Merged
Size: M
Change Breakdown: Feature 80%, Config 20%
#28185 feat(core): Configure OIDC settings via env vars

OIDC SSO settings now configurable via environment variables

System administrators can now lock OIDC connection settings to environment variables, keeping sensitive credentials out of the database and enabling automated, infrastructure-as-code deployments.

Organizations running n8n in containerized or automated environments often need to manage all configuration through code rather than clicking through a UI. Previously, OIDC SSO settings could only be configured through the web interface — a friction point for teams treating infrastructure as immutable or managing multiple environments programmatically.

SSO connection settings can now be defined entirely through environment variables. Eight new variables control client credentials, discovery endpoints, authentication flows, and user role provisioning. When enabled via N8N_SSO_MANAGED_BY_ENV, these settings are applied on every startup and the UI is locked to prevent conflicts.

This matters for two audiences: security-conscious teams can pass the client secret via a file path rather than embedding it in a database, and DevOps engineers can spin up n8n instances with SSO pre-configured without manual intervention.

In the CLI package, a new OidcInstanceSettingsLoader service reads the environment on startup, validates the configuration against a Zod schema, and upserts the settings into the database. The frontend receives a flag indicating env-based management is active and disables all form inputs accordingly. A warning banner informs users that changes must be made through environment variables and a server restart.

View Original GitHub Description

Summary

Configure OIDC via environment variables.

N8N_SSO_MANAGED_BY_ENV
N8N_SSO_USER_ROLE_PROVISIONING
N8N_SSO_OIDC_CLIENT_ID
N8N_SSO_OIDC_CLIENT_SECRET
N8N_SSO_OIDC_DISCOVERY_ENDPOINT
N8N_SSO_OIDC_LOGIN_ENABLED
N8N_SSO_OIDC_PROMPT
N8N_SSO_OIDC_ACR_VALUES

Note: it is recommended to pass in the client secret via the _FILE method: N8N_SSO_OIDC_CLIENT_SECRET_FILE=/mnt/oidc-client-secret

Related Linear tickets, Github issues, and Community forum posts

Review / Merge checklist

  • PR title and summary are descriptive. (conventions)
  • Docs updated or follow-up ticket created.
  • Tests included.
  • PR Labeled with Backport to Beta, Backport to Stable, or Backport to v1 (if the PR is an urgent fix that needs to be backported)
  • I have seen this code, I have run this code, and I take responsibility for this code.
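
A pre-start check for the variables listed in the description above, added here as an example; it is not part of the PR or of n8n's code. It flags an inline client secret, a secret file readable by group or other, and a non-HTTPS discovery endpoint. Assumptions: the function name `check_oidc_env` is hypothetical, `true` is taken to be the enabling value of `N8N_SSO_MANAGED_BY_ENV`, and the HTTPS and file-mode rules are this example's own policy.

```shell
#!/bin/sh
# Pre-start check for the OIDC variables named in the PR description.
# Assumptions of this example (not n8n code): "true" enables
# N8N_SSO_MANAGED_BY_ENV; the https and file-mode rules are local policy.
check_oidc_env() {
    findings=0
    fail() { echo "oidc-env: $1" >&2; findings=$((findings + 1)); }

    # Nothing to verify when env-managed SSO is not switched on.
    [ "${N8N_SSO_MANAGED_BY_ENV:-}" = "true" ] || return 0

    [ -n "${N8N_SSO_OIDC_CLIENT_ID:-}" ] || fail "N8N_SSO_OIDC_CLIENT_ID is empty"

    # The discovery document names the token endpoint that receives the
    # client secret, so it should not be fetched over plaintext HTTP.
    case "${N8N_SSO_OIDC_DISCOVERY_ENDPOINT:-}" in
        https://?*) ;;
        *) fail "N8N_SSO_OIDC_DISCOVERY_ENDPOINT must be an https:// URL" ;;
    esac

    # An inline secret shows up in `docker inspect` and /proc/<pid>/environ;
    # the PR description recommends the _FILE form instead.
    [ -z "${N8N_SSO_OIDC_CLIENT_SECRET:-}" ] ||
        fail "secret set inline; use N8N_SSO_OIDC_CLIENT_SECRET_FILE"

    f="${N8N_SSO_OIDC_CLIENT_SECRET_FILE:-}"
    if [ -z "$f" ]; then
        [ -n "${N8N_SSO_OIDC_CLIENT_SECRET:-}" ] || fail "no client secret configured"
    elif [ ! -f "$f" ] || [ ! -s "$f" ]; then
        fail "secret file '$f' is missing or empty"
    else
        # Characters 5-10 of `ls -l` output are the group/other permission bits.
        mode=$(ls -ld -- "$f" | cut -c5-10)
        [ "$mode" = "------" ] || fail "secret file '$f' is accessible to group/other"
    fi

    # Return value is the number of findings (0 means the check passed).
    return "$findings"
}
```

Call it from the container entrypoint before starting n8n and abort on a non-zero return.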