)\n azure ad saml setup",
|
|
91587
91646
|
"importantTerms": [
|
|
91588
91647
|
"saml",
|
|
91589
|
-
"user",
|
|
91590
91648
|
"azure",
|
|
91649
|
+
"user",
|
|
91591
91650
|
"attribute",
|
|
91592
91651
|
"global",
|
|
91593
91652
|
"role",
|
|
@@ -91614,6 +91673,7 @@
|
|
|
91614
91673
|
"name",
|
|
91615
91674
|
"value",
|
|
91616
91675
|
"owner",
|
|
91676
|
+
"your",
|
|
91617
91677
|
"application",
|
|
91618
91678
|
"configured",
|
|
91619
91679
|
"condition",
|
|
@@ -91623,56 +91683,6 @@
|
|
|
91623
91683
|
]
|
|
91624
91684
|
}
|
|
91625
91685
|
},
|
|
91626
|
-
{
|
|
91627
|
-
"id": "page-1247",
|
|
91628
|
-
"title": "Manage users with SAML",
|
|
91629
|
-
"url": "https://docs.n8n.io/user-management/saml/managing/index.md",
|
|
91630
|
-
"urlPath": "user-management/saml/managing/index.md",
|
|
91631
|
-
"category": "other",
|
|
91632
|
-
"subcategory": null,
|
|
91633
|
-
"nodeName": null,
|
|
91634
|
-
"nodeType": null,
|
|
91635
|
-
"content": {
|
|
91636
|
-
"markdown": "# Manage users with SAML\n\nFeature availability\n\n- Available on Business and Enterprise plans.\n- You need to be an instance owner or admin to enable and configure SAML.\n\nThere are some user management tasks that are affected by SAML.\n\n## Exempt users from SAML\n\nYou can allow users to log in without using SAML. To do this:\n\n1. Go to **Settings** > **Users**.\n1. Select the menu icon by the user you want to exempt from SAML.\n1. Select **Allow Manual Login**.\n\n## Deleting users\n\nIf you remove a user from your IdP, they remain logged in to n8n. You need to manually remove them from n8n as well. Refer to [Manage users](../../manage-users/) for guidance on deleting users.\n",
|
|
91637
|
-
"excerpt": "# Manage users with SAML Feature availability - Available on Business and Enterprise plans. - You need to be an instance owner or admin to enable and configure SAML. There are some user management tasks that are affected by SAML. ## Exempt users from SAML You can allow users to log in without using SAML. To do this: 1. Go to **Settings** > **Users**. 1. Select the menu icon by the user you want to exempt from SAML. 1. Select **Allow Manual Login**. ## Deleting users If you remove a user...",
|
|
91638
|
-
"sections": [
|
|
91639
|
-
{
|
|
91640
|
-
"title": "Manage users with SAML",
|
|
91641
|
-
"level": 1,
|
|
91642
|
-
"content": "Feature availability\n\n- Available on Business and Enterprise plans.\n- You need to be an instance owner or admin to enable and configure SAML.\n\nThere are some user management tasks that are affected by SAML."
|
|
91643
|
-
}
|
|
91644
|
-
]
|
|
91645
|
-
},
|
|
91646
|
-
"metadata": {
|
|
91647
|
-
"keywords": [
|
|
91648
|
-
"manage",
|
|
91649
|
-
"users",
|
|
91650
|
-
"with",
|
|
91651
|
-
"saml",
|
|
91652
|
-
"exempt",
|
|
91653
|
-
"from",
|
|
91654
|
-
"deleting"
|
|
91655
|
-
],
|
|
91656
|
-
"useCases": [],
|
|
91657
|
-
"operations": [],
|
|
91658
|
-
"codeExamples": 0,
|
|
91659
|
-
"complexity": "beginner",
|
|
91660
|
-
"readingTime": "1 min",
|
|
91661
|
-
"contentLength": 673,
|
|
91662
|
-
"relatedPages": []
|
|
91663
|
-
},
|
|
91664
|
-
"searchIndex": {
|
|
91665
|
-
"fullText": "manage users with saml # manage users with saml\n\nfeature availability\n\n- available on business and enterprise plans.\n- you need to be an instance owner or admin to enable and configure saml.\n\nthere are some user management tasks that are affected by saml.\n\n## exempt users from saml\n\nyou can allow users to log in without using saml. to do this:\n\n1. go to **settings** > **users**.\n1. select the menu icon by the user you want to exempt from saml.\n1. select **allow manual login**.\n\n## deleting users\n\nif you remove a user from your idp, they remain logged in to n8n. you need to manually remove them from n8n as well. refer to [manage users](../../manage-users/) for guidance on deleting users.\n manage users with saml",
|
|
91666
|
-
"importantTerms": [
|
|
91667
|
-
"users",
|
|
91668
|
-
"saml",
|
|
91669
|
-
"manage",
|
|
91670
|
-
"from",
|
|
91671
|
-
"with",
|
|
91672
|
-
"user"
|
|
91673
|
-
]
|
|
91674
|
-
}
|
|
91675
|
-
},
|
|
91676
91686
|
{
|
|
91677
91687
|
"id": "page-1248",
|
|
91678
91688
|
"title": "Okta Workforce Identity SAML setup",
|
|
@@ -91683,7 +91693,7 @@
|
|
|
91683
91693
|
"nodeName": null,
|
|
91684
91694
|
"nodeType": null,
|
|
91685
91695
|
"content": {
|
|
91686
|
-
"markdown": "# Okta Workforce Identity SAML setup\n\nSet up SAML SSO in n8n with Okta.\n\nWorkforce Identity and Customer Identity\n\nThis guide covers setting up Workforce Identity. This is the original Okta product. Customer Identity is Okta's name for Auth0, which they've acquired.\n\n## Prerequisites\n\nYou need an Okta Workforce Identity account, and the redirect URL and entity ID from n8n's SAML settings.\n\nOkta Workforce may enforce two factor authentication for users, depending on your Okta configuration.\n\nRead the [Set up SAML](../setup/) guide first.\n\n## Setup\n\nIn addition to the following instructions, [this PDF](../n8n-saml-with-okta.pdf) provides visual step-by-step guide on how to setup SAML in n8n with Okta.\n\n1. In your Okta admin panel, select **Applications** > **Applications**.\n\n1. Select **Create App Integration**. Okta opens the app creation modal.\n\n1. Select **SAML 2.0**, then select **Next**.\n\n1. On the **General Settings** tab, enter `n8n` as the **App name**.\n\n1. Select **Next** .\n\n1. On the **Configure SAML** tab, complete the following **General** fields:\n\n - **Single sign-on URL**: the **Redirect URL** from n8n.\n - **Audience URI (SP Entity ID)**: the **Entity ID** from n8n.\n - **Default RelayState**: leave this empty.\n - **Name ID format**: `EmailAddress`.\n - **Application username**: `Okta username`.\n - **Update application username on**: `Create and update`.\n\n1. 
Create **Attribute Statements**:\n\n | **Name** | **Name format** | **Value** |\n | -------------------------------------------------------------------- | --------------- | -------------- |\n | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/firstname` | URI Reference | user.firstName |\n | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/lastname` | URI Reference | user.lastName |\n | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn` | URI Reference | user.login |\n | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` | URI Reference | user.email |\n\n1. Select **Next**. Okta may prompt you to complete a marketing form, or may take you directly to your new n8n Okta app.\n\n1. Assign the n8n app to people:\n\n 1. On the n8n app dashboard in Okta, select **Assignments**.\n 1. Select **Assign** > **Assign to People**. Okta displays a modal with a list of available people.\n 1. Select **Assign** next to the person you want to add. Okta displays a prompt to confirm the username.\n 1. Leave the username as email address. Select **Save and Go Back**.\n 1. Select **Done**.\n\n1. Get the metadata XML: on the **Sign On** tab, copy the Metadata URL. Navigate to it, and copy the XML. Paste this into **Identity Provider Settings** in n8n.\n\n1. Select **Save settings**.\n\n1. Select **Test settings**. n8n opens a new tab. If you're not currently logged in, Okta prompts you to sign in. n8n then displays a success message confirming the attributes returned by Okta.\n\n### Instance and project access provisioning\n\
|
|
91696
|
+
"markdown": "# Okta Workforce Identity SAML setup\n\nSet up SAML SSO in n8n with Okta.\n\nWorkforce Identity and Customer Identity\n\nThis guide covers setting up Workforce Identity. This is the original Okta product. Customer Identity is Okta's name for Auth0, which they've acquired.\n\n## Prerequisites\n\nYou need an Okta Workforce Identity account, and the redirect URL and entity ID from n8n's SAML settings.\n\nOkta Workforce may enforce two factor authentication for users, depending on your Okta configuration.\n\nRead the [Set up SAML](../setup/) guide first.\n\n## Setup\n\nIn addition to the following instructions, [this PDF](../n8n-saml-with-okta.pdf) provides visual step-by-step guide on how to setup SAML in n8n with Okta.\n\n1. In your Okta admin panel, select **Applications** > **Applications**.\n\n1. Select **Create App Integration**. Okta opens the app creation modal.\n\n1. Select **SAML 2.0**, then select **Next**.\n\n1. On the **General Settings** tab, enter `n8n` as the **App name**.\n\n1. Select **Next** .\n\n1. On the **Configure SAML** tab, complete the following **General** fields:\n\n - **Single sign-on URL**: the **Redirect URL** from n8n.\n - **Audience URI (SP Entity ID)**: the **Entity ID** from n8n.\n - **Default RelayState**: leave this empty.\n - **Name ID format**: `EmailAddress`.\n - **Application username**: `Okta username`.\n - **Update application username on**: `Create and update`.\n\n1. 
Create **Attribute Statements**:\n\n | **Name** | **Name format** | **Value** |\n | -------------------------------------------------------------------- | --------------- | -------------- |\n | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/firstname` | URI Reference | user.firstName |\n | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/lastname` | URI Reference | user.lastName |\n | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn` | URI Reference | user.login |\n | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` | URI Reference | user.email |\n\n1. Select **Next**. Okta may prompt you to complete a marketing form, or may take you directly to your new n8n Okta app.\n\n1. Assign the n8n app to people:\n\n 1. On the n8n app dashboard in Okta, select **Assignments**.\n 1. Select **Assign** > **Assign to People**. Okta displays a modal with a list of available people.\n 1. Select **Assign** next to the person you want to add. Okta displays a prompt to confirm the username.\n 1. Leave the username as email address. Select **Save and Go Back**.\n 1. Select **Done**.\n\n1. Get the metadata XML: on the **Sign On** tab, copy the Metadata URL. Navigate to it, and copy the XML. Paste this into **Identity Provider Settings** in n8n.\n\n1. Select **Save settings**.\n\n1. Select **Test settings**. n8n opens a new tab. If you're not currently logged in, Okta prompts you to sign in. n8n then displays a success message confirming the attributes returned by Okta.\n\n### Instance and project access provisioning\n\nn8n supports two ways to provision instance and project roles via SSO. Choose one based on where you want the mapping logic to live:\n\n- **Map rules on your IdP**: configure n8n-specific attributes (`n8n_instance_role` and `n8n_projects`) in Okta, and n8n reads them directly from the SAML response. 
Steps below.\n- **Map rules inside n8n**: send group membership from Okta as a SAML attribute, and define mapping expressions inside n8n. No n8n-specific configuration is needed in Okta beyond the group attribute. See [Map rules inside n8n](../setup/#map-rules-inside-n8n) on the main SAML setup page.\n\nIn n8n, set **Role assignment** to **Instance roles via SSO** or **Instance and project roles via SSO**, then choose your preferred **Role mapping method**.\n\n#### Map rules on your IdP\n\n**Adding the required attributes**\n\n1. In your Okta admin panel, select **Applications** > **Applications**.\n\n1. Go to the configuration of your n8n application\n\n1. On the **General** tab, click **Edit** next to **SAML Settings**\n\n1. In the page that opens, continue to step 2: **Configure SAML**\n\n1. Add the following two **Attribute Statements**:\n\n | **Name** | **Name format** | **Value** |\n | ----------------- | --------------- | ------------------------- |\n | n8n_instance_role | Basic | appuser.n8n_instance_role |\n | n8n_projects | Basic | appuser.n8n_projects |\n\n1. Click **Next**\n\n1. Click **Finish**\n\n**Updating the app profile**\n\n1. In your Okta admin panel, select **Directory** > **Profile Editor**.\n1. Go to the profile of your n8n application\n1. Click **Add Attribute**\n1. Add the **n8n_instance_role** attribute\n - **Data type**: string\n - **Display name**: n8n_instance_role\n - **Variable name**: n8n_instance_role\n - **Attribute type**: Group\n1. Add the **n8n_projects** attribute\n - **Data type**: string array\n - **Display name**: n8n_projects\n - **Variable name**: n8n_projects\n - **Attribute type**: Group\n - **Group priority**: Combine values across groups\n\nNow when you go to **Directory** > **Groups** and edit the assigned n8n application, you can configure the **n8n_instance_role** and **n8n_projects** to be sent to n8n upon logging in via SAML.\n",
|
|
91687
91697
|
"excerpt": "# Okta Workforce Identity SAML setup Set up SAML SSO in n8n with Okta. Workforce Identity and Customer Identity This guide covers setting up Workforce Identity. This is the original Okta product. Customer Identity is Okta's name for Auth0, which they've acquired. ## Prerequisites You need an Okta Workforce Identity account, and the redirect URL and entity ID from n8n's SAML settings. Okta Workforce may enforce two factor authentication for users, depending on your Okta configuration. Read...",
|
|
91688
91698
|
"sections": [
|
|
91689
91699
|
{
|
|
@@ -91704,35 +91714,41 @@
|
|
|
91704
91714
|
"instance",
|
|
91705
91715
|
"project",
|
|
91706
91716
|
"access",
|
|
91707
|
-
"provisioning"
|
|
91717
|
+
"provisioning",
|
|
91718
|
+
"rules",
|
|
91719
|
+
"your"
|
|
91708
91720
|
],
|
|
91709
91721
|
"useCases": [],
|
|
91710
91722
|
"operations": [],
|
|
91711
91723
|
"codeExamples": 0,
|
|
91712
|
-
"complexity": "
|
|
91724
|
+
"complexity": "intermediate",
|
|
91713
91725
|
"readingTime": "4 min",
|
|
91714
|
-
"contentLength":
|
|
91726
|
+
"contentLength": 5308,
|
|
91715
91727
|
"relatedPages": []
|
|
91716
91728
|
},
|
|
91717
91729
|
"searchIndex": {
|
|
91718
|
-
"fullText": "okta workforce identity saml setup # okta workforce identity saml setup\n\nset up saml sso in n8n with okta.\n\nworkforce identity and customer identity\n\nthis guide covers setting up workforce identity. this is the original okta product. customer identity is okta's name for auth0, which they've acquired.\n\n## prerequisites\n\nyou need an okta workforce identity account, and the redirect url and entity id from n8n's saml settings.\n\nokta workforce may enforce two factor authentication for users, depending on your okta configuration.\n\nread the [set up saml](../setup/) guide first.\n\n## setup\n\nin addition to the following instructions, [this pdf](../n8n-saml-with-okta.pdf) provides visual step-by-step guide on how to setup saml in n8n with okta.\n\n1. in your okta admin panel, select **applications** > **applications**.\n\n1. select **create app integration**. okta opens the app creation modal.\n\n1. select **saml 2.0**, then select **next**.\n\n1. on the **general settings** tab, enter `n8n` as the **app name**.\n\n1. select **next** .\n\n1. on the **configure saml** tab, complete the following **general** fields:\n\n - **single sign-on url**: the **redirect url** from n8n.\n - **audience uri (sp entity id)**: the **entity id** from n8n.\n - **default relaystate**: leave this empty.\n - **name id format**: `emailaddress`.\n - **application username**: `okta username`.\n - **update application username on**: `create and update`.\n\n1. 
create **attribute statements**:\n\n | **name** | **name format** | **value** |\n | -------------------------------------------------------------------- | --------------- | -------------- |\n | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/firstname` | uri reference | user.firstname |\n | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/lastname` | uri reference | user.lastname |\n | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn` | uri reference | user.login |\n | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` | uri reference | user.email |\n\n1. select **next**. okta may prompt you to complete a marketing form, or may take you directly to your new n8n okta app.\n\n1. assign the n8n app to people:\n\n 1. on the n8n app dashboard in okta, select **assignments**.\n 1. select **assign** > **assign to people**. okta displays a modal with a list of available people.\n 1. select **assign** next to the person you want to add. okta displays a prompt to confirm the username.\n 1. leave the username as email address. select **save and go back**.\n 1. select **done**.\n\n1. get the metadata xml: on the **sign on** tab, copy the metadata url. navigate to it, and copy the xml. paste this into **identity provider settings** in n8n.\n\n1. select **save settings**.\n\n1. select **test settings**. n8n opens a new tab. if you're not currently logged in, okta prompts you to sign in. n8n then displays a success message confirming the attributes returned by okta.\n\n### instance and project access provisioning\n\
|
|
91730
|
+
"fullText": "okta workforce identity saml setup # okta workforce identity saml setup\n\nset up saml sso in n8n with okta.\n\nworkforce identity and customer identity\n\nthis guide covers setting up workforce identity. this is the original okta product. customer identity is okta's name for auth0, which they've acquired.\n\n## prerequisites\n\nyou need an okta workforce identity account, and the redirect url and entity id from n8n's saml settings.\n\nokta workforce may enforce two factor authentication for users, depending on your okta configuration.\n\nread the [set up saml](../setup/) guide first.\n\n## setup\n\nin addition to the following instructions, [this pdf](../n8n-saml-with-okta.pdf) provides visual step-by-step guide on how to setup saml in n8n with okta.\n\n1. in your okta admin panel, select **applications** > **applications**.\n\n1. select **create app integration**. okta opens the app creation modal.\n\n1. select **saml 2.0**, then select **next**.\n\n1. on the **general settings** tab, enter `n8n` as the **app name**.\n\n1. select **next** .\n\n1. on the **configure saml** tab, complete the following **general** fields:\n\n - **single sign-on url**: the **redirect url** from n8n.\n - **audience uri (sp entity id)**: the **entity id** from n8n.\n - **default relaystate**: leave this empty.\n - **name id format**: `emailaddress`.\n - **application username**: `okta username`.\n - **update application username on**: `create and update`.\n\n1. 
create **attribute statements**:\n\n | **name** | **name format** | **value** |\n | -------------------------------------------------------------------- | --------------- | -------------- |\n | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/firstname` | uri reference | user.firstname |\n | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/lastname` | uri reference | user.lastname |\n | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn` | uri reference | user.login |\n | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` | uri reference | user.email |\n\n1. select **next**. okta may prompt you to complete a marketing form, or may take you directly to your new n8n okta app.\n\n1. assign the n8n app to people:\n\n 1. on the n8n app dashboard in okta, select **assignments**.\n 1. select **assign** > **assign to people**. okta displays a modal with a list of available people.\n 1. select **assign** next to the person you want to add. okta displays a prompt to confirm the username.\n 1. leave the username as email address. select **save and go back**.\n 1. select **done**.\n\n1. get the metadata xml: on the **sign on** tab, copy the metadata url. navigate to it, and copy the xml. paste this into **identity provider settings** in n8n.\n\n1. select **save settings**.\n\n1. select **test settings**. n8n opens a new tab. if you're not currently logged in, okta prompts you to sign in. n8n then displays a success message confirming the attributes returned by okta.\n\n### instance and project access provisioning\n\nn8n supports two ways to provision instance and project roles via sso. choose one based on where you want the mapping logic to live:\n\n- **map rules on your idp**: configure n8n-specific attributes (`n8n_instance_role` and `n8n_projects`) in okta, and n8n reads them directly from the saml response. 
steps below.\n- **map rules inside n8n**: send group membership from okta as a saml attribute, and define mapping expressions inside n8n. no n8n-specific configuration is needed in okta beyond the group attribute. see [map rules inside n8n](../setup/#map-rules-inside-n8n) on the main saml setup page.\n\nin n8n, set **role assignment** to **instance roles via sso** or **instance and project roles via sso**, then choose your preferred **role mapping method**.\n\n#### map rules on your idp\n\n**adding the required attributes**\n\n1. in your okta admin panel, select **applications** > **applications**.\n\n1. go to the configuration of your n8n application\n\n1. on the **general** tab, click **edit** next to **saml settings**\n\n1. in the page that opens, continue to step 2: **configure saml**\n\n1. add the following two **attribute statements**:\n\n | **name** | **name format** | **value** |\n | ----------------- | --------------- | ------------------------- |\n | n8n_instance_role | basic | appuser.n8n_instance_role |\n | n8n_projects | basic | appuser.n8n_projects |\n\n1. click **next**\n\n1. click **finish**\n\n**updating the app profile**\n\n1. in your okta admin panel, select **directory** > **profile editor**.\n1. go to the profile of your n8n application\n1. click **add attribute**\n1. add the **n8n_instance_role** attribute\n - **data type**: string\n - **display name**: n8n_instance_role\n - **variable name**: n8n_instance_role\n - **attribute type**: group\n1. add the **n8n_projects** attribute\n - **data type**: string array\n - **display name**: n8n_projects\n - **variable name**: n8n_projects\n - **attribute type**: group\n - **group priority**: combine values across groups\n\nnow when you go to **directory** > **groups** and edit the assigned n8n application, you can configure the **n8n_instance_role** and **n8n_projects** to be sent to n8n upon logging in via saml.\n okta workforce identity saml setup",
|
|
91719
91731
|
"importantTerms": [
|
|
91720
91732
|
"okta",
|
|
91721
|
-
"select",
|
|
91722
91733
|
"saml",
|
|
91734
|
+
"select",
|
|
91723
91735
|
"identity",
|
|
91724
91736
|
"name",
|
|
91725
|
-
"workforce",
|
|
91726
|
-
"setup",
|
|
91727
91737
|
"your",
|
|
91728
91738
|
"attribute",
|
|
91729
|
-
"
|
|
91739
|
+
"setup",
|
|
91740
|
+
"workforce",
|
|
91730
91741
|
"settings",
|
|
91731
91742
|
"next",
|
|
91743
|
+
"this",
|
|
91744
|
+
"from",
|
|
91732
91745
|
"application",
|
|
91733
91746
|
"username",
|
|
91747
|
+
"rules",
|
|
91748
|
+
"group",
|
|
91734
91749
|
"with",
|
|
91735
91750
|
"applications",
|
|
91751
|
+
"configure",
|
|
91736
91752
|
"http",
|
|
91737
91753
|
"schemas",
|
|
91738
91754
|
"xmlsoap",
|
|
@@ -91740,25 +91756,29 @@
|
|
|
91740
91756
|
"reference",
|
|
91741
91757
|
"user",
|
|
91742
91758
|
"assign",
|
|
91759
|
+
"instance",
|
|
91760
|
+
"inside",
|
|
91743
91761
|
"click",
|
|
91744
91762
|
"type",
|
|
91745
91763
|
"guide",
|
|
91746
91764
|
"entity",
|
|
91747
|
-
"
|
|
91765
|
+
"configuration",
|
|
91748
91766
|
"following",
|
|
91749
91767
|
"step",
|
|
91750
91768
|
"admin",
|
|
91751
91769
|
"panel",
|
|
91752
91770
|
"create",
|
|
91753
91771
|
"opens",
|
|
91772
|
+
"then",
|
|
91754
91773
|
"general",
|
|
91755
|
-
"configure",
|
|
91756
91774
|
"sign",
|
|
91757
91775
|
"format",
|
|
91758
91776
|
"people",
|
|
91759
91777
|
"displays",
|
|
91760
|
-
"
|
|
91761
|
-
"
|
|
91778
|
+
"attributes",
|
|
91779
|
+
"project",
|
|
91780
|
+
"roles",
|
|
91781
|
+
"mapping"
|
|
91762
91782
|
]
|
|
91763
91783
|
}
|
|
91764
91784
|
},
|
|
@@ -91772,7 +91792,7 @@
|
|
|
91772
91792
|
"nodeName": null,
|
|
91773
91793
|
"nodeType": null,
|
|
91774
91794
|
"content": {
|
|
91775
|
-
"markdown": "# Set up SAML\n\nFeature availability\n\n- Available on Business and Enterprise plans.\n- You need to be an instance owner or admin to enable and configure SAML.\n\n## Enable SAML\n\n1. In n8n, go to **Settings** > **SSO**.\n1. Make a note of the n8n **Redirect URL** and **Entity ID**.\n - **Optional**: If your IdP allows you to set up SAML from imported metadata, navigate to the **Entity ID** URL and save the XML.\n - **Optional**: If you are running n8n behind a load balancer make sure you have `N8N_EDITOR_BASE_URL` configured.\n1. Set up SAML with your identity provider (IdP). You need the **Redirect URL** and **Entity ID**. You may also need an email address and name for the IdP user.\n1. After completing setup in your IdP, load the metadata XML into n8n. You can use a metadata URL or raw XML:\n - **Metadata URL**: Copy the metadata URL from your IdP into the **Identity Provider Settings** field in n8n.\n - **Raw XML**: Download the metadata XML from your IdP, toggle **Identiy Provider Settings** to **XML**, and then copy the raw XML into **Identity Provider Settings**.\n1. Select **Save settings**.\n1. Select **Test settings** to check your SAML setup is working.\n1. Set SAML 2.0 to **Activated**.\n\nSAML Request Type\n\nn8n doesn't support `POST` binding. Configure your IdP to use `HTTP` request binding instead.\n\n## Generic IdP setup\n\nThe steps to configure the IdP vary depending on your chosen IdP. 
These are some common setup tasks:\n\n- Create an app for n8n in your IdP.\n- Map n8n attributes to IdP attributes:\n\n| Value (IdP side) | Name format | Name |\n| ---------------- | ------------- | -------------------------------------------------------------------- |\n| User email | URI Reference | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` |\n| User First Name | URI Reference | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/firstname` |\n| User Last Name | URI Reference | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/lastname` |\n| User Email | URI Reference | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn` |\n\n### Instance and project access provisioning\n\nFrom version `1.122.2` upwards, n8n supports provisioning the instance role and project roles from your IdP.\n\nYou need to configure these attributes on the groups or individual users in your IdP:\n\n| Value (IdP side) | Data type | Name |\n| ------------------- | --------- | ------------------- |\n| `n8n_instance_role` | string | `n8n_instance_role` |\n| `n8n_projects` | array | `n8n_projects` |\n\nOn the form on the **Settings** > **SSO** page, located the dropdown labeled **User role provisioning**. n8n sets the default value of this dropdown to **Managed in n8n**.\n\nYou can choose to set it to one of these values:\n\n- **Instance role**\n - Only the instance role of each provisioned user is read from the `n8n_instance_role` attribute from the SAML response. 
Project access is still managed inside n8n only.\n - If there is no value for `n8n_instance_role` configured on your IdP, the `global:member` role is used as fallback.\n- **Instance and project roles**\n - Both the instance role and project access of each provisioned user are read from the `n8n_instance_role` and `n8n_projects` attributes from the SAML response.\n\nExisting access will be overwritten\n\nOnce you enable \"User role provisioning\", the next time any user logs in via SAML, any access they've been granted inside n8n, which isn't reflected in the n8n_instance_role and n8n_projects will be removed from that user.\n\nWhen activating this feature, you are required to download two CSV files before you can save this change. These files contain all your current access settings should you need to reference them.\n\n#### Configuring n8n_instance_role attribute\n\nThe `n8n_instance_role` attribute is a string configured for a group or user on your IdP.\n\nSupported instance roles are:\n\n- `global:member`\n- `global:admin`\n\n#### Configuring n8n_projects attribute\n\nThe `n8n_projects` attribute is a string array configured for a group or user on your IdP.\n\nEach element in this array needs to follow this format: `<project-id>:<role>`\n\nFor example:\n\n- `bHsykgeFirmIhezz:viewer`\n- `4K3zrg3DvlMFFTB7:editor`\n- `dCjnYuEpYOUBVaNe:admin`\n\nFor existing access settings at the time of enabling project access provisioning through your IdP, you can find the project IDs in the downloaded CSV file.\n\nWhen creating a project from scratch, get the project ID from the URL when viewing the project in your browser:\n\nIn the URL `<your-domain>/projects/VVRWZaq5DRxaf9O1/workflows` for example, the project ID is `VVRWZaq5DRxaf9O1`.\n\n## Setup resources for common IdPs\n\nDocumentation links for common IdPs.\n\n| IdP | Documentation |\n| ------------ | 
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |\n| Auth0 | [Configure Auth0 as SAML Identity Provider: Manually configure SSO integrations](https://auth0.com/docs/authenticate/protocols/saml/saml-sso-integrations/configure-auth0-saml-identity-provider#manually-configure-sso-integrations) |\n| Authentik | [Applications](https://goauthentik.io/docs/applications) and the [SAML Provider](https://docs.goauthentik.io/add-secure-apps/providers/saml/) |\n| Azure AD | [SAML authentication with Azure Active Directory](https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/auth-saml) |\n| JumpCloud | [How to setup SAML (SSO) applications with JumpCloud](https://jumpcloud.com/support/integrate-with-zoom#configuring-the-sso-integration) (using `Zoom` as an example) |\n| Keycloak | Choose a [Getting Started](https://www.keycloak.org/guides#getting-started) guide depending on your hosting. |\n| Okta | n8n provides a [Workforce Identity setup guide](../okta/) as well as a [step-by-step PDF guide](../n8n-saml-with-okta.pdf) |\n| PingIdentity | [PingOne SSO](https://docs.pingidentity.com/pingone/getting_started_with_pingone/p1_p1sso_start.html) |\n",
|
|
91795
|
+
"markdown": "# Set up SAML\n\nFeature availability\n\n- Available on Business and Enterprise plans.\n- You need to be an instance owner or admin to enable and configure SAML.\n\n## Enable SAML\n\n1. In n8n, go to **Settings** > **SSO**.\n1. Make a note of the n8n **Redirect URL** and **Entity ID**.\n - **Optional**: If your IdP allows you to set up SAML from imported metadata, navigate to the **Entity ID** URL and save the XML.\n - **Optional**: If you are running n8n behind a load balancer make sure you have `N8N_EDITOR_BASE_URL` configured.\n1. Set up SAML with your identity provider (IdP). You need the **Redirect URL** and **Entity ID**. You may also need an email address and name for the IdP user.\n1. After completing setup in your IdP, load the metadata XML into n8n. You can use a metadata URL or raw XML:\n - **Metadata URL**: Copy the metadata URL from your IdP into the **Identity Provider Settings** field in n8n.\n - **Raw XML**: Download the metadata XML from your IdP, toggle **Identiy Provider Settings** to **XML**, and then copy the raw XML into **Identity Provider Settings**.\n1. Select **Save settings**.\n1. Select **Test settings** to check your SAML setup is working.\n1. Set SAML 2.0 to **Activated**.\n\nSAML Request Type\n\nn8n doesn't support `POST` binding. Configure your IdP to use `HTTP` request binding instead.\n\n## Generic IdP setup\n\nThe steps to configure the IdP vary depending on your chosen IdP. 
These are some common setup tasks:\n\n- Create an app for n8n in your IdP.\n- Map n8n attributes to IdP attributes:\n\n| Value (IdP side) | Name format | Name |\n| ---------------- | ------------- | -------------------------------------------------------------------- |\n| User email | URI Reference | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` |\n| User First Name | URI Reference | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/firstname` |\n| User Last Name | URI Reference | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/lastname` |\n| User Email | URI Reference | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn` |\n\n### Instance and project access provisioning\n\nn8n supports provisioning the instance role and project roles via SSO. When a user signs in via SAML, n8n can assign their instance role and project access automatically based on attributes in the SAML response.\n\nRole provisioning was introduced in version `1.122.2`.\n\n#### Choose how roles are assigned\n\nIn n8n, go to **Settings** > **SSO**. Use the **Role assignment** dropdown to choose how n8n assigns roles to users who sign in via SSO. The default is **Assigned manually in n8n**.\n\nThe options are:\n\n- **Assigned manually in n8n**: admins assign every role directly in n8n. No automatic mapping from your IdP.\n- **Instance roles via SSO**: n8n reads the user's instance role from the IdP at login. 
Project access is still managed manually in n8n.\n- **Instance and project roles via SSO**: n8n reads both the instance role and project access from the IdP at login.\n\nRoles are re-evaluated on every login, so changes in the IdP take effect at the user's next sign-in.\n\nExisting access will be overwritten\n\nWhen you enable one of the SSO provisioning modes, any access granted inside n8n that isn't reflected in the IdP response is removed from users on their next login.\n\nBefore saving this change, n8n asks you to download two CSV files containing your current access settings. Keep these for reference.\n\n#### Choose a role mapping method\n\nWhen **Role assignment** is set to **Instance roles via SSO** or **Instance and project roles via SSO**, a **Role mapping method** dropdown appears. You can choose:\n\n- **Map rules on your IdP**: n8n reads n8n-specific attributes (`n8n_instance_role` and `n8n_projects`) directly from the SAML response. Your IdP admin configures which n8n role or project each user or group should receive.\n- **Map rules inside n8n**: you define expressions in n8n that evaluate the user's SAML attributes and return a role. Use this when your IdP can't encode n8n-specific role logic, or when IT governance makes IdP-side changes slow.\n\n#### Map rules on your IdP\n\nConfigure these attributes on the groups or individual users in your IdP:\n\n| Value (IdP side) | Data type | Name |\n| ------------------- | --------- | ------------------- |\n| `n8n_instance_role` | string | `n8n_instance_role` |\n| `n8n_projects` | array | `n8n_projects` |\n\n**Configuring the `n8n_instance_role` attribute**\n\n`n8n_instance_role` is a string configured for a group or user on your IdP. If no value is set, n8n falls back to `global:member`.\n\nSupported instance roles:\n\n- `global:member`\n- `global:admin`\n- `global:chatUser`\n\n**Configuring the `n8n_projects` attribute**\n\n`n8n_projects` is a string array configured for a group or user on your IdP. 
Each element must follow the format `<project-id>:<role>`.\n\nFor example:\n\n- `bHsykgeFirmIhezz:viewer`\n- `4K3zrg3DvlMFFTB7:editor`\n- `dCjnYuEpYOUBVaNe:admin`\n\nFor existing access at the time of enabling project provisioning, find the project IDs in the downloaded CSV file.\n\nFor new projects, get the project ID from the URL when viewing the project in your browser. In the URL `<your-domain>/projects/VVRWZaq5DRxaf9O1/workflows`, the project ID is `VVRWZaq5DRxaf9O1`.\n\n#### Map rules inside n8n\n\n**Map rules inside n8n** is available from version `2.19.0` upwards.\n\nUse this option to define group-to-role mappings inside n8n rather than in your IdP. Each rule is an expression that n8n evaluates against the SAML attributes in the IdP response.\n\n**How expressions work**\n\n- Expressions access all SAML attributes from the IdP response through a `$claims` object.\n- If the expression returns `true`, n8n assigns the role you've selected on that rule.\n- Rules are evaluated top-to-bottom. The first matching rule wins.\n- Rules re-evaluate on every login, so role changes take effect at the user's next session.\n- `$claims` exposes the raw SAML attributes. n8n doesn't normalise them, so write expressions against the structure your IdP actually sends. SAML group membership is usually delivered as a multi-value attribute, but the exact shape depends on your IdP.\n\nCheck your SAML response structure\n\nDifferent IdPs serialise groups and other attributes differently. Before writing rules, use a browser tool like SAML Chrome Panel (or your IdP's test tools) to inspect the SAML response and confirm the attribute names and structure.\n\n**Instance role rules**\n\nUnder **Instance role rules**, select **Add rule** to create a rule. 
Enter a condition expression and choose the instance role to assign when the condition returns `true`.\n\nFor example, to assign the **Admin** role to any user in the IdP `admin` group:\n\n```\n{{ $claims.groups.includes('admin') }}\n```\n\nThe **Default condition** row sets the role that users receive when no rule matches. By default this is **Member**.\n\n**Project role rules**\n\nUnder **Project role rules**, select **Add rule** to create a rule that assigns a project role in one or more projects.\n\nFor example, to give users in the `operations` group the **Project Editor** role in the **Operations** project, set the expression to:\n\n```\n{{ $claims.groups.includes('operations') }}\n```\n\nChoose the role in the **assign** field and the target projects in the **in** field. Users who don't match any project rule get no project access.\n\nManual role management is disabled\n\nWhen **Map rules inside n8n** is active, the UI controls for manually assigning user roles are disabled. All role assignment flows through the mapping rules.\n\nSwitching mapping methods\n\nSwitching from **Map rules inside n8n** back to **Map rules on your IdP** removes any in-n8n mappings. Users may lose their currently assigned roles on their next login if equivalent mappings aren't set up in your IdP. 
n8n asks you to confirm before applying this change.\n\n## Setup resources for common IdPs\n\nDocumentation links for common IdPs.\n\n| IdP | Documentation |\n| ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |\n| Auth0 | [Configure Auth0 as SAML Identity Provider: Manually configure SSO integrations](https://auth0.com/docs/authenticate/protocols/saml/saml-sso-integrations/configure-auth0-saml-identity-provider#manually-configure-sso-integrations) |\n| Authentik | [Applications](https://goauthentik.io/docs/applications) and the [SAML Provider](https://docs.goauthentik.io/add-secure-apps/providers/saml/) |\n| Azure AD | [SAML authentication with Azure Active Directory](https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/auth-saml) |\n| JumpCloud | [How to setup SAML (SSO) applications with JumpCloud](https://jumpcloud.com/support/integrate-with-zoom#configuring-the-sso-integration) (using `Zoom` as an example) |\n| Keycloak | Choose a [Getting Started](https://www.keycloak.org/guides#getting-started) guide depending on your hosting. |\n| Okta | n8n provides a [Workforce Identity setup guide](../okta/) as well as a [step-by-step PDF guide](../n8n-saml-with-okta.pdf) |\n| PingIdentity | [PingOne SSO](https://docs.pingidentity.com/pingone/getting_started_with_pingone/p1_p1sso_start.html) |\n",
|
|
91776
91796
|
"excerpt": "# Set up SAML Feature availability - Available on Business and Enterprise plans. - You need to be an instance owner or admin to enable and configure SAML. ## Enable SAML 1. In n8n, go to **Settings** > **SSO**. 1. Make a note of the n8n **Redirect URL** and **Entity ID**. - **Optional**: If your IdP allows you to set up SAML from imported metadata, navigate to the **Entity ID** URL and save the XML. - **Optional**: If you are running n8n behind a load balancer make sure you have `N8N_E...",
|
|
91777
91797
|
"sections": [
|
|
91778
91798
|
{
|
|
@@ -91792,10 +91812,15 @@
|
|
|
91792
91812
|
"project",
|
|
91793
91813
|
"access",
|
|
91794
91814
|
"provisioning",
|
|
91795
|
-
"
|
|
91815
|
+
"choose",
|
|
91816
|
+
"roles",
|
|
91817
|
+
"assigned",
|
|
91796
91818
|
"role",
|
|
91797
|
-
"
|
|
91798
|
-
"
|
|
91819
|
+
"mapping",
|
|
91820
|
+
"method",
|
|
91821
|
+
"rules",
|
|
91822
|
+
"your",
|
|
91823
|
+
"inside",
|
|
91799
91824
|
"resources",
|
|
91800
91825
|
"common",
|
|
91801
91826
|
"idps"
|
|
@@ -91804,65 +91829,65 @@
|
|
|
91804
91829
|
"- `bHsykgeFirmIhezz:viewer`"
|
|
91805
91830
|
],
|
|
91806
91831
|
"operations": [],
|
|
91807
|
-
"codeExamples":
|
|
91832
|
+
"codeExamples": 2,
|
|
91808
91833
|
"complexity": "intermediate",
|
|
91809
|
-
"readingTime": "
|
|
91810
|
-
"contentLength":
|
|
91834
|
+
"readingTime": "7 min",
|
|
91835
|
+
"contentLength": 10284,
|
|
91811
91836
|
"relatedPages": []
|
|
91812
91837
|
},
|
|
91813
91838
|
"searchIndex": {
|
|
91814
|
-
"fullText": "set up saml # set up saml\n\nfeature availability\n\n- available on business and enterprise plans.\n- you need to be an instance owner or admin to enable and configure saml.\n\n## enable saml\n\n1. in n8n, go to **settings** > **sso**.\n1. make a note of the n8n **redirect url** and **entity id**.\n - **optional**: if your idp allows you to set up saml from imported metadata, navigate to the **entity id** url and save the xml.\n - **optional**: if you are running n8n behind a load balancer make sure you have `n8n_editor_base_url` configured.\n1. set up saml with your identity provider (idp). you need the **redirect url** and **entity id**. you may also need an email address and name for the idp user.\n1. after completing setup in your idp, load the metadata xml into n8n. you can use a metadata url or raw xml:\n - **metadata url**: copy the metadata url from your idp into the **identity provider settings** field in n8n.\n - **raw xml**: download the metadata xml from your idp, toggle **identiy provider settings** to **xml**, and then copy the raw xml into **identity provider settings**.\n1. select **save settings**.\n1. select **test settings** to check your saml setup is working.\n1. set saml 2.0 to **activated**.\n\nsaml request type\n\nn8n doesn't support `post` binding. configure your idp to use `http` request binding instead.\n\n## generic idp setup\n\nthe steps to configure the idp vary depending on your chosen idp. 
these are some common setup tasks:\n\n- create an app for n8n in your idp.\n- map n8n attributes to idp attributes:\n\n| value (idp side) | name format | name |\n| ---------------- | ------------- | -------------------------------------------------------------------- |\n| user email | uri reference | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` |\n| user first name | uri reference | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/firstname` |\n| user last name | uri reference | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/lastname` |\n| user email | uri reference | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn` |\n\n### instance and project access provisioning\n\nfrom version `1.122.2` upwards, n8n supports provisioning the instance role and project roles from your idp.\n\nyou need to configure these attributes on the groups or individual users in your idp:\n\n| value (idp side) | data type | name |\n| ------------------- | --------- | ------------------- |\n| `n8n_instance_role` | string | `n8n_instance_role` |\n| `n8n_projects` | array | `n8n_projects` |\n\non the form on the **settings** > **sso** page, located the dropdown labeled **user role provisioning**. n8n sets the default value of this dropdown to **managed in n8n**.\n\nyou can choose to set it to one of these values:\n\n- **instance role**\n - only the instance role of each provisioned user is read from the `n8n_instance_role` attribute from the saml response. 
project access is still managed inside n8n only.\n - if there is no value for `n8n_instance_role` configured on your idp, the `global:member` role is used as fallback.\n- **instance and project roles**\n - both the instance role and project access of each provisioned user are read from the `n8n_instance_role` and `n8n_projects` attributes from the saml response.\n\nexisting access will be overwritten\n\nonce you enable \"user role provisioning\", the next time any user logs in via saml, any access they've been granted inside n8n, which isn't reflected in the n8n_instance_role and n8n_projects will be removed from that user.\n\nwhen activating this feature, you are required to download two csv files before you can save this change. these files contain all your current access settings should you need to reference them.\n\n#### configuring n8n_instance_role attribute\n\nthe `n8n_instance_role` attribute is a string configured for a group or user on your idp.\n\nsupported instance roles are:\n\n- `global:member`\n- `global:admin`\n\n#### configuring n8n_projects attribute\n\nthe `n8n_projects` attribute is a string array configured for a group or user on your idp.\n\neach element in this array needs to follow this format: `<project-id>:<role>`\n\nfor example:\n\n- `bhsykgefirmihezz:viewer`\n- `4k3zrg3dvlmfftb7:editor`\n- `dcjnyuepyoubvane:admin`\n\nfor existing access settings at the time of enabling project access provisioning through your idp, you can find the project ids in the downloaded csv file.\n\nwhen creating a project from scratch, get the project id from the url when viewing the project in your browser:\n\nin the url `<your-domain>/projects/vvrwzaq5drxaf9o1/workflows` for example, the project id is `vvrwzaq5drxaf9o1`.\n\n## setup resources for common idps\n\ndocumentation links for common idps.\n\n| idp | documentation |\n| ------------ | 
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |\n| auth0 | [configure auth0 as saml identity provider: manually configure sso integrations](https://auth0.com/docs/authenticate/protocols/saml/saml-sso-integrations/configure-auth0-saml-identity-provider#manually-configure-sso-integrations) |\n| authentik | [applications](https://goauthentik.io/docs/applications) and the [saml provider](https://docs.goauthentik.io/add-secure-apps/providers/saml/) |\n| azure ad | [saml authentication with azure active directory](https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/auth-saml) |\n| jumpcloud | [how to setup saml (sso) applications with jumpcloud](https://jumpcloud.com/support/integrate-with-zoom#configuring-the-sso-integration) (using `zoom` as an example) |\n| keycloak | choose a [getting started](https://www.keycloak.org/guides#getting-started) guide depending on your hosting. |\n| okta | n8n provides a [workforce identity setup guide](../okta/) as well as a [step-by-step pdf guide](../n8n-saml-with-okta.pdf) |\n| pingidentity | [pingone sso](https://docs.pingidentity.com/pingone/getting_started_with_pingone/p1_p1sso_start.html) |\n set up saml",
|
|
91839
|
+
"fullText": "set up saml # set up saml\n\nfeature availability\n\n- available on business and enterprise plans.\n- you need to be an instance owner or admin to enable and configure saml.\n\n## enable saml\n\n1. in n8n, go to **settings** > **sso**.\n1. make a note of the n8n **redirect url** and **entity id**.\n - **optional**: if your idp allows you to set up saml from imported metadata, navigate to the **entity id** url and save the xml.\n - **optional**: if you are running n8n behind a load balancer make sure you have `n8n_editor_base_url` configured.\n1. set up saml with your identity provider (idp). you need the **redirect url** and **entity id**. you may also need an email address and name for the idp user.\n1. after completing setup in your idp, load the metadata xml into n8n. you can use a metadata url or raw xml:\n - **metadata url**: copy the metadata url from your idp into the **identity provider settings** field in n8n.\n - **raw xml**: download the metadata xml from your idp, toggle **identiy provider settings** to **xml**, and then copy the raw xml into **identity provider settings**.\n1. select **save settings**.\n1. select **test settings** to check your saml setup is working.\n1. set saml 2.0 to **activated**.\n\nsaml request type\n\nn8n doesn't support `post` binding. configure your idp to use `http` request binding instead.\n\n## generic idp setup\n\nthe steps to configure the idp vary depending on your chosen idp. 
these are some common setup tasks:\n\n- create an app for n8n in your idp.\n- map n8n attributes to idp attributes:\n\n| value (idp side) | name format | name |\n| ---------------- | ------------- | -------------------------------------------------------------------- |\n| user email | uri reference | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` |\n| user first name | uri reference | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/firstname` |\n| user last name | uri reference | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/lastname` |\n| user email | uri reference | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn` |\n\n### instance and project access provisioning\n\nn8n supports provisioning the instance role and project roles via sso. when a user signs in via saml, n8n can assign their instance role and project access automatically based on attributes in the saml response.\n\nrole provisioning was introduced in version `1.122.2`.\n\n#### choose how roles are assigned\n\nin n8n, go to **settings** > **sso**. use the **role assignment** dropdown to choose how n8n assigns roles to users who sign in via sso. the default is **assigned manually in n8n**.\n\nthe options are:\n\n- **assigned manually in n8n**: admins assign every role directly in n8n. no automatic mapping from your idp.\n- **instance roles via sso**: n8n reads the user's instance role from the idp at login. 
project access is still managed manually in n8n.\n- **instance and project roles via sso**: n8n reads both the instance role and project access from the idp at login.\n\nroles are re-evaluated on every login, so changes in the idp take effect at the user's next sign-in.\n\nexisting access will be overwritten\n\nwhen you enable one of the sso provisioning modes, any access granted inside n8n that isn't reflected in the idp response is removed from users on their next login.\n\nbefore saving this change, n8n asks you to download two csv files containing your current access settings. keep these for reference.\n\n#### choose a role mapping method\n\nwhen **role assignment** is set to **instance roles via sso** or **instance and project roles via sso**, a **role mapping method** dropdown appears. you can choose:\n\n- **map rules on your idp**: n8n reads n8n-specific attributes (`n8n_instance_role` and `n8n_projects`) directly from the saml response. your idp admin configures which n8n role or project each user or group should receive.\n- **map rules inside n8n**: you define expressions in n8n that evaluate the user's saml attributes and return a role. use this when your idp can't encode n8n-specific role logic, or when it governance makes idp-side changes slow.\n\n#### map rules on your idp\n\nconfigure these attributes on the groups or individual users in your idp:\n\n| value (idp side) | data type | name |\n| ------------------- | --------- | ------------------- |\n| `n8n_instance_role` | string | `n8n_instance_role` |\n| `n8n_projects` | array | `n8n_projects` |\n\n**configuring the `n8n_instance_role` attribute**\n\n`n8n_instance_role` is a string configured for a group or user on your idp. if no value is set, n8n falls back to `global:member`.\n\nsupported instance roles:\n\n- `global:member`\n- `global:admin`\n- `global:chatuser`\n\n**configuring the `n8n_projects` attribute**\n\n`n8n_projects` is a string array configured for a group or user on your idp. 
each element must follow the format `<project-id>:<role>`.\n\nfor example:\n\n- `bhsykgefirmihezz:viewer`\n- `4k3zrg3dvlmfftb7:editor`\n- `dcjnyuepyoubvane:admin`\n\nfor existing access at the time of enabling project provisioning, find the project ids in the downloaded csv file.\n\nfor new projects, get the project id from the url when viewing the project in your browser. in the url `<your-domain>/projects/vvrwzaq5drxaf9o1/workflows`, the project id is `vvrwzaq5drxaf9o1`.\n\n#### map rules inside n8n\n\n**map rules inside n8n** is available from version `2.19.0` upwards.\n\nuse this option to define group-to-role mappings inside n8n rather than in your idp. each rule is an expression that n8n evaluates against the saml attributes in the idp response.\n\n**how expressions work**\n\n- expressions access all saml attributes from the idp response through a `$claims` object.\n- if the expression returns `true`, n8n assigns the role you've selected on that rule.\n- rules are evaluated top-to-bottom. the first matching rule wins.\n- rules re-evaluate on every login, so role changes take effect at the user's next session.\n- `$claims` exposes the raw saml attributes. n8n doesn't normalise them, so write expressions against the structure your idp actually sends. saml group membership is usually delivered as a multi-value attribute, but the exact shape depends on your idp.\n\ncheck your saml response structure\n\ndifferent idps serialise groups and other attributes differently. before writing rules, use a browser tool like saml chrome panel (or your idp's test tools) to inspect the saml response and confirm the attribute names and structure.\n\n**instance role rules**\n\nunder **instance role rules**, select **add rule** to create a rule. 
enter a condition expression and choose the instance role to assign when the condition returns `true`.\n\nfor example, to assign the **admin** role to any user in the idp `admin` group:\n\n```\n{{ $claims.groups.includes('admin') }}\n```\n\nthe **default condition** row sets the role that users receive when no rule matches. by default this is **member**.\n\n**project role rules**\n\nunder **project role rules**, select **add rule** to create a rule that assigns a project role in one or more projects.\n\nfor example, to give users in the `operations` group the **project editor** role in the **operations** project, set the expression to:\n\n```\n{{ $claims.groups.includes('operations') }}\n```\n\nchoose the role in the **assign** field and the target projects in the **in** field. users who don't match any project rule get no project access.\n\nmanual role management is disabled\n\nwhen **map rules inside n8n** is active, the ui controls for manually assigning user roles are disabled. all role assignment flows through the mapping rules.\n\nswitching mapping methods\n\nswitching from **map rules inside n8n** back to **map rules on your idp** removes any in-n8n mappings. users may lose their currently assigned roles on their next login if equivalent mappings aren't set up in your idp. 
n8n asks you to confirm before applying this change.\n\n## setup resources for common idps\n\ndocumentation links for common idps.\n\n| idp | documentation |\n| ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |\n| auth0 | [configure auth0 as saml identity provider: manually configure sso integrations](https://auth0.com/docs/authenticate/protocols/saml/saml-sso-integrations/configure-auth0-saml-identity-provider#manually-configure-sso-integrations) |\n| authentik | [applications](https://goauthentik.io/docs/applications) and the [saml provider](https://docs.goauthentik.io/add-secure-apps/providers/saml/) |\n| azure ad | [saml authentication with azure active directory](https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/auth-saml) |\n| jumpcloud | [how to setup saml (sso) applications with jumpcloud](https://jumpcloud.com/support/integrate-with-zoom#configuring-the-sso-integration) (using `zoom` as an example) |\n| keycloak | choose a [getting started](https://www.keycloak.org/guides#getting-started) guide depending on your hosting. |\n| okta | n8n provides a [workforce identity setup guide](../okta/) as well as a [step-by-step pdf guide](../n8n-saml-with-okta.pdf) ",
|
|
91815
91840
|
"importantTerms": [
|
|
91816
91841
|
"saml",
|
|
91842
|
+
"role",
|
|
91817
91843
|
"your",
|
|
91844
|
+
"project",
|
|
91845
|
+
"rules",
|
|
91818
91846
|
"user",
|
|
91847
|
+
"instance",
|
|
91819
91848
|
"from",
|
|
91820
|
-
"
|
|
91849
|
+
"roles",
|
|
91821
91850
|
"identity",
|
|
91822
|
-
"
|
|
91823
|
-
"instance",
|
|
91824
|
-
"configure",
|
|
91851
|
+
"attributes",
|
|
91825
91852
|
"access",
|
|
91826
|
-
"
|
|
91853
|
+
"when",
|
|
91854
|
+
"rule",
|
|
91855
|
+
"configure",
|
|
91856
|
+
"settings",
|
|
91857
|
+
"claims",
|
|
91858
|
+
"admin",
|
|
91827
91859
|
"provider",
|
|
91828
91860
|
"setup",
|
|
91861
|
+
"response",
|
|
91862
|
+
"choose",
|
|
91863
|
+
"users",
|
|
91864
|
+
"inside",
|
|
91865
|
+
"group",
|
|
91829
91866
|
"https",
|
|
91830
91867
|
"metadata",
|
|
91831
91868
|
"name",
|
|
91832
|
-
"
|
|
91869
|
+
"manually",
|
|
91870
|
+
"login",
|
|
91871
|
+
"that",
|
|
91833
91872
|
"with",
|
|
91834
91873
|
"http",
|
|
91835
91874
|
"reference",
|
|
91836
91875
|
"provisioning",
|
|
91876
|
+
"assign",
|
|
91877
|
+
"mapping",
|
|
91837
91878
|
"this",
|
|
91838
|
-
"
|
|
91839
|
-
"configured",
|
|
91840
|
-
"these",
|
|
91841
|
-
"attributes",
|
|
91879
|
+
"select",
|
|
91842
91880
|
"value",
|
|
91843
91881
|
"schemas",
|
|
91844
91882
|
"xmlsoap",
|
|
91845
|
-
"
|
|
91846
|
-
"
|
|
91847
|
-
"
|
|
91848
|
-
"
|
|
91849
|
-
"
|
|
91850
|
-
"
|
|
91851
|
-
"email",
|
|
91852
|
-
"into",
|
|
91853
|
-
"common",
|
|
91854
|
-
"roles",
|
|
91855
|
-
"string",
|
|
91856
|
-
"array",
|
|
91857
|
-
"each",
|
|
91883
|
+
"their",
|
|
91884
|
+
"assigned",
|
|
91885
|
+
"next",
|
|
91886
|
+
"expressions",
|
|
91887
|
+
"groups",
|
|
91888
|
+
"attribute",
|
|
91858
91889
|
"global",
|
|
91859
|
-
"
|
|
91860
|
-
"configuring",
|
|
91861
|
-
"example",
|
|
91862
|
-
"integrations",
|
|
91863
|
-
"applications",
|
|
91864
|
-
"azure",
|
|
91865
|
-
"jumpcloud"
|
|
91890
|
+
"example"
|
|
91866
91891
|
]
|
|
91867
91892
|
}
|
|
91868
91893
|
},
|
|
@@ -95229,7 +95254,7 @@
|
|
|
95229
95254
|
"page-1216",
|
|
95230
95255
|
"page-1218",
|
|
95231
95256
|
"page-1230",
|
|
95232
|
-
"page-
|
|
95257
|
+
"page-1246",
|
|
95233
95258
|
"page-1253",
|
|
95234
95259
|
"page-1268"
|
|
95235
95260
|
],
|
|
@@ -96138,7 +96163,7 @@
|
|
|
96138
96163
|
"page-1144",
|
|
96139
96164
|
"page-1145",
|
|
96140
96165
|
"page-1146",
|
|
96141
|
-
"page-
|
|
96166
|
+
"page-1247"
|
|
96142
96167
|
],
|
|
96143
96168
|
"upgrade": [
|
|
96144
96169
|
"page-0003",
|
|
@@ -96283,7 +96308,9 @@
|
|
|
96283
96308
|
"page-1177",
|
|
96284
96309
|
"page-1193",
|
|
96285
96310
|
"page-1194",
|
|
96286
|
-
"page-1218"
|
|
96311
|
+
"page-1218",
|
|
96312
|
+
"page-1239",
|
|
96313
|
+
"page-1249"
|
|
96287
96314
|
],
|
|
96288
96315
|
"your": [
|
|
96289
96316
|
"page-0004",
|
|
@@ -96505,6 +96532,9 @@
|
|
|
96505
96532
|
"page-1227",
|
|
96506
96533
|
"page-1230",
|
|
96507
96534
|
"page-1237",
|
|
96535
|
+
"page-1239",
|
|
96536
|
+
"page-1248",
|
|
96537
|
+
"page-1249",
|
|
96508
96538
|
"page-1261",
|
|
96509
96539
|
"page-1262",
|
|
96510
96540
|
"page-1265",
|
|
@@ -96666,7 +96696,7 @@
|
|
|
96666
96696
|
"page-0749",
|
|
96667
96697
|
"page-0885",
|
|
96668
96698
|
"page-1216",
|
|
96669
|
-
"page-
|
|
96699
|
+
"page-1247"
|
|
96670
96700
|
],
|
|
96671
96701
|
"vault": [
|
|
96672
96702
|
"page-0005",
|
|
@@ -97485,7 +97515,7 @@
|
|
|
97485
97515
|
"page-1218",
|
|
97486
97516
|
"page-1225",
|
|
97487
97517
|
"page-1230",
|
|
97488
|
-
"page-
|
|
97518
|
+
"page-1246",
|
|
97489
97519
|
"page-1257"
|
|
97490
97520
|
],
|
|
97491
97521
|
"environments": [
|
|
@@ -97504,14 +97534,15 @@
|
|
|
97504
97534
|
"page-0044",
|
|
97505
97535
|
"page-0050",
|
|
97506
97536
|
"page-1216",
|
|
97507
|
-
"page-1243"
|
|
97508
|
-
"page-1249"
|
|
97537
|
+
"page-1243"
|
|
97509
97538
|
],
|
|
97510
97539
|
"roles": [
|
|
97511
97540
|
"page-0005",
|
|
97512
97541
|
"page-0013",
|
|
97513
97542
|
"page-1216",
|
|
97543
|
+
"page-1239",
|
|
97514
97544
|
"page-1242",
|
|
97545
|
+
"page-1249",
|
|
97515
97546
|
"page-1257"
|
|
97516
97547
|
],
|
|
97517
97548
|
"troubleshooting": [
|
|
@@ -97531,7 +97562,7 @@
|
|
|
97531
97562
|
"page-1198",
|
|
97532
97563
|
"page-1199",
|
|
97533
97564
|
"page-1240",
|
|
97534
|
-
"page-
|
|
97565
|
+
"page-1247",
|
|
97535
97566
|
"page-1250",
|
|
97536
97567
|
"page-1273"
|
|
97537
97568
|
],
|
|
@@ -98851,7 +98882,7 @@
|
|
|
98851
98882
|
"page-1231",
|
|
98852
98883
|
"page-1234",
|
|
98853
98884
|
"page-1239",
|
|
98854
|
-
"page-
|
|
98885
|
+
"page-1247",
|
|
98855
98886
|
"page-1248",
|
|
98856
98887
|
"page-1249"
|
|
98857
98888
|
],
|
|
@@ -99279,7 +99310,7 @@
|
|
|
99279
99310
|
"page-1214",
|
|
99280
99311
|
"page-1221",
|
|
99281
99312
|
"page-1227",
|
|
99282
|
-
"page-
|
|
99313
|
+
"page-1247",
|
|
99283
99314
|
"page-1272"
|
|
99284
99315
|
],
|
|
99285
99316
|
"chat": [
|
|
@@ -101594,6 +101625,7 @@
|
|
|
101594
101625
|
"page-0148",
|
|
101595
101626
|
"page-0745",
|
|
101596
101627
|
"page-0979",
|
|
101628
|
+
"page-1239",
|
|
101597
101629
|
"page-1241",
|
|
101598
101630
|
"page-1242",
|
|
101599
101631
|
"page-1244",
|
|
@@ -103540,7 +103572,9 @@
|
|
|
103540
103572
|
"page-0870",
|
|
103541
103573
|
"page-1170",
|
|
103542
103574
|
"page-1180",
|
|
103543
|
-
"page-1185"
|
|
103575
|
+
"page-1185",
|
|
103576
|
+
"page-1239",
|
|
103577
|
+
"page-1249"
|
|
103544
103578
|
],
|
|
103545
103579
|
"(this": [
|
|
103546
103580
|
"page-0045",
|
|
@@ -103702,7 +103736,7 @@
|
|
|
103702
103736
|
"page-1161",
|
|
103703
103737
|
"page-1203",
|
|
103704
103738
|
"page-1236",
|
|
103705
|
-
"page-
|
|
103739
|
+
"page-1246",
|
|
103706
103740
|
"page-1260"
|
|
103707
103741
|
],
|
|
103708
103742
|
"other": [
|
|
@@ -103796,7 +103830,9 @@
|
|
|
103796
103830
|
"page-0062"
|
|
103797
103831
|
],
|
|
103798
103832
|
"inside": [
|
|
103799
|
-
"page-0052"
|
|
103833
|
+
"page-0052",
|
|
103834
|
+
"page-1239",
|
|
103835
|
+
"page-1249"
|
|
103800
103836
|
],
|
|
103801
103837
|
"second": [
|
|
103802
103838
|
"page-0052",
|
|
@@ -105696,7 +105732,7 @@
|
|
|
105696
105732
|
"page-1167",
|
|
105697
105733
|
"page-1170",
|
|
105698
105734
|
"page-1219",
|
|
105699
|
-
"page-
|
|
105735
|
+
"page-1247",
|
|
105700
105736
|
"page-1248"
|
|
105701
105737
|
],
|
|
105702
105738
|
"generating": [
|
|
@@ -105854,7 +105890,9 @@
|
|
|
105854
105890
|
],
|
|
105855
105891
|
"mapping": [
|
|
105856
105892
|
"page-0100",
|
|
105857
|
-
"page-1215"
|
|
105893
|
+
"page-1215",
|
|
105894
|
+
"page-1239",
|
|
105895
|
+
"page-1249"
|
|
105858
105896
|
],
|
|
105859
105897
|
"drag": [
|
|
105860
105898
|
"page-0100",
|
|
@@ -107260,8 +107298,7 @@
|
|
|
107260
107298
|
"page-0219",
|
|
107261
107299
|
"page-0708",
|
|
107262
107300
|
"page-0754",
|
|
107263
|
-
"page-0862"
|
|
107264
|
-
"page-1249"
|
|
107301
|
+
"page-0862"
|
|
107265
107302
|
],
|
|
107266
107303
|
"container": [
|
|
107267
107304
|
"page-0154",
|
|
@@ -107320,7 +107357,7 @@
|
|
|
107320
107357
|
"page-1236",
|
|
107321
107358
|
"page-1242",
|
|
107322
107359
|
"page-1243",
|
|
107323
|
-
"page-
|
|
107360
|
+
"page-1246"
|
|
107324
107361
|
],
|
|
107325
107362
|
"base": [
|
|
107326
107363
|
"page-0157",
|
|
@@ -108401,7 +108438,7 @@
|
|
|
108401
108438
|
],
|
|
108402
108439
|
"requires": [
|
|
108403
108440
|
"page-0206",
|
|
108404
|
-
"page-
|
|
108441
|
+
"page-1247"
|
|
108405
108442
|
],
|
|
108406
108443
|
"main:": [
|
|
108407
108444
|
"page-0206"
|
|
@@ -111705,7 +111742,10 @@
|
|
|
111705
111742
|
"rules": [
|
|
111706
111743
|
"page-0616",
|
|
111707
111744
|
"page-0660",
|
|
111708
|
-
"page-0700"
|
|
111745
|
+
"page-0700",
|
|
111746
|
+
"page-1239",
|
|
111747
|
+
"page-1248",
|
|
111748
|
+
"page-1249"
|
|
111709
111749
|
],
|
|
111710
111750
|
"parser": [
|
|
111711
111751
|
"page-0617",
|
|
@@ -112002,8 +112042,7 @@
|
|
|
112002
112042
|
"page-0670"
|
|
112003
112043
|
],
|
|
112004
112044
|
"attribute": [
|
|
112005
|
-
"page-0670"
|
|
112006
|
-
"page-1249"
|
|
112045
|
+
"page-0670"
|
|
112007
112046
|
],
|
|
112008
112047
|
"restrictions": [
|
|
112009
112048
|
"page-0670",
|
|
@@ -112861,7 +112900,7 @@
|
|
|
112861
112900
|
"page-1129",
|
|
112862
112901
|
"page-1155",
|
|
112863
112902
|
"page-1168",
|
|
112864
|
-
"page-
|
|
112903
|
+
"page-1247"
|
|
112865
112904
|
],
|
|
112866
112905
|
"(beta)": [
|
|
112867
112906
|
"page-1074",
|
|
@@ -113120,7 +113159,7 @@
|
|
|
113120
113159
|
],
|
|
113121
113160
|
"deleting": [
|
|
113122
113161
|
"page-1181",
|
|
113123
|
-
"page-
|
|
113162
|
+
"page-1246"
|
|
113124
113163
|
],
|
|
113125
113164
|
"simplifying": [
|
|
113126
113165
|
"page-1181"
|
|
@@ -113756,6 +113795,10 @@
|
|
|
113756
113795
|
"(oidc)": [
|
|
113757
113796
|
"page-1238"
|
|
113758
113797
|
],
|
|
113798
|
+
"assigned": [
|
|
113799
|
+
"page-1239",
|
|
113800
|
+
"page-1249"
|
|
113801
|
+
],
|
|
113759
113802
|
"discovery": [
|
|
113760
113803
|
"page-1239"
|
|
113761
113804
|
],
|
|
@@ -113787,10 +113830,10 @@
|
|
|
113787
113830
|
"page-1249",
|
|
113788
113831
|
"page-1250"
|
|
113789
113832
|
],
|
|
113790
|
-
"
|
|
113833
|
+
"exempt": [
|
|
113791
113834
|
"page-1246"
|
|
113792
113835
|
],
|
|
113793
|
-
"
|
|
113836
|
+
"references": [
|
|
113794
113837
|
"page-1247"
|
|
113795
113838
|
],
|
|
113796
113839
|
"workforce": [
|