Merged · Size: XL
Change breakdown: Feature 65%, Refactor 35%

#28024 feat(editor): Refactor role provisioning to two-dropdown layout

SSO role provisioning split into two dropdowns

n8n users configuring SSO can now choose role assignment and mapping method as separate steps, with expression validation that catches syntax errors before saving.

SSO role provisioning settings in n8n have been reorganized. Instead of one dropdown that required users to parse role assignment and mapping method from a single list, two separate dropdowns now break the decision into clear steps: first choose how roles are assigned (manually in n8n, instance roles via SSO, or both instance and project roles via SSO), then — when appropriate — choose how those claims are mapped (directly from the IdP or via rules defined in n8n).

Expression inputs now validate syntax in real time. When an expression is invalid, the border turns red and text appears in red; valid expressions show a green border. This prevents configuration errors from being saved and simplifies troubleshooting.

The change is part of a broader initiative to improve n8n's SSO configuration experience. The two-dropdown layout matches the approved Figma design, and the expression validation addresses a gap where users could enter malformed expressions without immediate feedback.

Original GitHub Description

Summary

Refactors the single "User role provisioning" dropdown into a two-dropdown layout matching the approved Figma design. This is PR 4 of 4 for IAM-397, tracked as IAM-521.

What this PR does:

  • Splits the single "User role provisioning" dropdown into two separate selects:
    1. Role assignment — Assigned manually in n8n / Instance roles via SSO / Instance and project roles via SSO
    2. Role mapping method (conditional, hidden when manual) — Map rules on your IdP / Map rules inside n8n
  • Dropdown options show rich content (title + description) in the popup
  • Shows an info callout when "Map rules on your IdP" is selected
  • Shows only instance rule editor when "Instance roles via SSO" + "Map rules inside n8n" is selected
  • Shows both instance + project rule editors when "Instance and project roles via SSO" + "Map rules inside n8n" is selected
  • Adds scopesUseExpressionMapping to the frontend ProvisioningConfig type
  • Uses a project-rules-presence heuristic to recover the first dropdown's value when loading config with expression mapping active
  • Removes N8N_ENV_FEAT_ROLE_MAPPING_RULES feature flag gating
  • Adds comprehensive tests for the conversion logic and heuristic

Frontend-only change — backend already has scopesUseExpressionMapping field.

How to test manually

  1. Go to Settings → SSO → configure SAML or OIDC
  2. In the "Role assignment" card, verify:
    • "Assigned manually in n8n" — no second dropdown, no rule editor, no bottom border
    • "Instance roles via SSO" — second dropdown appears ("Role mapping method")
      • "Map rules on your IdP" → info callout shown
      • "Map rules inside n8n" → instance rule editor only (no project section)
    • "Instance and project roles via SSO" — second dropdown appears
      • "Map rules on your IdP" → info callout shown
      • "Map rules inside n8n" → both instance + project rule editors shown
  3. Click into each dropdown — options should show bold title + grey description text
  4. Verify selects are 280px wide, medium height, aligned with copy inputs
  5. Save settings and reload — dropdowns should restore to the correct values
  6. Test with expression mapping + only instance rules saved → should show "Instance roles via SSO"
  7. Test with expression mapping + project rules saved → should show "Instance and project roles via SSO"

Key decisions for reviewers

  • Two dropdowns map to three boolean flags: scopesProvisionInstanceRole, scopesProvisionProjectRoles, scopesUseExpressionMapping. When expression mapping is active, both scopes booleans are false (mutually exclusive backend code paths). See IAM-521 ticket for the full state matrix.
  • Project rules heuristic — When scopesUseExpressionMapping=true, both scopes booleans are false, making "instance" vs "instance+project" indistinguishable from config alone. The frontend checks whether project-type rules exist in the DB to infer the user's intent. Documented in useUserRoleProvisioningForm.ts and the IAM-521 ticket.
  • Legacy formValue computed — The old single-value type (UserRoleProvisioningSetting) is kept as a computed for backward compatibility with ConfirmProvisioningDialog and telemetry. The two-dropdown refs (roleAssignment, mappingMethod) are the source of truth.
  • RoleMappingRuleEditor.showProjectRules prop — Controls whether the project rules section renders, driven by roleAssignment === 'instance_and_project' from the parent form.

Related Linear tickets, Github issues, and Community forum posts

https://linear.app/n8n/issue/IAM-521
https://linear.app/n8n/issue/IAM-397

Review / Merge checklist

  • PR title and summary are descriptive. (conventions)
  • Docs updated or follow-up ticket created.
  • Tests included.
  • PR Labeled with release/backport (if the PR is an urgent fix that needs to be backported)
  • I have seen this code, I have run this code, and I take responsibility for this code.
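
The flag mapping and project-rules heuristic described under "Key decisions for reviewers", as an added TypeScript sketch that is not code from the n8n repository. The three flag names, `roleAssignment`, `mappingMethod` and `'instance_and_project'` come from the PR text; the other option values, the function names, the flag values for the "Map rules on your IdP" rows, and the choice to throw on combinations the dropdowns cannot represent are assumptions, since the full state matrix lives in the IAM-521 ticket.

```typescript
// Added illustration; not code from the n8n repository.
// Only 'instance_and_project' is a value quoted in the PR; the rest are hypothetical.
type RoleAssignment = 'manual' | 'instance' | 'instance_and_project';
type MappingMethod = 'idp' | 'rules_in_n8n';

interface ProvisioningFlags {
  scopesProvisionInstanceRole: boolean;
  scopesProvisionProjectRoles: boolean;
  scopesUseExpressionMapping: boolean;
}

// Two dropdowns -> three backend flags.
function toFlags(roleAssignment: RoleAssignment, mappingMethod: MappingMethod): ProvisioningFlags {
  const flags: ProvisioningFlags = {
    scopesProvisionInstanceRole: false,
    scopesProvisionProjectRoles: false,
    scopesUseExpressionMapping: false,
  };
  if (roleAssignment === 'manual') return flags; // mapping method is hidden and ignored
  if (mappingMethod === 'rules_in_n8n') {
    // Per the PR: with expression mapping active, both scopes booleans stay false.
    flags.scopesUseExpressionMapping = true;
    return flags;
  }
  // Assumed rows for "Map rules on your IdP".
  flags.scopesProvisionInstanceRole = true;
  flags.scopesProvisionProjectRoles = roleAssignment === 'instance_and_project';
  return flags;
}

// Three flags (+ whether project-type rules exist) -> two dropdowns.
function fromFlags(
  f: ProvisioningFlags,
  hasProjectRules: boolean,
): { roleAssignment: RoleAssignment; mappingMethod: MappingMethod | null } {
  const anyScope = f.scopesProvisionInstanceRole || f.scopesProvisionProjectRoles;
  if (f.scopesUseExpressionMapping) {
    // The PR calls these code paths mutually exclusive; refuse a mixed config (example choice).
    if (anyScope) throw new Error('expression mapping combined with scopes provisioning');
    // Heuristic from the PR: the flags alone cannot tell the two SSO options apart.
    return { roleAssignment: hasProjectRules ? 'instance_and_project' : 'instance', mappingMethod: 'rules_in_n8n' };
  }
  if (!anyScope) return { roleAssignment: 'manual', mappingMethod: null };
  // Project roles without the instance role has no dropdown equivalent (example choice: reject).
  if (!f.scopesProvisionInstanceRole) throw new Error('unrepresentable flag combination');
  return { roleAssignment: f.scopesProvisionProjectRoles ? 'instance_and_project' : 'instance', mappingMethod: 'idp' };
}
```

Under this heuristic, "Instance and project roles via SSO" with "Map rules inside n8n" saved before any project rule exists reloads as "Instance roles via SSO", which matches manual test step 6.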