SAML Authentication - Required Role Feature

The idea is:

Add an option for the SAML implementation to leverage a specific attribute to control whether a user is authorized to log in to n8n or not. For instance, if a user has the value “n8n_user” in their attribute “eduPersonEntitlement”, then they are allowed to log in to n8n. Otherwise, they get “Access Denied”. This is applicable to OIDC as well if n8n is exploring it as another SSO mechanism.

My use case:

Currently there is no mechanism to restrict who should have access to n8n via SSO. In large deployments, we need a way to have SSO configured with an option to specify if we want to restrict access based on the presence of a value in an additional attribute the admin specifies.

I think it would be beneficial to add this because:

Currently, any admin who configures SAML cannot restrict who should access n8n. As such, there is no AuthZ mechanism to support the SAML implementation at the relying party side. To get around this issue, we have to add additional software before the web server to intercept the AuthN request and block anyone who does not have a specific value in a released attribute.
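The following is an added illustration of the attribute gate described above; it is example code, not part of the request or of n8n's own SAML implementation. It assumes the SAML library has already verified the assertion signature and extracted the attribute statement into a plain map (most libraries expose such a map), and that the admin supplies the attribute name and accepted values through two hypothetical environment variables, `SSO_REQUIRED_ATTRIBUTE` and `SSO_REQUIRED_VALUES`. The sample assertions are constructed. The check runs after authentication and before a session is created, which is the relying-party-side AuthZ step the text says is missing today.

```typescript
// Added example, not n8n code. Assumes signature verification has already
// happened and attributes arrive as a map; names and env vars are hypothetical.

type AttributeMap = { [name: string]: string | string[] | undefined };

interface RequiredAttributeRule {
  attribute: string;        // e.g. "eduPersonEntitlement"
  acceptedValues: string[]; // any one of these grants access
  caseSensitive?: boolean;  // default true: entitlement values are usually exact strings
}

interface AuthzDecision {
  allowed: boolean;
  reason: string;           // short, log-friendly explanation for the audit trail
}

// Flatten a single-valued, multi-valued or ';'-delimited attribute into a clean list.
function normalizeValues(raw: string | string[] | undefined): string[] {
  if (raw === undefined) return [];
  const list = Array.isArray(raw) ? raw : [raw];
  const out: string[] = [];
  for (let i = 0; i < list.length; i++) {
    const parts = list[i].split(";");
    for (let j = 0; j < parts.length; j++) {
      const v = parts[j].trim();
      if (v.length > 0) out.push(v);
    }
  }
  return out;
}

// Deny by default: a missing attribute or an attribute with no accepted value is a denial.
function authorizeByAttribute(attrs: AttributeMap, rule: RequiredAttributeRule): AuthzDecision {
  const present = normalizeValues(attrs[rule.attribute]);
  if (present.length === 0) {
    return { allowed: false, reason: `attribute "${rule.attribute}" missing from assertion` };
  }
  const fold = (s: string) => (rule.caseSensitive === false ? s.toLowerCase() : s);
  const accepted = rule.acceptedValues.map(fold);
  for (let i = 0; i < present.length; i++) {
    if (accepted.indexOf(fold(present[i])) !== -1) {
      return { allowed: true, reason: `attribute "${rule.attribute}" contains "${present[i]}"` };
    }
  }
  return {
    allowed: false,
    reason: `attribute "${rule.attribute}" present (${present.length} value(s)) but none is accepted`,
  };
}

// Hypothetical admin configuration. Returning null means the feature is off and
// behaviour stays as it is today (any authenticated SSO user is let in).
function ruleFromEnv(env: { [k: string]: string | undefined }): RequiredAttributeRule | null {
  const attribute = env.SSO_REQUIRED_ATTRIBUTE;
  const values = env.SSO_REQUIRED_VALUES;
  if (!attribute || !values) return null;
  const acceptedValues = values.split(",").map((v) => v.trim()).filter((v) => v.length > 0);
  if (acceptedValues.length === 0) return null;
  return { attribute: attribute, acceptedValues: acceptedValues };
}

// Constructed sample attribute maps, standing in for what an IdP might release.
const sampleAttributes: { [label: string]: AttributeMap } = {
  allowed:    { mail: "alice@example.org", eduPersonEntitlement: ["urn:mace:example.org:other", "n8n_user"] },
  wrongValue: { mail: "bob@example.org",   eduPersonEntitlement: "n8n_viewer" },
  missing:    { mail: "carol@example.org" },
  delimited:  { mail: "dave@example.org",  eduPersonEntitlement: "foo; n8n_user ;bar" },
};

const rule: RequiredAttributeRule = { attribute: "eduPersonEntitlement", acceptedValues: ["n8n_user"] };

const labels = Object.keys(sampleAttributes);
for (let i = 0; i < labels.length; i++) {
  const d = authorizeByAttribute(sampleAttributes[labels[i]], rule);
  console.log(`${labels[i]}: ${d.allowed ? "ALLOW" : "DENY"} (${d.reason})`);
}
```

The decision carries a reason string so that denials can be logged with the attribute name and value count but without echoing every released value, which keeps the audit log useful without leaking unrelated attributes. A deny-by-default rule (missing attribute means denied) matters because an IdP that stops releasing the attribute should fail closed, not open.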

Any resources to support this?

Are you willing to work on this?

Yes.