SSO + Zero-Day Protection for n8n

by n8n GmbH

Add SAML/OIDC SSO to n8n — Protect Workflow Automation and API Credentials

Why n8n Needs an Authenticated Proxy

n8n is a popular workflow automation platform that connects APIs, services, and databases into automated workflows. Self-hosted n8n instances store API keys, OAuth tokens, database credentials, and webhook configurations for dozens of connected services. A compromised n8n instance gives attackers access to every integrated service — Slack, GitHub, databases, CRMs, payment processors, and more. The workflow editor also enables arbitrary code execution via the Code node. OnePAM adds enterprise SSO by placing an authenticated reverse proxy in front of n8n. Users authenticate through your corporate IdP, and only verified users can access workflow automation, credentials, and execution history.

HTTP Header Authentication
X-Forwarded-User / X-n8n-User

n8n can be configured behind a trusted reverse proxy that provides the authenticated user identity via HTTP headers. OnePAM injects the verified identity, and n8n creates the session accordingly.
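Header-based identity is only as strong as the rule that nothing but the proxy can set the header. The following sketch is an added example, not n8n or OnePAM code: it shows the proxy stripping client-supplied copies of the identity headers before injecting the verified one, and a backend-side guard that ignores the header unless the connection comes from the proxy. The proxy address, host name, and function names are hypothetical.

```javascript
// Added example: identity-header handling on both sides of a trusted proxy.
// TRUSTED_PROXIES and every function name here are hypothetical.
const IDENTITY_HEADERS = ['x-forwarded-user', 'x-n8n-user'];
const TRUSTED_PROXIES = new Set(['10.0.0.5']); // constructed proxy address

// Proxy side: drop every client-supplied identity header (any casing),
// then set the header from the IdP-verified session only.
function buildUpstreamHeaders(clientHeaders, verifiedUser) {
  const out = {};
  for (const [name, value] of Object.entries(clientHeaders)) {
    const lower = name.toLowerCase();
    if (!IDENTITY_HEADERS.includes(lower)) out[lower] = value;
  }
  if (verifiedUser) out['x-forwarded-user'] = verifiedUser;
  return out;
}

// Backend side: honour the header only when the TCP peer is the proxy.
function resolveUser(peerAddress, headers) {
  if (!TRUSTED_PROXIES.has(peerAddress)) {
    return { ok: false, reason: 'untrusted-peer' };
  }
  const value = headers['x-forwarded-user'];
  // Node joins repeated custom headers with ", "; a list means ambiguity.
  if (typeof value !== 'string' || value.trim() === '' || value.includes(',')) {
    return { ok: false, reason: 'missing-or-ambiguous-identity' };
  }
  return { ok: true, user: value.trim() };
}

// Constructed request that arrives with identity headers already set.
const clientSupplied = {
  Host: 'n8n.example.internal',
  'X-Forwarded-User': 'admin@example.com',
  'X-N8N-User': 'admin@example.com',
};

function demo() {
  return {
    viaProxy: resolveUser('10.0.0.5', buildUpstreamHeaders(clientSupplied, 'alice@example.com')),
    noSession: resolveUser('10.0.0.5', buildUpstreamHeaders(clientSupplied, null)),
    direct: resolveUser('203.0.113.9', { 'x-forwarded-user': 'admin@example.com' }),
  };
}

console.log(demo());
```

The network restriction is the primary control; the peer-address check in the backend is a second layer for the case where that restriction is misconfigured.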

n8n Vulnerability Risks

Without an authenticated proxy, these risks are directly exploitable by any network-reachable attacker.

n8n Code nodes enable arbitrary JavaScript execution on the server
Credential storage contains API keys and OAuth tokens for all connected services
Webhook endpoints can be used to trigger workflows with external input
Execution history may contain sensitive data processed by workflows

Security Challenges with n8n

These are the risks organizations face when n8n is not behind an authenticated proxy.

Multi-Service Credential Store

n8n stores API keys, OAuth tokens, and database passwords for every connected service. One compromise exposes credentials for dozens of platforms.

Arbitrary Code Execution

The Code node runs JavaScript on the n8n server, so anyone who gains unauthorized access to the workflow editor can execute arbitrary commands.

Webhook Exposure

n8n webhook URLs are publicly accessible by default, allowing external triggering of workflows that may have privileged access.

Execution Data Sensitivity

Workflow execution history contains data processed from connected services, which may include PII, financial data, or credentials.

SSO Licensing

n8n's built-in SSO (SAML, LDAP) requires the Enterprise plan. Self-hosted community users have limited auth options.

Broad Integration Access

A single n8n instance connects to email, CRM, databases, cloud services, and internal APIs — maximizing the blast radius of a compromise.

How OnePAM Adds SSO + Zero-Day Protection to n8n

A step-by-step guide to deploying OnePAM's authenticated proxy in front of n8n.

1. Deploy OnePAM as n8n's Gateway

Place OnePAM in front of n8n, intercepting all web and webhook traffic.

n8n is configured to accept connections only from OnePAM. The n8n editor and execution interface are only accessible after authentication.

2. Configure Your IdP

Connect OnePAM to your SAML 2.0 or OIDC identity provider.

OnePAM handles authentication, MFA enforcement, and session management.

3. Enable Proxy Authentication

OnePAM injects the authenticated identity via HTTP headers that n8n trusts.

Users authenticate via your IdP and land in the n8n editor without a separate login. Sessions are managed by OnePAM.

4. Secure Credentials and Webhooks

Control who can view credentials, edit workflows, and configure webhook endpoints.

Automation engineers get full access, analysts get read-only execution views, and webhook endpoints get separate security policies.

5. Audit Automation Activity

Every workflow edit, execution, and credential access is logged with corporate identity.

Know who modified which workflow, triggered which execution, and accessed which credentials.

Benefits of Securing n8n with OnePAM

Measurable security and operational outcomes from deploying OnePAM in front of n8n.

Protect Integration Credentials

API keys and OAuth tokens for all connected services are behind identity-verified access.

All credentials protected

SSO for n8n Community

OnePAM provides enterprise SSO for self-hosted n8n without requiring the Enterprise plan.

Enterprise SSO for free n8n

Block Code Execution Abuse

Only authenticated users can access the workflow editor and Code nodes.

Unauthorized execution blocked

Secure Webhook Endpoints

Webhook URLs can be protected with authentication policies separate from the main UI.

Webhooks identity-gated

MFA for Automation

Require MFA before editing workflows or accessing credentials.

MFA-protected automation

Complete Automation Audit

Every workflow change and execution is logged with corporate identity.

Full audit trail

n8n SSO Capabilities

Every feature needed to provide enterprise-grade SSO and access control for n8n.

SAML 2.0 & OIDC SSO for n8n via proxy authentication
Credential access controls from IdP groups
Workflow edit and execution policies
Webhook endpoint security policies
Session recording for automation auditing
IP and geo-restriction for n8n access
Device trust verification
API access policies
Execution history access controls
Multi-n8n instance SSO support

Zero-Day Protection Features

Enterprise-grade security controls that shield n8n from exploitation.

n8n isolated from direct network access
End-to-end TLS encryption
Request-level identity verification
Code node execution restriction to authorized users
Credential vault access auditing
Automatic session termination on IdP sign-out

n8n SSO + Security Use Cases

Common scenarios where organizations deploy OnePAM in front of n8n.

1. Automation engineers building workflows via corporate SSO with MFA
2. Business analysts viewing execution results with read-only access
3. Security teams auditing workflow credentials and execution history
4. Restricting Code node access to senior engineers
5. Protecting n8n webhook endpoints from unauthorized triggering
6. Providing enterprise SSO without upgrading to n8n Enterprise

n8n SSO + Security FAQ

Common questions about deploying OnePAM's authenticated proxy for n8n.

Does OnePAM work with self-hosted n8n community edition?

Yes. OnePAM provides enterprise SSO at the proxy layer, working with all n8n editions including the free self-hosted community version.

Can we protect n8n webhook endpoints?

Yes. OnePAM supports path-based policies. Webhook endpoints can require authentication, specific IP ranges, or tokens while the main UI uses SSO.

Does OnePAM affect n8n's internal workflow execution?

No. OnePAM protects user-facing access (editor, API, webhooks). Internal workflow execution between nodes is unaffected.

Can we restrict who can use Code nodes?

OnePAM controls who can access n8n. Combined with n8n's role-based features, you can restrict workflow editing capabilities to specific user groups.

What about n8n's built-in user management?

OnePAM's proxy authentication can replace or complement n8n's built-in user management, providing centralized identity management from your corporate IdP.
