Support authnRequestsSigned to be set as true when integrating with SAML SSO

The idea is:

Our company is planning to deploy n8n, but our InfoSec team requires us to integrate with SSO before going live.

During the integration test, we encountered the error message:
ERR_METADATA_CONFLICT_REQUEST_SIGNED_FLAG.

We noticed that the IdP metadata XML has WantAuthnRequestsSigned="true". We are unsure whether we also need to set authnRequestsSigned to true in n8n’s SAML config.

We tried setting authnRequestsSigned to true, but then ran into another issue saying “This is not a private key”. After some research, it seems n8n currently does not support configuring a private key for SAML AuthnRequest signing, so this problem appears unresolved.

As a result, we are blocked on this integration. Could anyone please advise how to properly handle this? Any guidance or workarounds would be greatly appreciated.

Thank you!

My use case:

Our team is a platform team, and we need to deploy the n8n product company-wide to enable easy agent setup.

I think it would be beneficial to add this because:

SSO integration is important for company-wide usage.

Any resources to support this?

Are you willing to work on this?

Yes

Hi @Huan_Li,

Thanks for reaching out and for your feedback on our SAML SSO integration.

You’re right that n8n currently doesn’t support configuring a private key for signed SAML AuthnRequests, which is needed when your IdP has WantAuthnRequestsSigned="true". I appreciate this might not be possible, but could you disable the requirement for this in your IdP? That’s the only workaround we have right now.

While it’s not something we’re actively working on right now, it’s on our radar and I’ve added it to our issue tracker. We may consider looking into it in the next quarter or two but we can’t offer a firm commitment at this stage.

Thanks.

We resolved this issue by setting WantAuthnRequestsSigned=false on the IdP side, but SSO still has an issue caused by AllowCreate being empty in the SSO SAML template. So we have to hack the template file in the Docker file to set it to true to make it work.
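
A pre-flight check for the two conditions reported in this thread, added here as an example; it is not n8n's code and not part of any post above. It assumes the HTTP-POST binding, where the signature is embedded in the AuthnRequest XML, and the metadata and request samples are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
XS_BOOLEAN = {"true", "false", "1", "0"}

# Constructed sample inputs (not taken from a real IdP or from n8n).
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.test/metadata">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_constructed1" Version="2.0" IssueInstant="2025-01-01T00:00:00Z">
  <samlp:NameIDPolicy AllowCreate=""/>
</samlp:AuthnRequest>"""


def _parse(xml_text):
    # Refuse DTDs so entity declarations in a supplied file are never expanded.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not allowed in SAML XML")
    return ET.fromstring(xml_text)


def preflight(idp_metadata_xml, authn_request_xml):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    idp = _parse(idp_metadata_xml).find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        return ["metadata has no IDPSSODescriptor"]
    wants_signed = idp.get("WantAuthnRequestsSigned", "false").strip() in ("true", "1")
    req = _parse(authn_request_xml)
    # An enveloped signature is a direct ds:Signature child of the AuthnRequest.
    is_signed = req.find("ds:Signature", NS) is not None
    if wants_signed and not is_signed:
        findings.append("IdP sets WantAuthnRequestsSigned=true but the AuthnRequest is unsigned")
    policy = req.find("samlp:NameIDPolicy", NS)
    if policy is not None and "AllowCreate" in policy.attrib:
        value = policy.get("AllowCreate")
        if value not in XS_BOOLEAN:
            findings.append("NameIDPolicy AllowCreate=%r is not a valid xs:boolean" % value)
    return findings


if __name__ == "__main__":
    for finding in preflight(SAMPLE_IDP_METADATA, SAMPLE_AUTHN_REQUEST):
        print("FINDING:", finding)
```

With the HTTP-Redirect binding the signature travels in the query string rather than in the XML, so the unsigned-request finding applies only to POST-binding requests.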