From 28a4e2c418be6b398be8f76eceeeb25982117ebb Mon Sep 17 00:00:00 2001
From: Stephen Wright
Date: Tue, 14 Oct 2025 10:18:32 +0100
Subject: [PATCH] feat: Add new env vars for sso provisioning configuration (#20749)
---
 .../@n8n/config/src/configs/sso.config.ts | 32 +++++++++++++++++++
 packages/@n8n/config/test/config.test.ts | 8 +++++
 2 files changed, 40 insertions(+)
diff --git a/packages/@n8n/config/src/configs/sso.config.ts b/packages/@n8n/config/src/configs/sso.config.ts
index 919d04cb30c..c5ef6f6ea96 100644
--- a/packages/@n8n/config/src/configs/sso.config.ts
+++ b/packages/@n8n/config/src/configs/sso.config.ts
@@ -1,5 +1,7 @@
 import { Config, Env, Nested } from '../decorators';
+type ScopesProvisioningFrequency = 'never' | 'first_login' | 'every_login';
+
 @Config
 class SamlConfig {
 /** Whether to enable SAML SSO. */
@@ -27,6 +29,33 @@ class LdapConfig {
 loginLabel: string = '';
 }
+@Config
+class ProvisioningConfig {
+ /** Whether to provision the instance role from an SSO auth claim */
+ @Env('N8N_SSO_SCOPES_PROVISION_INSTANCE_ROLE')
+ scopesProvisionInstanceRole: boolean = false;
+
+ /** Whether to provision the project <> role mappings from an SSO auth claim */
+ @Env('N8N_SSO_SCOPES_PROVISION_PROJECT_ROLES')
+ scopesProvisionProjectRoles: boolean = false;
+
+ /** How often to trigger provisioning, never, fist login, or every login */
+ @Env('N8N_SSO_SCOPES_PROVISIONING_FREQUENCY')
+ scopesProvisioningFrequency: ScopesProvisioningFrequency = 'never';
+
+ /** The name of scope to request on oauth flows */
+ @Env('N8N_SSO_SCOPES_NAME')
+ scopesName: string = 'n8n';
+
+ /** The name of the expected claim to be returned for provisioning instance role */
+ @Env('N8N_SSO_SCOPES_INSTANCE_ROLE_CLAIM_NAME')
+ scopesInstanceRoleClaimName: string = 'n8n_instance_role';
+
+ /** The name of the expected claim to be returned for provisioning project <> role mappings */
+ @Env('N8N_SSO_SCOPES_PROJECTS_ROLES_CLAIM_NAME')
+ scopesProjectsRolesClaimName: string = 'n8n_projects';
+}
+
 @Config
 export class SsoConfig {
 /** Whether to create users when they log in via SSO. */
@@ -45,4 +74,7 @@ export class SsoConfig {
 @Nested
 ldap: LdapConfig;
+
+ @Nested
+ provisioning: ProvisioningConfig;
 }
diff --git a/packages/@n8n/config/test/config.test.ts b/packages/@n8n/config/test/config.test.ts
index 623f3ae6b3f..f820a72b32e 100644
--- a/packages/@n8n/config/test/config.test.ts
+++ b/packages/@n8n/config/test/config.test.ts
@@ -368,6 +368,14 @@ describe('GlobalConfig', () => {
 loginEnabled: false,
 loginLabel: '',
 },
+ provisioning: {
+ scopesProvisionInstanceRole: false,
+ scopesProvisionProjectRoles: false,
+ scopesProvisioningFrequency: 'never',
+ scopesName: 'n8n',
+ scopesInstanceRoleClaimName: 'n8n_instance_role',
+ scopesProjectsRolesClaimName: 'n8n_projects',
+ },
 },
 redis: {
 prefix: 'n8n',
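Review bot: `scopesProvisioningFrequency` in `ProvisioningConfig` is typed as `ScopesProvisioningFrequency`, but that union is erased at compile time, so nothing visible in this hunk stops `N8N_SSO_SCOPES_PROVISIONING_FREQUENCY=every-login` (or any other string) from being loaded unchanged. Because this value gates whether instance and project roles are assigned from IdP claims, an unrecognised value should fail at startup rather than reach the consumer, where a comparison such as `!== 'never'` would treat it as enabled. If `@Env` accepts a validation schema as a second argument (its signature is not shown in this diff), pass one restricted to the three literals; otherwise validate at the point where the config is read. The doc comment on the same field has a typo, `fist login` should read `first login`, and the comments on the two claim-name fields should state that the claim contents are trusted for role assignment and must therefore be controlled by the IdP, not by the user.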
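Review bot: The expected-config object in `config.test.ts` pins only the defaults for `provisioning`; no case in this hunk sets `N8N_SSO_SCOPES_PROVISIONING_FREQUENCY` or the two boolean flags from the environment. Since these settings decide whether roles are taken from SSO claims, a test that loads an unsupported frequency value and asserts the outcome (rejection, or fallback to `'never'`) would document the intended behaviour. The surrounding `describe` block starts and ends outside the hunk, so an existing override test elsewhere in the file may be the right place for it.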