From 5c1f63705ecb3d3e0a8c0eb02c9b11701781314d Mon Sep 17 00:00:00 2001
From: Csaba Tuncsik <csaba@n8n.io>
Date: Mon, 20 Mar 2023 17:03:38 +0100
Subject: [PATCH 01/25] feat(editor): SSO settings page

---
 .../src/components/SettingsSidebar.vue        | 16 +++++++++
 packages/editor-ui/src/constants.ts           |  1 +
 .../src/plugins/i18n/locales/en.json          |  6 +++-
 packages/editor-ui/src/plugins/icons.ts       |  2 ++
 packages/editor-ui/src/router.ts              | 32 ++++++++++++++++++
 packages/editor-ui/src/stores/sso.ts          |  1 +
 packages/editor-ui/src/views/SettingsSso.vue  | 33 +++++++++++++++++++
 7 files changed, 90 insertions(+), 1 deletion(-)
 create mode 100644 packages/editor-ui/src/views/SettingsSso.vue

diff --git a/packages/editor-ui/src/components/SettingsSidebar.vue b/packages/editor-ui/src/components/SettingsSidebar.vue
index 02dfe188bf1ed..bd9c380a1ad28 100644
--- a/packages/editor-ui/src/components/SettingsSidebar.vue
+++ b/packages/editor-ui/src/components/SettingsSidebar.vue
@@ -74,6 +74,14 @@ export default mixins(userHelpers, pushConnection).extend({
 					available: this.canAccessApiSettings(),
 					activateOnRouteNames: [VIEWS.API_SETTINGS],
 				},
+				{
+					id: 'settings-sso',
+					icon: 'user-lock',
+					label: this.$locale.baseText('settings.sso'),
+					position: 'top',
+					available: this.canAccessSso(),
+					activateOnRouteNames: [VIEWS.SSO_SETTINGS],
+				},
 				{
 					id: 'settings-ldap',
 					icon: 'network-wired',
@@ -143,6 +151,9 @@ export default mixins(userHelpers, pushConnection).extend({
 		canAccessUsageAndPlan(): boolean {
 			return this.canUserAccessRouteByName(VIEWS.USAGE);
 		},
+		canAccessSso(): boolean {
+			return this.canUserAccessRouteByName(VIEWS.SSO_SETTINGS);
+		},
 		onVersionClick() {
 			this.uiStore.openModal(ABOUT_MODAL_KEY);
 		},
@@ -191,6 +202,11 @@ export default mixins(userHelpers, pushConnection).extend({
 						this.$router.push({ name: VIEWS.USAGE });
 					}
 					break;
+				case 'settings-sso':
+					if (this.$router.currentRoute.name !== VIEWS.SSO_SETTINGS) {
+						this.$router.push({ name: VIEWS.SSO_SETTINGS });
+					}
+					break;
 				default:
 					break;
 			}
diff --git a/packages/editor-ui/src/constants.ts b/packages/editor-ui/src/constants.ts
index a7e2e4b597671..1e33ebf0951d4 100644
--- a/packages/editor-ui/src/constants.ts
+++ b/packages/editor-ui/src/constants.ts
@@ -386,6 +386,7 @@ export enum VIEWS {
 	WORKFLOW_EXECUTIONS = 'WorkflowExecutions',
 	USAGE = 'Usage',
 	LOG_STREAMING_SETTINGS = 'LogStreamingSettingsView',
+	SSO_SETTINGS = 'SSoSettings',
 }
 
 export enum FAKE_DOOR_FEATURES {
diff --git a/packages/editor-ui/src/plugins/i18n/locales/en.json b/packages/editor-ui/src/plugins/i18n/locales/en.json
index 9345cbf838bf5..df4301fcd9703 100644
--- a/packages/editor-ui/src/plugins/i18n/locales/en.json
+++ b/packages/editor-ui/src/plugins/i18n/locales/en.json
@@ -1693,7 +1693,11 @@
 	"settings.ldap.form.searchTimeout.label": "Search Timeout (Seconds)",
 	"settings.ldap.form.searchTimeout.infoText": "The timeout value for queries to the AD/LDAP server. Increase if you are getting timeout errors caused by a slow AD/LDAP server",
 	"settings.ldap.section.synchronization.title": "Synchronization",
-
+	"settings.sso": "SSO",
+	"settings.sso.title": "Single Sign On",
+	"settings.sso.subtitle": "SAML 2.0",
+	"settings.sso.info": "SAML SSO (Security Assertion Markup Language Single Sign-On) is a type of authentication process that enables users to access multiple applications with a single set of login credentials. {link}",
+	"settings.sso.info.link": "More info.",
 	"sso.login.divider": "or",
 	"sso.login.button": "Continue with SSO"
 }
diff --git a/packages/editor-ui/src/plugins/icons.ts b/packages/editor-ui/src/plugins/icons.ts
index 3d67c20fc2d42..8c0a82d4db008 100644
--- a/packages/editor-ui/src/plugins/icons.ts
+++ b/packages/editor-ui/src/plugins/icons.ts
@@ -125,6 +125,7 @@ import {
 	faVideo,
 	faTree,
 	faStickyNote as faSolidStickyNote,
+	faUserLock,
 } from '@fortawesome/free-solid-svg-icons';
 import { faStickyNote } from '@fortawesome/free-regular-svg-icons';
 import { FontAwesomeIcon } from '@fortawesome/vue-fontawesome';
@@ -258,5 +259,6 @@ addIcon(faUserFriends);
 addIcon(faUsers);
 addIcon(faVideo);
 addIcon(faTree);
+addIcon(faUserLock);
 
 Vue.component('font-awesome-icon', FontAwesomeIcon);
diff --git a/packages/editor-ui/src/router.ts b/packages/editor-ui/src/router.ts
index 3b007a32853d8..2b44adc37fb19 100644
--- a/packages/editor-ui/src/router.ts
+++ b/packages/editor-ui/src/router.ts
@@ -34,7 +34,9 @@ import { RouteConfigSingleView } from 'vue-router/types/router';
 import { VIEWS } from './constants';
 import { useSettingsStore } from './stores/settings';
 import { useTemplatesStore } from './stores/templates';
+import { useSSOStore } from './stores/sso';
 import SettingsUsageAndPlanVue from './views/SettingsUsageAndPlan.vue';
+import SettingsSso from './views/SettingsSso.vue';
 import SignoutView from '@/views/SignoutView.vue';
 
 Vue.use(Router);
@@ -563,6 +565,36 @@ const router = new Router({
 						},
 					},
 				},
+				{
+					path: 'sso',
+					name: VIEWS.SSO_SETTINGS,
+					components: {
+						settingsView: SettingsSso,
+					},
+					meta: {
+						telemetry: {
+							pageCategory: 'settings',
+							getProperties(route: Route) {
+								return {
+									feature: 'sso',
+								};
+							},
+						},
+						permissions: {
+							allow: {
+								loginStatus: [LOGIN_STATUS.LoggedIn],
+								role: [ROLE.Owner],
+							},
+							deny: {
+								role: [ROLE.Default],
+								shouldDeny: () => {
+									const ssoStore = useSSOStore();
+									return !ssoStore.isEnterpriseSamlEnabled;
+								},
+							},
+						},
+					},
+				},
 				{
 					path: 'log-streaming',
 					name: VIEWS.LOG_STREAMING_SETTINGS,
diff --git a/packages/editor-ui/src/stores/sso.ts b/packages/editor-ui/src/stores/sso.ts
index 52779c4608c7d..1fbe43867833f 100644
--- a/packages/editor-ui/src/stores/sso.ts
+++ b/packages/editor-ui/src/stores/sso.ts
@@ -36,6 +36,7 @@ export const useSSOStore = defineStore('sso', () => {
 	return {
 		isLoading,
 		setLoading,
+		isEnterpriseSamlEnabled,
 		showSsoLoginButton,
 		getSSORedirectUrl,
 	};
diff --git a/packages/editor-ui/src/views/SettingsSso.vue b/packages/editor-ui/src/views/SettingsSso.vue
new file mode 100644
index 0000000000000..3dae525cd4577
--- /dev/null
+++ b/packages/editor-ui/src/views/SettingsSso.vue
@@ -0,0 +1,33 @@
+<script lang="ts" setup>
+import { useSSOStore } from '@/stores/sso';
+import { i18n as locale } from '@/plugins/i18n';
+
+const ssoStore = useSSOStore();
+</script>
+
+<template>
+	<div>
+		<n8n-heading size="2xlarge">{{ locale.baseText('settings.sso.title') }}</n8n-heading>
+		<div>
+			<n8n-heading :class="$style.subtitle" size="medium">{{
+				locale.baseText('settings.sso.subtitle')
+			}}</n8n-heading>
+		</div>
+		<n8n-info-tip>
+			<i18n :class="$style.count" path="settings.sso.info">
+				<template #link>
+					<a href="https://docs.n8n.io/user-management/sso/" target="_blank">
+						{{ locale.baseText('settings.sso.info.link') }}
+					</a>
+				</template>
+			</i18n>
+		</n8n-info-tip>
+	</div>
+</template>
+
+<style lang="scss" module>
+.subtitle {
+	display: block;
+	padding: var(--spacing-2xl) 0 var(--spacing-m);
+}
+</style>

From 47772e913bfef856179427f1028059619104b057 Mon Sep 17 00:00:00 2001
From: Csaba Tuncsik <csaba@n8n.io>
Date: Wed, 22 Mar 2023 14:17:33 +0100
Subject: [PATCH 02/25] feat(editor): SSO settings page

---
 .../src/sso/saml/routes/saml.controller.ee.ts |  1 -
 .../cli/src/sso/saml/views/initSsoRedirect.ts | 12 ---
 packages/editor-ui/src/Interface.ts           | 36 +++++++++
 packages/editor-ui/src/api/sso.ts             | 28 ++++++-
 .../src/plugins/i18n/locales/en.json          |  4 +
 packages/editor-ui/src/stores/sso.ts          | 38 +++++++++-
 packages/editor-ui/src/utils/typeHelpers.ts   |  1 +
 packages/editor-ui/src/views/SettingsSso.vue  | 74 +++++++++++++++++--
 8 files changed, 170 insertions(+), 24 deletions(-)
 delete mode 100644 packages/cli/src/sso/saml/views/initSsoRedirect.ts
 create mode 100644 packages/editor-ui/src/utils/typeHelpers.ts

diff --git a/packages/cli/src/sso/saml/routes/saml.controller.ee.ts b/packages/cli/src/sso/saml/routes/saml.controller.ee.ts
index d5cc9969d2621..536ee38cafdd1 100644
--- a/packages/cli/src/sso/saml/routes/saml.controller.ee.ts
+++ b/packages/cli/src/sso/saml/routes/saml.controller.ee.ts
@@ -10,7 +10,6 @@ import { SamlService } from '../saml.service.ee';
 import { SamlConfiguration } from '../types/requests';
 import { AuthError, BadRequestError } from '../../../ResponseHelper';
 import { getInitSSOFormView } from '../views/initSsoPost';
-import { getInitSSOPostView } from '../views/initSsoRedirect';
 import { issueCookie } from '../../../auth/jwt';
 import { validate } from 'class-validator';
 import type { PostBindingContext } from 'samlify/types/src/entity';
diff --git a/packages/cli/src/sso/saml/views/initSsoRedirect.ts b/packages/cli/src/sso/saml/views/initSsoRedirect.ts
deleted file mode 100644
index 56db9ce0838d7..0000000000000
--- a/packages/cli/src/sso/saml/views/initSsoRedirect.ts
+++ /dev/null
@@ -1,12 +0,0 @@
-import type { BindingContext } from 'samlify/types/src/entity';
-
-export function getInitSSOPostView(context: BindingContext): string {
-	return `
-  <html></html>
-  <script type="text/javascript">
-    // Automatic redirect
-    (function(){
-        location.href = "${context.context}";
-    })();
-  </script>`;
-}
diff --git a/packages/editor-ui/src/Interface.ts b/packages/editor-ui/src/Interface.ts
index d0394414a20f9..22cde852dd909 100644
--- a/packages/editor-ui/src/Interface.ts
+++ b/packages/editor-ui/src/Interface.ts
@@ -37,6 +37,7 @@ import {
 import { SignInType } from './constants';
 import { FAKE_DOOR_FEATURES, TRIGGER_NODE_FILTER, REGULAR_NODE_FILTER } from './constants';
 import { BulkCommand, Undoable } from '@/models/history';
+import { PartialBy } from '@/utils/typeHelpers';
 
 export * from 'n8n-design-system/types';
 
@@ -1455,3 +1456,38 @@ export type NodeAuthenticationOption = {
 	value: string;
 	displayOptions?: IDisplayOptions;
 };
+
+export type SamlAttributeMapping = {
+	email: string;
+	firstName: string;
+	lastName: string;
+	userPrincipalName: string;
+};
+
+export type SamlLoginBinding = 'post' | 'redirect';
+
+export type SamlSignatureConfig = {
+	prefix: 'ds';
+	location: {
+		reference: '/samlp:Response/saml:Issuer';
+		action: 'after';
+	};
+};
+
+export type SamlPreferencesLoginEnabled = {
+	loginEnabled: boolean;
+};
+
+export type SamlPreferences = {
+	mapping?: SamlAttributeMapping;
+	metadata?: string;
+	metadataUrl?: string;
+	ignoreSSL?: boolean;
+	loginBinding?: SamlLoginBinding;
+	acsBinding?: SamlLoginBinding;
+	authnRequestsSigned?: boolean;
+	loginLabel?: string;
+	wantAssertionsSigned?: boolean;
+	wantMessageSigned?: boolean;
+	signatureConfig?: SamlSignatureConfig;
+} & PartialBy<SamlPreferencesLoginEnabled, 'loginEnabled'>;
diff --git a/packages/editor-ui/src/api/sso.ts b/packages/editor-ui/src/api/sso.ts
index 5019335d35eb3..c154839482431 100644
--- a/packages/editor-ui/src/api/sso.ts
+++ b/packages/editor-ui/src/api/sso.ts
@@ -1,6 +1,32 @@
 import { makeRestApiRequest } from '@/utils';
-import { IRestApiContext } from '@/Interface';
+import { IRestApiContext, SamlPreferencesLoginEnabled, SamlPreferences } from '@/Interface';
 
 export const initSSO = (context: IRestApiContext): Promise<string> => {
 	return makeRestApiRequest(context, 'GET', '/sso/saml/initsso');
 };
+
+export const getSamlMetadata = (context: IRestApiContext): Promise<string> => {
+	return makeRestApiRequest(context, 'GET', '/sso/saml/metadata');
+};
+
+export const getSamlConfig = (context: IRestApiContext): Promise<SamlPreferences> => {
+	return makeRestApiRequest(context, 'GET', '/sso/saml/config');
+};
+
+export const saveSamlConfig = (
+	context: IRestApiContext,
+	data: SamlPreferences,
+): Promise<SamlPreferences | undefined> => {
+	return makeRestApiRequest(context, 'POST', '/sso/saml/config', data);
+};
+
+export const toggleSamlConfig = (
+	context: IRestApiContext,
+	data: SamlPreferencesLoginEnabled,
+): Promise<void> => {
+	return makeRestApiRequest(context, 'POST', '/sso/saml/config/toggle', data);
+};
+
+export const testSamlConfig = (context: IRestApiContext): Promise<void> => {
+	return makeRestApiRequest(context, 'GET', '/sso/saml/config/test');
+};
diff --git a/packages/editor-ui/src/plugins/i18n/locales/en.json b/packages/editor-ui/src/plugins/i18n/locales/en.json
index df4301fcd9703..dbec626dd48e2 100644
--- a/packages/editor-ui/src/plugins/i18n/locales/en.json
+++ b/packages/editor-ui/src/plugins/i18n/locales/en.json
@@ -1698,6 +1698,10 @@
 	"settings.sso.subtitle": "SAML 2.0",
 	"settings.sso.info": "SAML SSO (Security Assertion Markup Language Single Sign-On) is a type of authentication process that enables users to access multiple applications with a single set of login credentials. {link}",
 	"settings.sso.info.link": "More info.",
+	"settings.sso.activated": "Activated",
+	"settings.sso.deactivated": "Deactivated",
+	"settings.sso.settings.test": "Test settings",
+	"settings.sso.settings.save": "Save settings",
 	"sso.login.divider": "or",
 	"sso.login.button": "Continue with SSO"
 }
diff --git a/packages/editor-ui/src/stores/sso.ts b/packages/editor-ui/src/stores/sso.ts
index 1fbe43867833f..229bf99ec4316 100644
--- a/packages/editor-ui/src/stores/sso.ts
+++ b/packages/editor-ui/src/stores/sso.ts
@@ -1,9 +1,10 @@
-import { computed, reactive } from 'vue';
+import { computed, reactive, ref } from 'vue';
 import { defineStore } from 'pinia';
 import { EnterpriseEditionFeature } from '@/constants';
 import { useRootStore } from '@/stores/n8nRootStore';
 import { useSettingsStore } from '@/stores/settings';
-import { initSSO } from '@/api/sso';
+import * as ssoApi from '@/api/sso';
+import { SamlPreferences } from '@/Interface';
 
 export const useSSOStore = defineStore('sso', () => {
 	const rootStore = useRootStore();
@@ -19,7 +20,22 @@ export const useSSOStore = defineStore('sso', () => {
 		state.loading = loading;
 	};
 
-	const isSamlLoginEnabled = computed(() => settingsStore.isSamlLoginEnabled);
+	const isSamlLoginEnabled = computed({
+		get: () => settingsStore.isSamlLoginEnabled,
+		set: (value: boolean) => {
+			settingsStore.setSettings({
+				...settingsStore.settings,
+				sso: {
+					...settingsStore.settings.sso,
+					saml: {
+						...settingsStore.settings.sso.saml,
+						loginEnabled: value,
+					},
+				},
+			});
+			toggleLoginEnabled(value);
+		},
+	});
 	const isEnterpriseSamlEnabled = computed(() =>
 		settingsStore.isEnterpriseFeatureEnabled(EnterpriseEditionFeature.Saml),
 	);
@@ -31,13 +47,27 @@ export const useSSOStore = defineStore('sso', () => {
 			isDefaultAuthenticationSaml.value,
 	);
 
-	const getSSORedirectUrl = () => initSSO(rootStore.getRestApiContext);
+	const getSSORedirectUrl = () => ssoApi.initSSO(rootStore.getRestApiContext);
+
+	const toggleLoginEnabled = (enabled: boolean) =>
+		ssoApi.toggleSamlConfig(rootStore.getRestApiContext, { loginEnabled: enabled });
+
+	const getSamlMetadata = () => ssoApi.getSamlMetadata(rootStore.getRestApiContext);
+	const getSamlConfig = () => ssoApi.getSamlConfig(rootStore.getRestApiContext);
+	const saveSamlConfig = (config: SamlPreferences) =>
+		ssoApi.saveSamlConfig(rootStore.getRestApiContext, config);
+	const testSamlConfig = () => ssoApi.testSamlConfig(rootStore.getRestApiContext);
 
 	return {
 		isLoading,
 		setLoading,
+		isSamlLoginEnabled,
 		isEnterpriseSamlEnabled,
 		showSsoLoginButton,
 		getSSORedirectUrl,
+		getSamlMetadata,
+		getSamlConfig,
+		saveSamlConfig,
+		testSamlConfig,
 	};
 });
diff --git a/packages/editor-ui/src/utils/typeHelpers.ts b/packages/editor-ui/src/utils/typeHelpers.ts
new file mode 100644
index 0000000000000..ce7e0b412773a
--- /dev/null
+++ b/packages/editor-ui/src/utils/typeHelpers.ts
@@ -0,0 +1 @@
+export type PartialBy<T, K extends keyof T> = Omit<T, K> & Partial<Pick<T, K>>;
diff --git a/packages/editor-ui/src/views/SettingsSso.vue b/packages/editor-ui/src/views/SettingsSso.vue
index 3dae525cd4577..bf29ab9881781 100644
--- a/packages/editor-ui/src/views/SettingsSso.vue
+++ b/packages/editor-ui/src/views/SettingsSso.vue
@@ -1,17 +1,51 @@
 <script lang="ts" setup>
+import { computed, ref } from 'vue';
 import { useSSOStore } from '@/stores/sso';
 import { i18n as locale } from '@/plugins/i18n';
 
 const ssoStore = useSSOStore();
+
+const ssoActivatedLabel = computed(() =>
+	ssoStore.isSamlLoginEnabled
+		? locale.baseText('settings.sso.activated')
+		: locale.baseText('settings.sso.deactivated'),
+);
+
+const ssoSettingsSaved = ref(false);
+const metadata = ref('');
+
+const onSave = async () => {
+	try {
+		await ssoStore.saveSamlConfig({ metadata: metadata.value });
+		ssoSettingsSaved.value = true;
+	} catch (error) {
+		console.error(error);
+	}
+};
+
+const onTest = () => {
+	console.log('test');
+};
 </script>
 
 <template>
 	<div>
 		<n8n-heading size="2xlarge">{{ locale.baseText('settings.sso.title') }}</n8n-heading>
-		<div>
-			<n8n-heading :class="$style.subtitle" size="medium">{{
-				locale.baseText('settings.sso.subtitle')
-			}}</n8n-heading>
+		<div :class="$style.top">
+			<n8n-heading size="medium">{{ locale.baseText('settings.sso.subtitle') }}</n8n-heading>
+			<n8n-tooltip :disabled="ssoStore.isSamlLoginEnabled">
+				<template #content>
+					<span>
+						{{ locale.baseText('settings.sso.activation.tooltip') }}
+					</span>
+				</template>
+				<el-switch
+					v-model="ssoStore.isSamlLoginEnabled"
+					:disabled="!ssoSettingsSaved && !ssoStore.isSamlLoginEnabled"
+					:class="$style.switch"
+					:inactive-text="ssoActivatedLabel"
+				/>
+			</n8n-tooltip>
 		</div>
 		<n8n-info-tip>
 			<i18n :class="$style.count" path="settings.sso.info">
@@ -22,12 +56,40 @@ const ssoStore = useSSOStore();
 				</template>
 			</i18n>
 		</n8n-info-tip>
+		<div :class="$style.buttons">
+			<n8n-button type="tertiary" @click="onTest">
+				{{ locale.baseText('settings.sso.settings.test') }}
+			</n8n-button>
+			<n8n-button @click="onSave">
+				{{ locale.baseText('settings.sso.settings.save') }}
+			</n8n-button>
+		</div>
 	</div>
 </template>
 
 <style lang="scss" module>
-.subtitle {
-	display: block;
+.top {
+	display: flex;
+	align-items: center;
+	justify-content: space-between;
 	padding: var(--spacing-2xl) 0 var(--spacing-m);
 }
+
+.switch {
+	span {
+		font-size: var(--font-size-2xs);
+		font-weight: var(--font-weight-bold);
+		color: var(--color-text-light);
+	}
+}
+
+.buttons {
+	display: flex;
+	justify-content: flex-start;
+	padding: var(--spacing-xl) 0 0;
+
+	button {
+		margin: 0 var(--spacing-s) 0 0;
+	}
+}
 </style>

From bc6fcee3b123f408db4dbbf6d2b6963479b76890 Mon Sep 17 00:00:00 2001
From: Csaba Tuncsik <csaba@n8n.io>
Date: Wed, 22 Mar 2023 14:36:14 +0100
Subject: [PATCH 03/25] feat(editor): SSO settings page

---
 .../src/plugins/i18n/locales/en.json          |  6 ++++
 packages/editor-ui/src/views/SettingsSso.vue  | 32 ++++++++++++++++++-
 2 files changed, 37 insertions(+), 1 deletion(-)

diff --git a/packages/editor-ui/src/plugins/i18n/locales/en.json b/packages/editor-ui/src/plugins/i18n/locales/en.json
index dbec626dd48e2..b1f0d51e3eafe 100644
--- a/packages/editor-ui/src/plugins/i18n/locales/en.json
+++ b/packages/editor-ui/src/plugins/i18n/locales/en.json
@@ -1700,6 +1700,12 @@
 	"settings.sso.info.link": "More info.",
 	"settings.sso.activated": "Activated",
 	"settings.sso.deactivated": "Deactivated",
+	"settings.sso.settings.redirectUrl.label": "Redirect URL",
+	"settings.sso.settings.redirectUrl.help": "Save the Redirect URL as you’ll need it to configure these in the SAML provider’s settings.",
+	"settings.sso.settings.entityId.label": "Entity ID",
+	"settings.sso.settings.entityId.help": "Save the Entity URL as you’ll need it to configure these in the SAML provider’s settings.",
+	"settings.sso.settings.ips.label": "Identity Provider Settings",
+	"settings.sso.settings.ips.help": "Add the raw Metadata XML provided by your Identity Provider",
 	"settings.sso.settings.test": "Test settings",
 	"settings.sso.settings.save": "Save settings",
 	"sso.login.divider": "or",
diff --git a/packages/editor-ui/src/views/SettingsSso.vue b/packages/editor-ui/src/views/SettingsSso.vue
index bf29ab9881781..4ccebb3a75344 100644
--- a/packages/editor-ui/src/views/SettingsSso.vue
+++ b/packages/editor-ui/src/views/SettingsSso.vue
@@ -2,6 +2,7 @@
 import { computed, ref } from 'vue';
 import { useSSOStore } from '@/stores/sso';
 import { i18n as locale } from '@/plugins/i18n';
+import CopyInput from '@/components/CopyInput.vue';
 
 const ssoStore = useSSOStore();
 
@@ -13,6 +14,8 @@ const ssoActivatedLabel = computed(() =>
 
 const ssoSettingsSaved = ref(false);
 const metadata = ref('');
+const redirectUrl = ref('');
+const entityId = ref('');
 
 const onSave = async () => {
 	try {
@@ -56,6 +59,29 @@ const onTest = () => {
 				</template>
 			</i18n>
 		</n8n-info-tip>
+		<div :class="$style.group">
+			<label>{{ locale.baseText('settings.sso.settings.redirectUrl.label') }}</label>
+			<CopyInput
+				:value="redirectUrl"
+				:copy-button-text="locale.baseText('generic.clickToCopy')"
+				:toast-title="locale.baseText('settings.api.view.copy.toast')"
+			/>
+			<span>{{ locale.baseText('settings.sso.settings.redirectUrl.help') }}</span>
+		</div>
+		<div :class="$style.group">
+			<label>{{ locale.baseText('settings.sso.settings.entityId.label') }}</label>
+			<CopyInput
+				:value="entityId"
+				:copy-button-text="locale.baseText('generic.clickToCopy')"
+				:toast-title="locale.baseText('settings.api.view.copy.toast')"
+			/>
+			<span>{{ locale.baseText('settings.sso.settings.entityId.help') }}</span>
+		</div>
+		<div :class="$style.group">
+			<label>{{ locale.baseText('settings.sso.settings.ips.label') }}</label>
+			<n8n-input v-model="metadata" type="textarea" />
+			<span>{{ locale.baseText('settings.sso.settings.ips.help') }}</span>
+		</div>
 		<div :class="$style.buttons">
 			<n8n-button type="tertiary" @click="onTest">
 				{{ locale.baseText('settings.sso.settings.test') }}
@@ -86,10 +112,14 @@ const onTest = () => {
 .buttons {
 	display: flex;
 	justify-content: flex-start;
-	padding: var(--spacing-xl) 0 0;
+	padding: var(--spacing-2xl) 0 0;
 
 	button {
 		margin: 0 var(--spacing-s) 0 0;
 	}
 }
+
+.group {
+	padding: var(--spacing-2xl) 0 0;
+}
 </style>

From 9dd767957501fba1741d875d9149d8f1ceec2269 Mon Sep 17 00:00:00 2001
From: Csaba Tuncsik <csaba@n8n.io>
Date: Wed, 22 Mar 2023 16:55:06 +0100
Subject: [PATCH 04/25] feat(editor): SSO settings page

---
 .../src/plugins/i18n/locales/en.json          |  2 ++
 packages/editor-ui/src/views/SettingsSso.vue  | 28 +++++++++++++++----
 2 files changed, 24 insertions(+), 6 deletions(-)

diff --git a/packages/editor-ui/src/plugins/i18n/locales/en.json b/packages/editor-ui/src/plugins/i18n/locales/en.json
index b1f0d51e3eafe..a417b0727e25b 100644
--- a/packages/editor-ui/src/plugins/i18n/locales/en.json
+++ b/packages/editor-ui/src/plugins/i18n/locales/en.json
@@ -1701,8 +1701,10 @@
 	"settings.sso.activated": "Activated",
 	"settings.sso.deactivated": "Deactivated",
 	"settings.sso.settings.redirectUrl.label": "Redirect URL",
+	"settings.sso.settings.redirectUrl.copied": "Redirect URL copied to clipboard",
 	"settings.sso.settings.redirectUrl.help": "Save the Redirect URL as you’ll need it to configure these in the SAML provider’s settings.",
 	"settings.sso.settings.entityId.label": "Entity ID",
+	"settings.sso.settings.entityId.copied": "Entity ID copied to clipboard",
 	"settings.sso.settings.entityId.help": "Save the Entity URL as you’ll need it to configure these in the SAML provider’s settings.",
 	"settings.sso.settings.ips.label": "Identity Provider Settings",
 	"settings.sso.settings.ips.help": "Add the raw Metadata XML provided by your Identity Provider",
diff --git a/packages/editor-ui/src/views/SettingsSso.vue b/packages/editor-ui/src/views/SettingsSso.vue
index 4ccebb3a75344..c8ab671ebd5d9 100644
--- a/packages/editor-ui/src/views/SettingsSso.vue
+++ b/packages/editor-ui/src/views/SettingsSso.vue
@@ -62,25 +62,27 @@ const onTest = () => {
 		<div :class="$style.group">
 			<label>{{ locale.baseText('settings.sso.settings.redirectUrl.label') }}</label>
 			<CopyInput
+				:class="$style.copyInput"
 				:value="redirectUrl"
 				:copy-button-text="locale.baseText('generic.clickToCopy')"
-				:toast-title="locale.baseText('settings.api.view.copy.toast')"
+				:toast-title="locale.baseText('settings.sso.settings.redirectUrl.copied')"
 			/>
-			<span>{{ locale.baseText('settings.sso.settings.redirectUrl.help') }}</span>
+			<small>{{ locale.baseText('settings.sso.settings.redirectUrl.help') }}</small>
 		</div>
 		<div :class="$style.group">
 			<label>{{ locale.baseText('settings.sso.settings.entityId.label') }}</label>
 			<CopyInput
+				:class="$style.copyInput"
 				:value="entityId"
 				:copy-button-text="locale.baseText('generic.clickToCopy')"
-				:toast-title="locale.baseText('settings.api.view.copy.toast')"
+				:toast-title="locale.baseText('settings.sso.settings.entityId.copied')"
 			/>
-			<span>{{ locale.baseText('settings.sso.settings.entityId.help') }}</span>
+			<small>{{ locale.baseText('settings.sso.settings.entityId.help') }}</small>
 		</div>
 		<div :class="$style.group">
 			<label>{{ locale.baseText('settings.sso.settings.ips.label') }}</label>
 			<n8n-input v-model="metadata" type="textarea" />
-			<span>{{ locale.baseText('settings.sso.settings.ips.help') }}</span>
+			<small>{{ locale.baseText('settings.sso.settings.ips.help') }}</small>
 		</div>
 		<div :class="$style.buttons">
 			<n8n-button type="tertiary" @click="onTest">
@@ -120,6 +122,20 @@ const onTest = () => {
 }
 
 .group {
-	padding: var(--spacing-2xl) 0 0;
+	padding: var(--spacing-xl) 0 0;
+
+	label {
+		display: inline-block;
+		font-size: var(--font-size-s);
+		font-weight: var(--font-weight-bold);
+		padding: 0 0 var(--spacing-2xs);
+	}
+
+	small {
+		display: block;
+		padding: var(--spacing-2xs) 0 0;
+		font-size: var(--font-size-2xs);
+		color: var(--color-text-base);
+	}
 }
 </style>

From f659b3bca644f59a0a18dfec5799a5a284991c84 Mon Sep 17 00:00:00 2001
From: Csaba Tuncsik <csaba@n8n.io>
Date: Wed, 22 Mar 2023 21:57:21 +0100
Subject: [PATCH 05/25] feat(editor): SSO settings page

---
 packages/editor-ui/src/views/SettingsSso.vue | 45 ++++++++++++++++----
 1 file changed, 36 insertions(+), 9 deletions(-)

diff --git a/packages/editor-ui/src/views/SettingsSso.vue b/packages/editor-ui/src/views/SettingsSso.vue
index c8ab671ebd5d9..16d678d097ac3 100644
--- a/packages/editor-ui/src/views/SettingsSso.vue
+++ b/packages/editor-ui/src/views/SettingsSso.vue
@@ -1,5 +1,6 @@
 <script lang="ts" setup>
-import { computed, ref } from 'vue';
+import { computed, ref, onBeforeMount } from 'vue';
+import { Notification } from 'element-ui';
 import { useSSOStore } from '@/stores/sso';
 import { i18n as locale } from '@/plugins/i18n';
 import CopyInput from '@/components/CopyInput.vue';
@@ -13,22 +14,48 @@ const ssoActivatedLabel = computed(() =>
 );
 
 const ssoSettingsSaved = ref(false);
-const metadata = ref('');
-const redirectUrl = ref('');
-const entityId = ref('');
+const metadata = ref();
+const redirectUrl = ref();
+const entityId = ref();
 
 const onSave = async () => {
 	try {
 		await ssoStore.saveSamlConfig({ metadata: metadata.value });
 		ssoSettingsSaved.value = true;
 	} catch (error) {
-		console.error(error);
+		Notification.error({
+			title: 'Error',
+			message: error.message,
+			position: 'bottom-right',
+		});
 	}
 };
 
-const onTest = () => {
-	console.log('test');
+const onTest = async () => {
+	try {
+		await ssoStore.testSamlConfig();
+	} catch (error) {
+		Notification.error({
+			title: 'Error',
+			message: error.message,
+			position: 'bottom-right',
+		});
+	}
 };
+
+onBeforeMount(async () => {
+	try {
+		const config = await ssoStore.getSamlConfig();
+		metadata.value = config.metadata;
+		ssoSettingsSaved.value = !!config.metadata;
+	} catch (error) {
+		Notification.error({
+			title: 'Error',
+			message: error.message,
+			position: 'bottom-right',
+		});
+	}
+});
 </script>
 
 <template>
@@ -44,7 +71,7 @@ const onTest = () => {
 				</template>
 				<el-switch
 					v-model="ssoStore.isSamlLoginEnabled"
-					:disabled="!ssoSettingsSaved && !ssoStore.isSamlLoginEnabled"
+					:disabled="!ssoSettingsSaved"
 					:class="$style.switch"
 					:inactive-text="ssoActivatedLabel"
 				/>
@@ -100,7 +127,7 @@ const onTest = () => {
 	display: flex;
 	align-items: center;
 	justify-content: space-between;
-	padding: var(--spacing-2xl) 0 var(--spacing-m);
+	padding: var(--spacing-2xl) 0 var(--spacing-xl);
 }
 
 .switch {

From 438cb67b28f53b6d4a39ef6a89907d89fd017a05 Mon Sep 17 00:00:00 2001
From: Csaba Tuncsik <csaba@n8n.io>
Date: Wed, 22 Mar 2023 22:03:05 +0100
Subject: [PATCH 06/25] feat(editor): SSO settings page

---
 packages/editor-ui/src/api/sso.ts            | 2 +-
 packages/editor-ui/src/views/SettingsSso.vue | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/packages/editor-ui/src/api/sso.ts b/packages/editor-ui/src/api/sso.ts
index c154839482431..8927c3305a706 100644
--- a/packages/editor-ui/src/api/sso.ts
+++ b/packages/editor-ui/src/api/sso.ts
@@ -27,6 +27,6 @@ export const toggleSamlConfig = (
 	return makeRestApiRequest(context, 'POST', '/sso/saml/config/toggle', data);
 };
 
-export const testSamlConfig = (context: IRestApiContext): Promise<void> => {
+export const testSamlConfig = (context: IRestApiContext): Promise<string> => {
 	return makeRestApiRequest(context, 'GET', '/sso/saml/config/test');
 };
diff --git a/packages/editor-ui/src/views/SettingsSso.vue b/packages/editor-ui/src/views/SettingsSso.vue
index 16d678d097ac3..513d18cd89405 100644
--- a/packages/editor-ui/src/views/SettingsSso.vue
+++ b/packages/editor-ui/src/views/SettingsSso.vue
@@ -33,7 +33,8 @@ const onSave = async () => {
 
 const onTest = async () => {
 	try {
-		await ssoStore.testSamlConfig();
+		const url = await ssoStore.testSamlConfig();
+		window.open(url, '_blank');
 	} catch (error) {
 		Notification.error({
 			title: 'Error',

From 9f7aaf06d2b322b4beb800065f4b66f3afbfc0d4 Mon Sep 17 00:00:00 2001
From: Csaba Tuncsik <csaba@n8n.io>
Date: Thu, 23 Mar 2023 14:19:00 +0100
Subject: [PATCH 07/25] Merge remote-tracking branch 'origin/master' into
 pay-170-sso-set-up-page

# Conflicts:
#	packages/cli/src/sso/saml/routes/saml.controller.ee.ts
---
 packages/editor-ui/package.json              |  2 ++
 packages/editor-ui/src/Interface.ts          |  5 +++++
 packages/editor-ui/src/api/sso.ts            | 11 ++++++++---
 packages/editor-ui/src/views/SettingsSso.vue | 12 ++++++++++--
 pnpm-lock.yaml                               | 14 ++++++++++++++
 5 files changed, 39 insertions(+), 5 deletions(-)

diff --git a/packages/editor-ui/package.json b/packages/editor-ui/package.json
index 88a66e96eafa1..fa4e87680a811 100644
--- a/packages/editor-ui/package.json
+++ b/packages/editor-ui/package.json
@@ -47,6 +47,7 @@
     "codemirror-lang-html-n8n": "^1.0.0",
     "codemirror-lang-n8n-expression": "^0.2.0",
     "dateformat": "^3.0.3",
+    "dompurify": "^3.0.1",
     "esprima-next": "5.8.4",
     "fast-json-stable-stringify": "^2.1.0",
     "file-saver": "^2.0.2",
@@ -89,6 +90,7 @@
     "@testing-library/user-event": "^14.4.3",
     "@testing-library/vue": "^5.8.3",
     "@types/dateformat": "^3.0.0",
+    "@types/dompurify": "^3.0.0",
     "@types/express": "^4.17.6",
     "@types/file-saver": "^2.0.1",
     "@types/humanize-duration": "^3.27.1",
diff --git a/packages/editor-ui/src/Interface.ts b/packages/editor-ui/src/Interface.ts
index 22cde852dd909..b4e30313d286f 100644
--- a/packages/editor-ui/src/Interface.ts
+++ b/packages/editor-ui/src/Interface.ts
@@ -1491,3 +1491,8 @@ export type SamlPreferences = {
 	wantMessageSigned?: boolean;
 	signatureConfig?: SamlSignatureConfig;
 } & PartialBy<SamlPreferencesLoginEnabled, 'loginEnabled'>;
+
+export type SamlPreferencesExtractedData = {
+	entityID: string;
+	returnUrl: string;
+};
diff --git a/packages/editor-ui/src/api/sso.ts b/packages/editor-ui/src/api/sso.ts
index 8927c3305a706..430d0836285f8 100644
--- a/packages/editor-ui/src/api/sso.ts
+++ b/packages/editor-ui/src/api/sso.ts
@@ -1,15 +1,20 @@
 import { makeRestApiRequest } from '@/utils';
-import { IRestApiContext, SamlPreferencesLoginEnabled, SamlPreferences } from '@/Interface';
+import {
+	IRestApiContext,
+	SamlPreferencesLoginEnabled,
+	SamlPreferences,
+	SamlPreferencesExtractedData,
+} from '@/Interface';
 
 export const initSSO = (context: IRestApiContext): Promise<string> => {
 	return makeRestApiRequest(context, 'GET', '/sso/saml/initsso');
 };
 
-export const getSamlMetadata = (context: IRestApiContext): Promise<string> => {
+export const getSamlMetadata = (context: IRestApiContext): Promise<SamlPreferences> => {
 	return makeRestApiRequest(context, 'GET', '/sso/saml/metadata');
 };
 
-export const getSamlConfig = (context: IRestApiContext): Promise<SamlPreferences> => {
+export const getSamlConfig = (context: IRestApiContext): Promise<SamlPreferences & SamlPreferencesExtractedData> => {
 	return makeRestApiRequest(context, 'GET', '/sso/saml/config');
 };
 
diff --git a/packages/editor-ui/src/views/SettingsSso.vue b/packages/editor-ui/src/views/SettingsSso.vue
index 513d18cd89405..026ebc3c3ab05 100644
--- a/packages/editor-ui/src/views/SettingsSso.vue
+++ b/packages/editor-ui/src/views/SettingsSso.vue
@@ -1,5 +1,6 @@
 <script lang="ts" setup>
 import { computed, ref, onBeforeMount } from 'vue';
+import dompurify from 'dompurify'
 import { Notification } from 'element-ui';
 import { useSSOStore } from '@/stores/sso';
 import { i18n as locale } from '@/plugins/i18n';
@@ -12,15 +13,20 @@ const ssoActivatedLabel = computed(() =>
 		? locale.baseText('settings.sso.activated')
 		: locale.baseText('settings.sso.deactivated'),
 );
-
 const ssoSettingsSaved = ref(false);
 const metadata = ref();
 const redirectUrl = ref();
 const entityId = ref();
+const metadataSanitized = computed(() => {
+	if (!metadata.value) {
+		return '';
+	}
+	return dompurify.sanitize(metadata.value, {PARSER_MEDIA_TYPE: 'application/xhtml+xml'});
+});
 
 const onSave = async () => {
 	try {
-		await ssoStore.saveSamlConfig({ metadata: metadata.value });
+		await ssoStore.saveSamlConfig({ metadata: metadataSanitized.value });
 		ssoSettingsSaved.value = true;
 	} catch (error) {
 		Notification.error({
@@ -47,6 +53,8 @@ const onTest = async () => {
 onBeforeMount(async () => {
 	try {
 		const config = await ssoStore.getSamlConfig();
+		entityId.value = config.entityID;
+		redirectUrl.value = config.returnUrl;
 		metadata.value = config.metadata;
 		ssoSettingsSaved.value = !!config.metadata;
 	} catch (error) {
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index affaa1999f0d5..3c485818ee039 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -584,6 +584,7 @@ importers:
       '@testing-library/user-event': ^14.4.3
       '@testing-library/vue': ^5.8.3
       '@types/dateformat': ^3.0.0
+      '@types/dompurify': ^3.0.0
       '@types/express': ^4.17.6
       '@types/file-saver': ^2.0.1
       '@types/humanize-duration': ^3.27.1
@@ -602,6 +603,7 @@ importers:
       codemirror-lang-html-n8n: ^1.0.0
       codemirror-lang-n8n-expression: ^0.2.0
       dateformat: ^3.0.3
+      dompurify: ^3.0.1
       esprima-next: 5.8.4
       fast-json-stable-stringify: ^2.1.0
       file-saver: ^2.0.2
@@ -667,6 +669,7 @@ importers:
       codemirror-lang-html-n8n: 1.0.0
       codemirror-lang-n8n-expression: 0.2.0_zyklskjzaprvz25ee7sq7godcq
       dateformat: 3.0.3
+      dompurify: 3.0.1
       esprima-next: 5.8.4
       fast-json-stable-stringify: 2.1.0
       file-saver: 2.0.5
@@ -708,6 +711,7 @@ importers:
       '@testing-library/user-event': 14.4.3_7izb363m7fjrh7ob6q4a2yqaqe
       '@testing-library/vue': 5.8.3_rhqkolmkwunxzlyyxxsuwaiuri
       '@types/dateformat': 3.0.1
+      '@types/dompurify': 3.0.0
       '@types/express': 4.17.14
       '@types/file-saver': 2.0.5
       '@types/humanize-duration': 3.27.1
@@ -5556,6 +5560,12 @@ packages:
     resolution: {integrity: sha512-w5jZ0ee+HaPOaX25X2/2oGR/7rgAQSYII7X7pp0m9KgBfMP7uKfMfTvcpl5Dj+eDBbpxKGiqE+flqDr6XTd2RA==}
     dev: true
 
+  /@types/dompurify/3.0.0:
+    resolution: {integrity: sha512-EcSqmgm/xJwH8CcJPy9AHNypp/j58CYga3nWdl93/wLxX6OH+rSD3aAj75NQazcZd1YKHJ/pjNZ9qmgVajggwQ==}
+    dependencies:
+      '@types/trusted-types': 2.0.2
+    dev: true
+
   /@types/ejs/3.1.1:
     resolution: {integrity: sha512-RQul5wEfY7BjWm0sYY86cmUN/pcXWGyVxWX93DFFJvcrxax5zKlieLwA3T77xJGwNcZW0YW6CYG70p1m8xPFmA==}
     dev: true
@@ -10100,6 +10110,10 @@ packages:
     dependencies:
       domelementtype: 2.3.0
 
+  /dompurify/3.0.1:
+    resolution: {integrity: sha512-60tsgvPKwItxZZdfLmamp0MTcecCta3avOhsLgPZ0qcWt96OasFfhkeIRbJ6br5i0fQawT1/RBGB5L58/Jpwuw==}
+    dev: false
+
   /domutils/1.5.1:
     resolution: {integrity: sha512-gSu5Oi/I+3wDENBsOWBiRK1eoGxcywYSqg3rR960/+EfY0CF4EX1VPkgHOZ3WiS/Jg2DtliF6BhWcHlfpYUcGw==}
     dependencies:

From 416b6544365eea85b42848520a124b7b60c566e9 Mon Sep 17 00:00:00 2001
From: Csaba Tuncsik <csaba@n8n.io>
Date: Thu, 23 Mar 2023 14:29:07 +0100
Subject: [PATCH 08/25] feat(editor): Prevent SSO settings page route

---
 packages/editor-ui/src/router.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/packages/editor-ui/src/router.ts b/packages/editor-ui/src/router.ts
index 2b44adc37fb19..af4bbc3d79d1d 100644
--- a/packages/editor-ui/src/router.ts
+++ b/packages/editor-ui/src/router.ts
@@ -588,8 +588,9 @@ const router = new Router({
 							deny: {
 								role: [ROLE.Default],
 								shouldDeny: () => {
+									const settingsStore = useSettingsStore();
 									const ssoStore = useSSOStore();
-									return !ssoStore.isEnterpriseSamlEnabled;
+									return !ssoStore.isEnterpriseSamlEnabled || settingsStore.isCloudDeployment || settingsStore.isDesktopDeployment;
 								},
 							},
 						},

From ec3a1cc1f12a87eeaff7bed5d97898e920dcbf03 Mon Sep 17 00:00:00 2001
From: Csaba Tuncsik <csaba@n8n.io>
Date: Thu, 23 Mar 2023 14:54:11 +0100
Subject: [PATCH 09/25] feat(editor): some UI improvements

---
 packages/editor-ui/src/views/SettingsSso.vue | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/packages/editor-ui/src/views/SettingsSso.vue b/packages/editor-ui/src/views/SettingsSso.vue
index 026ebc3c3ab05..113098462582f 100644
--- a/packages/editor-ui/src/views/SettingsSso.vue
+++ b/packages/editor-ui/src/views/SettingsSso.vue
@@ -24,10 +24,18 @@ const metadataSanitized = computed(() => {
 	return dompurify.sanitize(metadata.value, {PARSER_MEDIA_TYPE: 'application/xhtml+xml'});
 });
 
+const getSamlConfig = async () => {
+	const config = await ssoStore.getSamlConfig();
+	entityId.value = config.entityID;
+	redirectUrl.value = config.returnUrl;
+	metadata.value = config.metadata;
+	ssoSettingsSaved.value = !!config.metadata;
+};
+
 const onSave = async () => {
 	try {
 		await ssoStore.saveSamlConfig({ metadata: metadataSanitized.value });
-		ssoSettingsSaved.value = true;
+		await getSamlConfig();
 	} catch (error) {
 		Notification.error({
 			title: 'Error',
@@ -52,11 +60,7 @@ const onTest = async () => {
 
 onBeforeMount(async () => {
 	try {
-		const config = await ssoStore.getSamlConfig();
-		entityId.value = config.entityID;
-		redirectUrl.value = config.returnUrl;
-		metadata.value = config.metadata;
-		ssoSettingsSaved.value = !!config.metadata;
+		await getSamlConfig();
 	} catch (error) {
 		Notification.error({
 			title: 'Error',
@@ -121,10 +125,10 @@ onBeforeMount(async () => {
 			<small>{{ locale.baseText('settings.sso.settings.ips.help') }}</small>
 		</div>
 		<div :class="$style.buttons">
-			<n8n-button type="tertiary" @click="onTest">
+			<n8n-button :disabled="!ssoSettingsSaved" type="tertiary" @click="onTest">
 				{{ locale.baseText('settings.sso.settings.test') }}
 			</n8n-button>
-			<n8n-button @click="onSave">
+			<n8n-button :disabled="!metadata" @click="onSave">
 				{{ locale.baseText('settings.sso.settings.save') }}
 			</n8n-button>
 		</div>

From fecdb065c52edf4f502fe42cb83327a994ba8b12 Mon Sep 17 00:00:00 2001
From: Csaba Tuncsik <csaba@n8n.io>
Date: Thu, 23 Mar 2023 19:50:33 +0100
Subject: [PATCH 10/25] fix(editor): SSO settings saml config optional chaining

---
 packages/editor-ui/src/api/sso.ts            |  4 +++-
 packages/editor-ui/src/views/SettingsSso.vue | 12 ++++++------
 2 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/packages/editor-ui/src/api/sso.ts b/packages/editor-ui/src/api/sso.ts
index 430d0836285f8..5fc90c8a2e4e9 100644
--- a/packages/editor-ui/src/api/sso.ts
+++ b/packages/editor-ui/src/api/sso.ts
@@ -14,7 +14,9 @@ export const getSamlMetadata = (context: IRestApiContext): Promise<SamlPreferenc
 	return makeRestApiRequest(context, 'GET', '/sso/saml/metadata');
 };
 
-export const getSamlConfig = (context: IRestApiContext): Promise<SamlPreferences & SamlPreferencesExtractedData> => {
+export const getSamlConfig = (
+	context: IRestApiContext,
+): Promise<SamlPreferences & SamlPreferencesExtractedData> => {
 	return makeRestApiRequest(context, 'GET', '/sso/saml/config');
 };
 
diff --git a/packages/editor-ui/src/views/SettingsSso.vue b/packages/editor-ui/src/views/SettingsSso.vue
index 113098462582f..0bfd65a0a99e4 100644
--- a/packages/editor-ui/src/views/SettingsSso.vue
+++ b/packages/editor-ui/src/views/SettingsSso.vue
@@ -1,6 +1,6 @@
 <script lang="ts" setup>
 import { computed, ref, onBeforeMount } from 'vue';
-import dompurify from 'dompurify'
+import dompurify from 'dompurify';
 import { Notification } from 'element-ui';
 import { useSSOStore } from '@/stores/sso';
 import { i18n as locale } from '@/plugins/i18n';
@@ -21,15 +21,15 @@ const metadataSanitized = computed(() => {
 	if (!metadata.value) {
 		return '';
 	}
-	return dompurify.sanitize(metadata.value, {PARSER_MEDIA_TYPE: 'application/xhtml+xml'});
+	return dompurify.sanitize(metadata.value, { PARSER_MEDIA_TYPE: 'application/xhtml+xml' });
 });
 
 const getSamlConfig = async () => {
 	const config = await ssoStore.getSamlConfig();
-	entityId.value = config.entityID;
-	redirectUrl.value = config.returnUrl;
-	metadata.value = config.metadata;
-	ssoSettingsSaved.value = !!config.metadata;
+	entityId.value = config?.entityID;
+	redirectUrl.value = config?.returnUrl;
+	metadata.value = config?.metadata;
+	ssoSettingsSaved.value = !!config?.metadata;
 };
 
 const onSave = async () => {

From f957815a7511a661437298141e88b7b857b8f35b Mon Sep 17 00:00:00 2001
From: Michael Auerswald <michael.auerswald@gmail.com>
Date: Wed, 29 Mar 2023 15:00:48 +0200
Subject: [PATCH 11/25] fix return values saml controller

---
 .../cli/src/sso/saml/routes/saml.controller.ee.ts    | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/packages/cli/src/sso/saml/routes/saml.controller.ee.ts b/packages/cli/src/sso/saml/routes/saml.controller.ee.ts
index 28b9d3c5223f9..a5ba82699bd0b 100644
--- a/packages/cli/src/sso/saml/routes/saml.controller.ee.ts
+++ b/packages/cli/src/sso/saml/routes/saml.controller.ee.ts
@@ -34,13 +34,13 @@ export class SamlController {
 	 * Return SAML config
 	 */
 	@Get(SamlUrls.config, { middlewares: [samlLicensedOwnerMiddleware] })
-	async configGet(req: AuthenticatedRequest, res: express.Response) {
+	async configGet() {
 		const prefs = this.samlService.samlPreferences;
-		return res.send({
+		return {
 			...prefs,
 			entityID: getServiceProviderEntityId(),
 			returnUrl: getServiceProviderReturnUrl(),
-		});
+		};
 	}
 
 	/**
@@ -48,11 +48,11 @@ export class SamlController {
 	 * Set SAML config
 	 */
 	@Post(SamlUrls.config, { middlewares: [samlLicensedOwnerMiddleware] })
-	async configPost(req: SamlConfiguration.Update, res: express.Response) {
+	async configPost(req: SamlConfiguration.Update) {
 		const validationResult = await validate(req.body);
 		if (validationResult.length === 0) {
 			const result = await this.samlService.setSamlPreferences(req.body);
-			return res.send(result);
+			return result;
 		} else {
 			throw new BadRequestError(
 				'Body is not a valid SamlPreferences object: ' +
@@ -140,7 +140,7 @@ export class SamlController {
 	private async handleInitSSO(res: express.Response) {
 		const result = this.samlService.getLoginRequestUrl();
 		if (result?.binding === 'redirect') {
-			return res.send(result.context.context);
+			return result.context.context;
 		} else if (result?.binding === 'post') {
 			return res.send(getInitSSOFormView(result.context as PostBindingContext));
 		} else {

From c9e253501b2722db6e889c5d01549dac8d715fad Mon Sep 17 00:00:00 2001
From: Csaba Tuncsik <csaba@n8n.io>
Date: Wed, 29 Mar 2023 15:16:14 +0200
Subject: [PATCH 12/25] fix(editor): drop dompurify

---
 packages/editor-ui/package.json              |  2 --
 packages/editor-ui/src/views/SettingsSso.vue |  3 +--
 pnpm-lock.yaml                               | 14 --------------
 3 files changed, 1 insertion(+), 18 deletions(-)

diff --git a/packages/editor-ui/package.json b/packages/editor-ui/package.json
index 38fe6b8a93c2a..a2330f14cbd0d 100644
--- a/packages/editor-ui/package.json
+++ b/packages/editor-ui/package.json
@@ -47,7 +47,6 @@
     "codemirror-lang-html-n8n": "^1.0.0",
     "codemirror-lang-n8n-expression": "^0.2.0",
     "dateformat": "^3.0.3",
-    "dompurify": "^3.0.1",
     "esprima-next": "5.8.4",
     "fast-json-stable-stringify": "^2.1.0",
     "file-saver": "^2.0.2",
@@ -90,7 +89,6 @@
     "@testing-library/user-event": "^14.4.3",
     "@testing-library/vue": "^5.8.3",
     "@types/dateformat": "^3.0.0",
-    "@types/dompurify": "^3.0.0",
     "@types/express": "^4.17.6",
     "@types/file-saver": "^2.0.1",
     "@types/humanize-duration": "^3.27.1",
diff --git a/packages/editor-ui/src/views/SettingsSso.vue b/packages/editor-ui/src/views/SettingsSso.vue
index 0bfd65a0a99e4..70dba2fd80e65 100644
--- a/packages/editor-ui/src/views/SettingsSso.vue
+++ b/packages/editor-ui/src/views/SettingsSso.vue
@@ -1,6 +1,5 @@
 <script lang="ts" setup>
 import { computed, ref, onBeforeMount } from 'vue';
-import dompurify from 'dompurify';
 import { Notification } from 'element-ui';
 import { useSSOStore } from '@/stores/sso';
 import { i18n as locale } from '@/plugins/i18n';
@@ -21,7 +20,7 @@ const metadataSanitized = computed(() => {
 	if (!metadata.value) {
 		return '';
 	}
-	return dompurify.sanitize(metadata.value, { PARSER_MEDIA_TYPE: 'application/xhtml+xml' });
+	return JSON.stringify(metadata.value);
 });
 
 const getSamlConfig = async () => {
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 3c485818ee039..affaa1999f0d5 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -584,7 +584,6 @@ importers:
       '@testing-library/user-event': ^14.4.3
       '@testing-library/vue': ^5.8.3
       '@types/dateformat': ^3.0.0
-      '@types/dompurify': ^3.0.0
       '@types/express': ^4.17.6
       '@types/file-saver': ^2.0.1
       '@types/humanize-duration': ^3.27.1
@@ -603,7 +602,6 @@ importers:
       codemirror-lang-html-n8n: ^1.0.0
       codemirror-lang-n8n-expression: ^0.2.0
       dateformat: ^3.0.3
-      dompurify: ^3.0.1
       esprima-next: 5.8.4
       fast-json-stable-stringify: ^2.1.0
       file-saver: ^2.0.2
@@ -669,7 +667,6 @@ importers:
       codemirror-lang-html-n8n: 1.0.0
       codemirror-lang-n8n-expression: 0.2.0_zyklskjzaprvz25ee7sq7godcq
       dateformat: 3.0.3
-      dompurify: 3.0.1
       esprima-next: 5.8.4
       fast-json-stable-stringify: 2.1.0
       file-saver: 2.0.5
@@ -711,7 +708,6 @@ importers:
       '@testing-library/user-event': 14.4.3_7izb363m7fjrh7ob6q4a2yqaqe
       '@testing-library/vue': 5.8.3_rhqkolmkwunxzlyyxxsuwaiuri
       '@types/dateformat': 3.0.1
-      '@types/dompurify': 3.0.0
       '@types/express': 4.17.14
       '@types/file-saver': 2.0.5
       '@types/humanize-duration': 3.27.1
@@ -5560,12 +5556,6 @@ packages:
     resolution: {integrity: sha512-w5jZ0ee+HaPOaX25X2/2oGR/7rgAQSYII7X7pp0m9KgBfMP7uKfMfTvcpl5Dj+eDBbpxKGiqE+flqDr6XTd2RA==}
     dev: true
 
-  /@types/dompurify/3.0.0:
-    resolution: {integrity: sha512-EcSqmgm/xJwH8CcJPy9AHNypp/j58CYga3nWdl93/wLxX6OH+rSD3aAj75NQazcZd1YKHJ/pjNZ9qmgVajggwQ==}
-    dependencies:
-      '@types/trusted-types': 2.0.2
-    dev: true
-
   /@types/ejs/3.1.1:
     resolution: {integrity: sha512-RQul5wEfY7BjWm0sYY86cmUN/pcXWGyVxWX93DFFJvcrxax5zKlieLwA3T77xJGwNcZW0YW6CYG70p1m8xPFmA==}
     dev: true
@@ -10110,10 +10100,6 @@ packages:
     dependencies:
       domelementtype: 2.3.0
 
-  /dompurify/3.0.1:
-    resolution: {integrity: sha512-60tsgvPKwItxZZdfLmamp0MTcecCta3avOhsLgPZ0qcWt96OasFfhkeIRbJ6br5i0fQawT1/RBGB5L58/Jpwuw==}
-    dev: false
-
   /domutils/1.5.1:
     resolution: {integrity: sha512-gSu5Oi/I+3wDENBsOWBiRK1eoGxcywYSqg3rR960/+EfY0CF4EX1VPkgHOZ3WiS/Jg2DtliF6BhWcHlfpYUcGw==}
     dependencies:

From d28ac3e2a9a42d06a1f9718847e49406c5717432 Mon Sep 17 00:00:00 2001
From: Csaba Tuncsik <csaba@n8n.io>
Date: Wed, 29 Mar 2023 15:25:09 +0200
Subject: [PATCH 13/25] fix(editor): save xml as is

---
 packages/editor-ui/src/views/SettingsSso.vue | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/packages/editor-ui/src/views/SettingsSso.vue b/packages/editor-ui/src/views/SettingsSso.vue
index 70dba2fd80e65..3f7f250c6c660 100644
--- a/packages/editor-ui/src/views/SettingsSso.vue
+++ b/packages/editor-ui/src/views/SettingsSso.vue
@@ -16,12 +16,6 @@ const ssoSettingsSaved = ref(false);
 const metadata = ref();
 const redirectUrl = ref();
 const entityId = ref();
-const metadataSanitized = computed(() => {
-	if (!metadata.value) {
-		return '';
-	}
-	return JSON.stringify(metadata.value);
-});
 
 const getSamlConfig = async () => {
 	const config = await ssoStore.getSamlConfig();
@@ -33,7 +27,7 @@ const getSamlConfig = async () => {
 
 const onSave = async () => {
 	try {
-		await ssoStore.saveSamlConfig({ metadata: metadataSanitized.value });
+		await ssoStore.saveSamlConfig({ metadata: metadata.value });
 		await getSamlConfig();
 	} catch (error) {
 		Notification.error({

From 2b525567084349d610450cc1e4894dadb690b953 Mon Sep 17 00:00:00 2001
From: Michael Auerswald <michael.auerswald@gmail.com>
Date: Wed, 29 Mar 2023 15:39:15 +0200
Subject: [PATCH 14/25] return authenticationMethod with settings

---
 packages/cli/src/Interfaces.ts     | 2 ++
 packages/cli/src/Server.ts         | 2 ++
 packages/cli/src/sso/ssoHelpers.ts | 5 +++++
 3 files changed, 9 insertions(+)

diff --git a/packages/cli/src/Interfaces.ts b/packages/cli/src/Interfaces.ts
index 02f15ea5182e3..a18091484092c 100644
--- a/packages/cli/src/Interfaces.ts
+++ b/packages/cli/src/Interfaces.ts
@@ -24,6 +24,7 @@ import type {
 	IExecutionsSummary,
 	FeatureFlags,
 	WorkflowSettings,
+	AuthenticationMethod,
 } from 'n8n-workflow';
 
 import type { ActiveWorkflowRunner } from '@/ActiveWorkflowRunner';
@@ -549,6 +550,7 @@ export interface IUserManagementSettings {
 	enabled: boolean;
 	showSetupOnFirstLoad?: boolean;
 	smtpSetup: boolean;
+	authenticationMethod: AuthenticationMethod;
 }
 export interface IActiveDirectorySettings {
 	enabled: boolean;
diff --git a/packages/cli/src/Server.ts b/packages/cli/src/Server.ts
index 62d7096087720..fc53dd318d561 100644
--- a/packages/cli/src/Server.ts
+++ b/packages/cli/src/Server.ts
@@ -157,6 +157,7 @@ import { getSamlLoginLabel, isSamlLoginEnabled, isSamlLicensed } from './sso/sam
 import { SamlController } from './sso/saml/routes/saml.controller.ee';
 import { SamlService } from './sso/saml/saml.service.ee';
 import { LdapManager } from './Ldap/LdapManager.ee';
+import { getCurrentAuthenticationMethod } from './sso/ssoHelpers';
 
 const exec = promisify(callbackExec);
 
@@ -328,6 +329,7 @@ class Server extends AbstractServer {
 		// refresh user management status
 		Object.assign(this.frontendSettings.userManagement, {
 			enabled: isUserManagementEnabled(),
+			authenticationMethod: getCurrentAuthenticationMethod(),
 			showSetupOnFirstLoad:
 				config.getEnv('userManagement.disabled') === false &&
 				config.getEnv('userManagement.isInstanceOwnerSetUp') === false &&
diff --git a/packages/cli/src/sso/ssoHelpers.ts b/packages/cli/src/sso/ssoHelpers.ts
index 99cf43cfd85fc..c894561a1d7b4 100644
--- a/packages/cli/src/sso/ssoHelpers.ts
+++ b/packages/cli/src/sso/ssoHelpers.ts
@@ -1,6 +1,7 @@
 import config from '@/config';
 import * as Db from '@/Db';
 import type { AuthProviderType } from '@/databases/entities/AuthIdentity';
+import type { AuthenticationMethod } from 'n8n-workflow';
 
 export function isSamlCurrentAuthenticationMethod(): boolean {
 	return config.getEnv('userManagement.authenticationMethod') === 'saml';
@@ -18,6 +19,10 @@ export function doRedirectUsersFromLoginToSsoFlow(): boolean {
 	return config.getEnv('sso.redirectLoginToSso');
 }
 
+export function getCurrentAuthenticationMethod(): AuthenticationMethod {
+	return config.getEnv('userManagement.authenticationMethod');
+}
+
 export async function setCurrentAuthenticationMethod(
 	authenticationMethod: AuthProviderType,
 ): Promise<void> {

From 71410f1256c66840c7ff21578edbc3d72abad93c Mon Sep 17 00:00:00 2001
From: Csaba Tuncsik <csaba@n8n.io>
Date: Wed, 29 Mar 2023 15:45:49 +0200
Subject: [PATCH 15/25] fix(editor): add missing prop to server

---
 packages/cli/src/Server.ts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/packages/cli/src/Server.ts b/packages/cli/src/Server.ts
index fc53dd318d561..b4003f471536e 100644
--- a/packages/cli/src/Server.ts
+++ b/packages/cli/src/Server.ts
@@ -270,6 +270,7 @@ class Server extends AbstractServer {
 					config.getEnv('userManagement.isInstanceOwnerSetUp') === false &&
 					config.getEnv('userManagement.skipInstanceOwnerSetup') === false,
 				smtpSetup: isEmailSetUp(),
+				authenticationMethod: getCurrentAuthenticationMethod(),
 			},
 			sso: {
 				saml: {

From af80235bbfd4dc01dd6440157785618153cf729e Mon Sep 17 00:00:00 2001
From: Csaba Tuncsik <csaba@n8n.io>
Date: Mon, 3 Apr 2023 10:49:41 +0200
Subject: [PATCH 16/25] chore(editor): code formatting

---
 packages/editor-ui/src/router.ts | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/packages/editor-ui/src/router.ts b/packages/editor-ui/src/router.ts
index af4bbc3d79d1d..ed3882c94a99a 100644
--- a/packages/editor-ui/src/router.ts
+++ b/packages/editor-ui/src/router.ts
@@ -590,7 +590,11 @@ const router = new Router({
 								shouldDeny: () => {
 									const settingsStore = useSettingsStore();
 									const ssoStore = useSSOStore();
-									return !ssoStore.isEnterpriseSamlEnabled || settingsStore.isCloudDeployment || settingsStore.isDesktopDeployment;
+									return (
+										!ssoStore.isEnterpriseSamlEnabled ||
+										settingsStore.isCloudDeployment ||
+										settingsStore.isDesktopDeployment
+									);
 								},
 							},
 						},

From ca91d95381a8098ef9d60905b2f40d45a41d0857 Mon Sep 17 00:00:00 2001
From: Michael Auerswald <michael.auerswald@gmail.com>
Date: Mon, 3 Apr 2023 11:55:28 +0200
Subject: [PATCH 17/25] fix ldap/saml enable toggle endpoint

---
 packages/cli/src/Ldap/helpers.ts         | 29 +++++++++++-------------
 packages/cli/src/sso/saml/samlHelpers.ts | 25 ++++++++++----------
 2 files changed, 25 insertions(+), 29 deletions(-)

diff --git a/packages/cli/src/Ldap/helpers.ts b/packages/cli/src/Ldap/helpers.ts
index 0785f7fdd1fb5..0b6310e2a6376 100644
--- a/packages/cli/src/Ldap/helpers.ts
+++ b/packages/cli/src/Ldap/helpers.ts
@@ -30,6 +30,7 @@ import {
 	isLdapCurrentAuthenticationMethod,
 	setCurrentAuthenticationMethod,
 } from '@/sso/ssoHelpers';
+import { InternalServerError } from '../ResponseHelper';
 
 /**
  *  Check whether the LDAP feature is disabled in the instance
@@ -54,25 +55,21 @@ export const setLdapLoginLabel = (value: string): void => {
 /**
  * Set the LDAP login enabled to the configuration object
  */
-export const setLdapLoginEnabled = async (value: boolean): Promise<void> => {
-	if (config.get(LDAP_LOGIN_ENABLED) === value) {
-		return;
-	}
-	// only one auth method can be active at a time, with email being the default
-	if (value && isEmailCurrentAuthenticationMethod()) {
-		// enable ldap login and disable email login, but only if email is the current auth method
-		config.set(LDAP_LOGIN_ENABLED, true);
-		await setCurrentAuthenticationMethod('ldap');
-	} else if (!value && isLdapCurrentAuthenticationMethod()) {
-		// disable ldap login, but only if ldap is the current auth method
-		config.set(LDAP_LOGIN_ENABLED, false);
-		await setCurrentAuthenticationMethod('email');
+export async function setLdapLoginEnabled(enabled: boolean): Promise<void> {
+	if (isEmailCurrentAuthenticationMethod() || isLdapCurrentAuthenticationMethod()) {
+		if (enabled) {
+			config.set(LDAP_LOGIN_ENABLED, true);
+			await setCurrentAuthenticationMethod('ldap');
+		} else if (!enabled) {
+			config.set(LDAP_LOGIN_ENABLED, false);
+			await setCurrentAuthenticationMethod('email');
+		}
 	} else {
-		Logger.warn(
-			'Cannot switch LDAP login enabled state when an authentication method other than email is active',
+		throw new InternalServerError(
+			`Cannot switch LDAP login enabled state when an authentication method other than email or ldap is active (current: ${getCurrentAuthenticationMethod()})`,
 		);
 	}
-};
+}
 
 /**
  * Retrieve the LDAP login label from the configuration object
diff --git a/packages/cli/src/sso/saml/samlHelpers.ts b/packages/cli/src/sso/saml/samlHelpers.ts
index 5975c02653c34..e401d0457a30d 100644
--- a/packages/cli/src/sso/saml/samlHelpers.ts
+++ b/packages/cli/src/sso/saml/samlHelpers.ts
@@ -4,7 +4,7 @@ import * as Db from '@/Db';
 import { AuthIdentity } from '@db/entities/AuthIdentity';
 import { User } from '@db/entities/User';
 import { License } from '@/License';
-import { AuthError } from '@/ResponseHelper';
+import { AuthError, InternalServerError } from '@/ResponseHelper';
 import { hashPassword, isUserManagementEnabled } from '@/UserManagement/UserManagementHelper';
 import type { SamlPreferences } from './types/samlPreferences';
 import type { SamlUserAttributes } from './types/samlUserAttributes';
@@ -12,11 +12,11 @@ import type { FlowResult } from 'samlify/types/src/flow';
 import type { SamlAttributeMapping } from './types/samlAttributeMapping';
 import { SAML_LOGIN_ENABLED, SAML_LOGIN_LABEL } from './constants';
 import {
+	getCurrentAuthenticationMethod,
 	isEmailCurrentAuthenticationMethod,
 	isSamlCurrentAuthenticationMethod,
 	setCurrentAuthenticationMethod,
 } from '../ssoHelpers';
-import { LoggerProxy } from 'n8n-workflow';
 /**
  *  Check whether the SAML feature is licensed and enabled in the instance
  */
@@ -30,18 +30,17 @@ export function getSamlLoginLabel(): string {
 
 // can only toggle between email and saml, not directly to e.g. ldap
 export async function setSamlLoginEnabled(enabled: boolean): Promise<void> {
-	if (config.get(SAML_LOGIN_ENABLED) === enabled) {
-		return;
-	}
-	if (enabled && isEmailCurrentAuthenticationMethod()) {
-		config.set(SAML_LOGIN_ENABLED, true);
-		await setCurrentAuthenticationMethod('saml');
-	} else if (!enabled && isSamlCurrentAuthenticationMethod()) {
-		config.set(SAML_LOGIN_ENABLED, false);
-		await setCurrentAuthenticationMethod('email');
+	if (isEmailCurrentAuthenticationMethod() || isSamlCurrentAuthenticationMethod()) {
+		if (enabled) {
+			config.set(SAML_LOGIN_ENABLED, true);
+			await setCurrentAuthenticationMethod('saml');
+		} else if (!enabled) {
+			config.set(SAML_LOGIN_ENABLED, false);
+			await setCurrentAuthenticationMethod('email');
+		}
 	} else {
-		LoggerProxy.warn(
-			'Cannot switch SAML login enabled state when an authentication method other than email is active',
+		throw new InternalServerError(
+			`Cannot switch SAML login enabled state when an authentication method other than email or saml is active (current: ${getCurrentAuthenticationMethod()})`,
 		);
 	}
 }

From 1c80871841760abd952b467c40bf1bd66ad9b8c1 Mon Sep 17 00:00:00 2001
From: Michael Auerswald <michael.auerswald@gmail.com>
Date: Mon, 3 Apr 2023 12:02:15 +0200
Subject: [PATCH 18/25] fix missing import

---
 packages/cli/src/Ldap/helpers.ts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/packages/cli/src/Ldap/helpers.ts b/packages/cli/src/Ldap/helpers.ts
index 0b6310e2a6376..55594023ed927 100644
--- a/packages/cli/src/Ldap/helpers.ts
+++ b/packages/cli/src/Ldap/helpers.ts
@@ -26,6 +26,7 @@ import { jsonParse, LoggerProxy as Logger } from 'n8n-workflow';
 import { License } from '@/License';
 import { InternalHooks } from '@/InternalHooks';
 import {
+	getCurrentAuthenticationMethod,
 	isEmailCurrentAuthenticationMethod,
 	isLdapCurrentAuthenticationMethod,
 	setCurrentAuthenticationMethod,

From 60173e02b515436ab3c773c08a55a1ba42ba5773 Mon Sep 17 00:00:00 2001
From: Michael Auerswald <michael.auerswald@gmail.com>
Date: Mon, 3 Apr 2023 12:07:19 +0200
Subject: [PATCH 19/25] prevent faulty ldap setting from breaking startup

---
 packages/cli/src/Ldap/helpers.ts | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/packages/cli/src/Ldap/helpers.ts b/packages/cli/src/Ldap/helpers.ts
index 55594023ed927..21779d21a03ac 100644
--- a/packages/cli/src/Ldap/helpers.ts
+++ b/packages/cli/src/Ldap/helpers.ts
@@ -215,7 +215,15 @@ export const handleLdapInit = async (): Promise<void> => {
 
 	const ldapConfig = await getLdapConfig();
 
-	await setGlobalLdapConfigVariables(ldapConfig);
+	try {
+		await setGlobalLdapConfigVariables(ldapConfig);
+	} catch (error) {
+		Logger.error(
+			`Cannot set LDAP login enabled state when an authentication method other than email or ldap is active (current: ${getCurrentAuthenticationMethod()})`,
+			// eslint-disable-next-line @typescript-eslint/no-unsafe-argument
+			error,
+		);
+	}
 
 	// init LDAP manager with the current
 	// configuration

From b558a4c028a07d62675c69c5944103fb4474bbcb Mon Sep 17 00:00:00 2001
From: Romain Minaud <romain.minaud@gmail.com>
Date: Mon, 3 Apr 2023 13:53:33 +0200
Subject: [PATCH 20/25] remove sso fake-door from users page

---
 packages/editor-ui/src/views/SettingsUsersView.vue | 14 +-------------
 1 file changed, 1 insertion(+), 13 deletions(-)

diff --git a/packages/editor-ui/src/views/SettingsUsersView.vue b/packages/editor-ui/src/views/SettingsUsersView.vue
index 71afbfe4ebe34..87d24e2b6580c 100644
--- a/packages/editor-ui/src/views/SettingsUsersView.vue
+++ b/packages/editor-ui/src/views/SettingsUsersView.vue
@@ -47,13 +47,6 @@
 				@copyInviteLink="onCopyInviteLink"
 			/>
 		</div>
-		<feature-coming-soon
-			v-for="fakeDoorFeature in fakeDoorFeatures"
-			:key="fakeDoorFeature.id"
-			:featureId="fakeDoorFeature.id"
-			class="pb-3xl"
-			showTitle
-		/>
 	</div>
 </template>
 
@@ -61,8 +54,7 @@
 import { EnterpriseEditionFeature, INVITE_USER_MODAL_KEY, VIEWS } from '@/constants';
 
 import PageAlert from '../components/PageAlert.vue';
-import FeatureComingSoon from '@/components/FeatureComingSoon.vue';
-import { IFakeDoor, IUser, IUserListAction } from '@/Interface';
+import { IUser, IUserListAction } from '@/Interface';
 import mixins from 'vue-typed-mixins';
 import { showMessage } from '@/mixins/showMessage';
 import { copyPaste } from '@/mixins/copyPaste';
@@ -77,7 +69,6 @@ export default mixins(showMessage, copyPaste).extend({
 	name: 'SettingsUsersView',
 	components: {
 		PageAlert,
-		FeatureComingSoon,
 	},
 	async mounted() {
 		if (!this.usersStore.showUMSetupWarning) {
@@ -107,9 +98,6 @@ export default mixins(showMessage, copyPaste).extend({
 				},
 			];
 		},
-		fakeDoorFeatures(): IFakeDoor[] {
-			return this.uiStore.getFakeDoorByLocation('settings/users');
-		},
 	},
 	methods: {
 		redirectToSetup() {

From 3ee992f08ad96af6b169ecfa6fd94ba8d5f6aebf Mon Sep 17 00:00:00 2001
From: Csaba Tuncsik <csaba@n8n.io>
Date: Mon, 3 Apr 2023 18:38:19 +0200
Subject: [PATCH 21/25] fix(editor): update SSO settings route permissions +
 unit testing

---
 packages/editor-ui/src/router.ts              | 1036 ++++++++---------
 .../src/utils/__tests__/userUtils.test.ts     |  124 ++
 packages/editor-ui/vite.config.ts             |    6 +
 3 files changed, 648 insertions(+), 518 deletions(-)
 create mode 100644 packages/editor-ui/src/utils/__tests__/userUtils.test.ts

diff --git a/packages/editor-ui/src/router.ts b/packages/editor-ui/src/router.ts
index ed3882c94a99a..701cb1388fb82 100644
--- a/packages/editor-ui/src/router.ts
+++ b/packages/editor-ui/src/router.ts
@@ -65,647 +65,647 @@ function getTemplatesRedirect() {
 	return false;
 }
 
-const router = new Router({
-	mode: 'history',
-	base: import.meta.env.DEV ? '/' : window.BASE_PATH ?? '/',
-	scrollBehavior(to, from, savedPosition) {
-		// saved position == null means the page is NOT visited from history (back button)
-		if (savedPosition === null && to.name === VIEWS.TEMPLATES && to.meta) {
-			// for templates view, reset scroll position in this case
-			to.meta.setScrollPosition(0);
-		}
-	},
-	routes: [
-		{
-			path: '/',
-			name: VIEWS.HOMEPAGE,
-			meta: {
-				getRedirect() {
-					return { name: VIEWS.WORKFLOWS };
-				},
-				permissions: {
-					allow: {
-						loginStatus: [LOGIN_STATUS.LoggedIn],
-					},
+export const routes = [
+	{
+		path: '/',
+		name: VIEWS.HOMEPAGE,
+		meta: {
+			getRedirect() {
+				return { name: VIEWS.WORKFLOWS };
+			},
+			permissions: {
+				allow: {
+					loginStatus: [LOGIN_STATUS.LoggedIn],
 				},
 			},
 		},
-		{
-			path: '/collections/:id',
-			name: VIEWS.COLLECTION,
-			components: {
-				default: TemplatesCollectionView,
-				sidebar: MainSidebar,
-			},
-			meta: {
-				templatesEnabled: true,
-				telemetry: {
-					getProperties(route: Route) {
-						const templatesStore = useTemplatesStore();
-						return {
-							collection_id: route.params.id,
-							wf_template_repo_session_id: templatesStore.currentSessionId,
-						};
-					},
+	},
+	{
+		path: '/collections/:id',
+		name: VIEWS.COLLECTION,
+		components: {
+			default: TemplatesCollectionView,
+			sidebar: MainSidebar,
+		},
+		meta: {
+			templatesEnabled: true,
+			telemetry: {
+				getProperties(route: Route) {
+					const templatesStore = useTemplatesStore();
+					return {
+						collection_id: route.params.id,
+						wf_template_repo_session_id: templatesStore.currentSessionId,
+					};
 				},
-				getRedirect: getTemplatesRedirect,
-				permissions: {
-					allow: {
-						loginStatus: [LOGIN_STATUS.LoggedIn],
-					},
+			},
+			getRedirect: getTemplatesRedirect,
+			permissions: {
+				allow: {
+					loginStatus: [LOGIN_STATUS.LoggedIn],
 				},
 			},
 		},
-		{
-			path: '/templates/:id',
-			name: VIEWS.TEMPLATE,
-			components: {
-				default: TemplatesWorkflowView,
-				sidebar: MainSidebar,
-			},
-			meta: {
-				templatesEnabled: true,
-				getRedirect: getTemplatesRedirect,
-				telemetry: {
-					getProperties(route: Route) {
-						const templatesStore = useTemplatesStore();
-						return {
-							template_id: route.params.id,
-							wf_template_repo_session_id: templatesStore.currentSessionId,
-						};
-					},
+	},
+	{
+		path: '/templates/:id',
+		name: VIEWS.TEMPLATE,
+		components: {
+			default: TemplatesWorkflowView,
+			sidebar: MainSidebar,
+		},
+		meta: {
+			templatesEnabled: true,
+			getRedirect: getTemplatesRedirect,
+			telemetry: {
+				getProperties(route: Route) {
+					const templatesStore = useTemplatesStore();
+					return {
+						template_id: route.params.id,
+						wf_template_repo_session_id: templatesStore.currentSessionId,
+					};
 				},
-				permissions: {
-					allow: {
-						loginStatus: [LOGIN_STATUS.LoggedIn],
-					},
+			},
+			permissions: {
+				allow: {
+					loginStatus: [LOGIN_STATUS.LoggedIn],
 				},
 			},
 		},
-		{
-			path: '/templates/',
-			name: VIEWS.TEMPLATES,
-			components: {
-				default: TemplatesSearchView,
-				sidebar: MainSidebar,
-			},
-			meta: {
-				templatesEnabled: true,
-				getRedirect: getTemplatesRedirect,
-				// Templates view remembers it's scroll position on back
-				scrollOffset: 0,
-				telemetry: {
-					getProperties(route: Route) {
-						const templatesStore = useTemplatesStore();
-						return {
-							wf_template_repo_session_id: templatesStore.currentSessionId,
-						};
-					},
-				},
-				setScrollPosition(pos: number) {
-					this.scrollOffset = pos;
-				},
-				permissions: {
-					allow: {
-						loginStatus: [LOGIN_STATUS.LoggedIn],
-					},
+	},
+	{
+		path: '/templates/',
+		name: VIEWS.TEMPLATES,
+		components: {
+			default: TemplatesSearchView,
+			sidebar: MainSidebar,
+		},
+		meta: {
+			templatesEnabled: true,
+			getRedirect: getTemplatesRedirect,
+			// Templates view remembers it's scroll position on back
+			scrollOffset: 0,
+			telemetry: {
+				getProperties(route: Route) {
+					const templatesStore = useTemplatesStore();
+					return {
+						wf_template_repo_session_id: templatesStore.currentSessionId,
+					};
 				},
 			},
-		},
-		{
-			path: '/credentials',
-			name: VIEWS.CREDENTIALS,
-			components: {
-				default: CredentialsView,
-				sidebar: MainSidebar,
+			setScrollPosition(pos: number) {
+				this.scrollOffset = pos;
 			},
-			meta: {
-				permissions: {
-					allow: {
-						loginStatus: [LOGIN_STATUS.LoggedIn],
-					},
+			permissions: {
+				allow: {
+					loginStatus: [LOGIN_STATUS.LoggedIn],
 				},
 			},
 		},
-		{
-			path: '/executions',
-			name: VIEWS.EXECUTIONS,
-			components: {
-				default: ExecutionsView,
-				sidebar: MainSidebar,
-			},
-			meta: {
-				permissions: {
-					allow: {
-						loginStatus: [LOGIN_STATUS.LoggedIn],
-					},
+	},
+	{
+		path: '/credentials',
+		name: VIEWS.CREDENTIALS,
+		components: {
+			default: CredentialsView,
+			sidebar: MainSidebar,
+		},
+		meta: {
+			permissions: {
+				allow: {
+					loginStatus: [LOGIN_STATUS.LoggedIn],
 				},
 			},
 		},
-		{
-			path: '/workflow',
-			redirect: '/workflow/new',
+	},
+	{
+		path: '/executions',
+		name: VIEWS.EXECUTIONS,
+		components: {
+			default: ExecutionsView,
+			sidebar: MainSidebar,
 		},
-		{
-			path: '/workflows',
-			name: VIEWS.WORKFLOWS,
-			components: {
-				default: WorkflowsView,
-				sidebar: MainSidebar,
-			},
-			meta: {
-				permissions: {
-					allow: {
-						loginStatus: [LOGIN_STATUS.LoggedIn],
-					},
+		meta: {
+			permissions: {
+				allow: {
+					loginStatus: [LOGIN_STATUS.LoggedIn],
 				},
 			},
 		},
-		{
-			path: '/workflow/new',
-			name: VIEWS.NEW_WORKFLOW,
-			components: {
-				default: NodeView,
-				header: MainHeader,
-				sidebar: MainSidebar,
-			},
-			meta: {
-				nodeView: true,
-				permissions: {
-					allow: {
-						loginStatus: [LOGIN_STATUS.LoggedIn],
-					},
+	},
+	{
+		path: '/workflow',
+		redirect: '/workflow/new',
+	},
+	{
+		path: '/workflows',
+		name: VIEWS.WORKFLOWS,
+		components: {
+			default: WorkflowsView,
+			sidebar: MainSidebar,
+		},
+		meta: {
+			permissions: {
+				allow: {
+					loginStatus: [LOGIN_STATUS.LoggedIn],
 				},
 			},
 		},
-		{
-			path: '/workflow/:name',
-			name: VIEWS.WORKFLOW,
-			components: {
-				default: NodeView,
-				header: MainHeader,
-				sidebar: MainSidebar,
-			},
-			meta: {
-				nodeView: true,
-				permissions: {
-					allow: {
-						loginStatus: [LOGIN_STATUS.LoggedIn],
-					},
+	},
+	{
+		path: '/workflow/new',
+		name: VIEWS.NEW_WORKFLOW,
+		components: {
+			default: NodeView,
+			header: MainHeader,
+			sidebar: MainSidebar,
+		},
+		meta: {
+			nodeView: true,
+			permissions: {
+				allow: {
+					loginStatus: [LOGIN_STATUS.LoggedIn],
 				},
 			},
 		},
-		{
-			path: '/workflow/:name/executions',
-			name: VIEWS.WORKFLOW_EXECUTIONS,
-			components: {
-				default: WorkflowExecutionsList,
-				header: MainHeader,
-				sidebar: MainSidebar,
+	},
+	{
+		path: '/workflow/:name',
+		name: VIEWS.WORKFLOW,
+		components: {
+			default: NodeView,
+			header: MainHeader,
+			sidebar: MainSidebar,
+		},
+		meta: {
+			nodeView: true,
+			permissions: {
+				allow: {
+					loginStatus: [LOGIN_STATUS.LoggedIn],
+				},
 			},
-			meta: {
-				keepWorkflowAlive: true,
-				permissions: {
-					allow: {
-						loginStatus: [LOGIN_STATUS.LoggedIn],
-					},
+		},
+	},
+	{
+		path: '/workflow/:name/executions',
+		name: VIEWS.WORKFLOW_EXECUTIONS,
+		components: {
+			default: WorkflowExecutionsList,
+			header: MainHeader,
+			sidebar: MainSidebar,
+		},
+		meta: {
+			keepWorkflowAlive: true,
+			permissions: {
+				allow: {
+					loginStatus: [LOGIN_STATUS.LoggedIn],
 				},
 			},
-			children: [
-				{
-					path: '',
-					name: VIEWS.EXECUTION_HOME,
-					components: {
-						executionPreview: ExecutionsLandingPage,
-					},
-					meta: {
-						keepWorkflowAlive: true,
-						permissions: {
-							allow: {
-								loginStatus: [LOGIN_STATUS.LoggedIn],
-							},
+		},
+		children: [
+			{
+				path: '',
+				name: VIEWS.EXECUTION_HOME,
+				components: {
+					executionPreview: ExecutionsLandingPage,
+				},
+				meta: {
+					keepWorkflowAlive: true,
+					permissions: {
+						allow: {
+							loginStatus: [LOGIN_STATUS.LoggedIn],
 						},
 					},
 				},
-				{
-					path: ':executionId',
-					name: VIEWS.EXECUTION_PREVIEW,
-					components: {
-						executionPreview: ExecutionPreview,
-					},
-					meta: {
-						keepWorkflowAlive: true,
-						permissions: {
-							allow: {
-								loginStatus: [LOGIN_STATUS.LoggedIn],
-							},
+			},
+			{
+				path: ':executionId',
+				name: VIEWS.EXECUTION_PREVIEW,
+				components: {
+					executionPreview: ExecutionPreview,
+				},
+				meta: {
+					keepWorkflowAlive: true,
+					permissions: {
+						allow: {
+							loginStatus: [LOGIN_STATUS.LoggedIn],
 						},
 					},
 				},
-			],
-		},
-		{
-			path: '/workflows/demo',
-			name: VIEWS.DEMO,
-			components: {
-				default: NodeView,
 			},
-			meta: {
-				permissions: {
-					allow: {
-						loginStatus: [LOGIN_STATUS.LoggedIn],
-					},
+		],
+	},
+	{
+		path: '/workflows/demo',
+		name: VIEWS.DEMO,
+		components: {
+			default: NodeView,
+		},
+		meta: {
+			permissions: {
+				allow: {
+					loginStatus: [LOGIN_STATUS.LoggedIn],
 				},
 			},
 		},
-		{
-			path: '/workflows/templates/:id',
-			name: VIEWS.TEMPLATE_IMPORT,
-			components: {
-				default: NodeView,
-				header: MainHeader,
-				sidebar: MainSidebar,
-			},
-			meta: {
-				templatesEnabled: true,
-				getRedirect: getTemplatesRedirect,
-				permissions: {
-					allow: {
-						loginStatus: [LOGIN_STATUS.LoggedIn],
-					},
+	},
+	{
+		path: '/workflows/templates/:id',
+		name: VIEWS.TEMPLATE_IMPORT,
+		components: {
+			default: NodeView,
+			header: MainHeader,
+			sidebar: MainSidebar,
+		},
+		meta: {
+			templatesEnabled: true,
+			getRedirect: getTemplatesRedirect,
+			permissions: {
+				allow: {
+					loginStatus: [LOGIN_STATUS.LoggedIn],
 				},
 			},
 		},
-		{
-			path: '/signin',
-			name: VIEWS.SIGNIN,
-			components: {
-				default: SigninView,
+	},
+	{
+		path: '/signin',
+		name: VIEWS.SIGNIN,
+		components: {
+			default: SigninView,
+		},
+		meta: {
+			telemetry: {
+				pageCategory: 'auth',
 			},
-			meta: {
-				telemetry: {
-					pageCategory: 'auth',
-				},
-				permissions: {
-					allow: {
-						loginStatus: [LOGIN_STATUS.LoggedOut],
-					},
+			permissions: {
+				allow: {
+					loginStatus: [LOGIN_STATUS.LoggedOut],
 				},
 			},
 		},
-		{
-			path: '/signup',
-			name: VIEWS.SIGNUP,
-			components: {
-				default: SignupView,
+	},
+	{
+		path: '/signup',
+		name: VIEWS.SIGNUP,
+		components: {
+			default: SignupView,
+		},
+		meta: {
+			telemetry: {
+				pageCategory: 'auth',
 			},
-			meta: {
-				telemetry: {
-					pageCategory: 'auth',
-				},
-				permissions: {
-					allow: {
-						loginStatus: [LOGIN_STATUS.LoggedOut],
-					},
+			permissions: {
+				allow: {
+					loginStatus: [LOGIN_STATUS.LoggedOut],
 				},
 			},
 		},
-		{
-			path: '/signout',
-			name: VIEWS.SIGNOUT,
-			components: {
-				default: SignoutView,
+	},
+	{
+		path: '/signout',
+		name: VIEWS.SIGNOUT,
+		components: {
+			default: SignoutView,
+		},
+		meta: {
+			telemetry: {
+				pageCategory: 'auth',
 			},
-			meta: {
-				telemetry: {
-					pageCategory: 'auth',
-				},
-				permissions: {
-					allow: {
-						loginStatus: [LOGIN_STATUS.LoggedIn],
-					},
+			permissions: {
+				allow: {
+					loginStatus: [LOGIN_STATUS.LoggedIn],
 				},
 			},
 		},
-		{
-			path: '/setup',
-			name: VIEWS.SETUP,
-			components: {
-				default: SetupView,
+	},
+	{
+		path: '/setup',
+		name: VIEWS.SETUP,
+		components: {
+			default: SetupView,
+		},
+		meta: {
+			telemetry: {
+				pageCategory: 'auth',
 			},
-			meta: {
-				telemetry: {
-					pageCategory: 'auth',
+			permissions: {
+				allow: {
+					role: [ROLE.Default],
 				},
-				permissions: {
-					allow: {
-						role: [ROLE.Default],
-					},
-					deny: {
-						shouldDeny: () => {
-							const settingsStore = useSettingsStore();
-							return settingsStore.isUserManagementEnabled === false;
-						},
+				deny: {
+					shouldDeny: () => {
+						const settingsStore = useSettingsStore();
+						return settingsStore.isUserManagementEnabled === false;
 					},
 				},
 			},
 		},
-		{
-			path: '/forgot-password',
-			name: VIEWS.FORGOT_PASSWORD,
-			components: {
-				default: ForgotMyPasswordView,
+	},
+	{
+		path: '/forgot-password',
+		name: VIEWS.FORGOT_PASSWORD,
+		components: {
+			default: ForgotMyPasswordView,
+		},
+		meta: {
+			telemetry: {
+				pageCategory: 'auth',
 			},
-			meta: {
-				telemetry: {
-					pageCategory: 'auth',
-				},
-				permissions: {
-					allow: {
-						loginStatus: [LOGIN_STATUS.LoggedOut],
-					},
+			permissions: {
+				allow: {
+					loginStatus: [LOGIN_STATUS.LoggedOut],
 				},
 			},
 		},
-		{
-			path: '/change-password',
-			name: VIEWS.CHANGE_PASSWORD,
-			components: {
-				default: ChangePasswordView,
+	},
+	{
+		path: '/change-password',
+		name: VIEWS.CHANGE_PASSWORD,
+		components: {
+			default: ChangePasswordView,
+		},
+		meta: {
+			telemetry: {
+				pageCategory: 'auth',
 			},
-			meta: {
-				telemetry: {
-					pageCategory: 'auth',
-				},
-				permissions: {
-					allow: {
-						loginStatus: [LOGIN_STATUS.LoggedOut],
-					},
+			permissions: {
+				allow: {
+					loginStatus: [LOGIN_STATUS.LoggedOut],
 				},
 			},
 		},
-		{
-			path: '/settings',
-			component: SettingsView,
-			props: true,
-			children: [
-				{
-					path: 'usage',
-					name: VIEWS.USAGE,
-					components: {
-						settingsView: SettingsUsageAndPlanVue,
+	},
+	{
+		path: '/settings',
+		component: SettingsView,
+		props: true,
+		children: [
+			{
+				path: 'usage',
+				name: VIEWS.USAGE,
+				components: {
+					settingsView: SettingsUsageAndPlanVue,
+				},
+				meta: {
+					telemetry: {
+						pageCategory: 'settings',
+						getProperties(route: Route) {
+							return {
+								feature: 'usage',
+							};
+						},
 					},
-					meta: {
-						telemetry: {
-							pageCategory: 'settings',
-							getProperties(route: Route) {
-								return {
-									feature: 'usage',
-								};
-							},
+					permissions: {
+						allow: {
+							loginStatus: [LOGIN_STATUS.LoggedIn],
 						},
-						permissions: {
-							allow: {
-								loginStatus: [LOGIN_STATUS.LoggedIn],
-							},
-							deny: {
-								shouldDeny: () => {
-									const settingsStore = useSettingsStore();
-									return (
-										settingsStore.settings.hideUsagePage === true ||
-										settingsStore.settings.deployment?.type === 'cloud'
-									);
-								},
+						deny: {
+							shouldDeny: () => {
+								const settingsStore = useSettingsStore();
+								return (
+									settingsStore.settings.hideUsagePage === true ||
+									settingsStore.settings.deployment?.type === 'cloud'
+								);
 							},
 						},
 					},
 				},
-				{
-					path: 'personal',
-					name: VIEWS.PERSONAL_SETTINGS,
-					components: {
-						settingsView: SettingsPersonalView,
+			},
+			{
+				path: 'personal',
+				name: VIEWS.PERSONAL_SETTINGS,
+				components: {
+					settingsView: SettingsPersonalView,
+				},
+				meta: {
+					telemetry: {
+						pageCategory: 'settings',
+						getProperties(route: Route) {
+							return {
+								feature: 'personal',
+							};
+						},
 					},
-					meta: {
-						telemetry: {
-							pageCategory: 'settings',
-							getProperties(route: Route) {
-								return {
-									feature: 'personal',
-								};
-							},
+					permissions: {
+						allow: {
+							loginStatus: [LOGIN_STATUS.LoggedIn],
 						},
-						permissions: {
-							allow: {
-								loginStatus: [LOGIN_STATUS.LoggedIn],
-							},
-							deny: {
-								role: [ROLE.Default],
-							},
+						deny: {
+							role: [ROLE.Default],
 						},
 					},
 				},
-				{
-					path: 'users',
-					name: VIEWS.USERS_SETTINGS,
-					components: {
-						settingsView: SettingsUsersView,
+			},
+			{
+				path: 'users',
+				name: VIEWS.USERS_SETTINGS,
+				components: {
+					settingsView: SettingsUsersView,
+				},
+				meta: {
+					telemetry: {
+						pageCategory: 'settings',
+						getProperties(route: Route) {
+							return {
+								feature: 'users',
+							};
+						},
 					},
-					meta: {
-						telemetry: {
-							pageCategory: 'settings',
-							getProperties(route: Route) {
-								return {
-									feature: 'users',
-								};
-							},
+					permissions: {
+						allow: {
+							role: [ROLE.Default, ROLE.Owner],
 						},
-						permissions: {
-							allow: {
-								role: [ROLE.Default, ROLE.Owner],
-							},
-							deny: {
-								shouldDeny: () => {
-									const settingsStore = useSettingsStore();
+						deny: {
+							shouldDeny: () => {
+								const settingsStore = useSettingsStore();
 
-									return (
-										settingsStore.isUserManagementEnabled === false &&
-										!(settingsStore.isCloudDeployment || settingsStore.isDesktopDeployment)
-									);
-								},
+								return (
+									settingsStore.isUserManagementEnabled === false &&
+									!(settingsStore.isCloudDeployment || settingsStore.isDesktopDeployment)
+								);
 							},
 						},
 					},
 				},
-				{
-					path: 'api',
-					name: VIEWS.API_SETTINGS,
-					components: {
-						settingsView: SettingsApiView,
+			},
+			{
+				path: 'api',
+				name: VIEWS.API_SETTINGS,
+				components: {
+					settingsView: SettingsApiView,
+				},
+				meta: {
+					telemetry: {
+						pageCategory: 'settings',
+						getProperties(route: Route) {
+							return {
+								feature: 'api',
+							};
+						},
 					},
-					meta: {
-						telemetry: {
-							pageCategory: 'settings',
-							getProperties(route: Route) {
-								return {
-									feature: 'api',
-								};
-							},
+					permissions: {
+						allow: {
+							loginStatus: [LOGIN_STATUS.LoggedIn],
 						},
-						permissions: {
-							allow: {
-								loginStatus: [LOGIN_STATUS.LoggedIn],
-							},
-							deny: {
-								shouldDeny: () => {
-									const settingsStore = useSettingsStore();
-									return settingsStore.isPublicApiEnabled === false;
-								},
+						deny: {
+							shouldDeny: () => {
+								const settingsStore = useSettingsStore();
+								return settingsStore.isPublicApiEnabled === false;
 							},
 						},
 					},
 				},
-				{
-					path: 'sso',
-					name: VIEWS.SSO_SETTINGS,
-					components: {
-						settingsView: SettingsSso,
+			},
+			{
+				path: 'sso',
+				name: VIEWS.SSO_SETTINGS,
+				components: {
+					settingsView: SettingsSso,
+				},
+				meta: {
+					telemetry: {
+						pageCategory: 'settings',
+						getProperties(route: Route) {
+							return {
+								feature: 'sso',
+							};
+						},
 					},
-					meta: {
-						telemetry: {
-							pageCategory: 'settings',
-							getProperties(route: Route) {
-								return {
-									feature: 'sso',
-								};
-							},
+					permissions: {
+						allow: {
+							role: [ROLE.Owner],
 						},
-						permissions: {
-							allow: {
-								loginStatus: [LOGIN_STATUS.LoggedIn],
-								role: [ROLE.Owner],
-							},
-							deny: {
-								role: [ROLE.Default],
-								shouldDeny: () => {
-									const settingsStore = useSettingsStore();
-									const ssoStore = useSSOStore();
-									return (
-										!ssoStore.isEnterpriseSamlEnabled ||
-										settingsStore.isCloudDeployment ||
-										settingsStore.isDesktopDeployment
-									);
-								},
+						deny: {
+							shouldDeny: () => {
+								const settingsStore = useSettingsStore();
+								const ssoStore = useSSOStore();
+								return (
+									!ssoStore.isEnterpriseSamlEnabled ||
+									settingsStore.isCloudDeployment ||
+									settingsStore.isDesktopDeployment
+								);
 							},
 						},
 					},
 				},
-				{
-					path: 'log-streaming',
-					name: VIEWS.LOG_STREAMING_SETTINGS,
-					components: {
-						settingsView: SettingsLogStreamingView,
+			},
+			{
+				path: 'log-streaming',
+				name: VIEWS.LOG_STREAMING_SETTINGS,
+				components: {
+					settingsView: SettingsLogStreamingView,
+				},
+				meta: {
+					telemetry: {
+						pageCategory: 'settings',
 					},
-					meta: {
-						telemetry: {
-							pageCategory: 'settings',
+					permissions: {
+						allow: {
+							loginStatus: [LOGIN_STATUS.LoggedIn],
+							role: [ROLE.Owner],
 						},
-						permissions: {
-							allow: {
-								loginStatus: [LOGIN_STATUS.LoggedIn],
-								role: [ROLE.Owner],
-							},
-							deny: {
-								role: [ROLE.Default],
-							},
+						deny: {
+							role: [ROLE.Default],
 						},
 					},
 				},
-				{
-					path: 'community-nodes',
-					name: VIEWS.COMMUNITY_NODES,
-					components: {
-						settingsView: SettingsCommunityNodesView,
+			},
+			{
+				path: 'community-nodes',
+				name: VIEWS.COMMUNITY_NODES,
+				components: {
+					settingsView: SettingsCommunityNodesView,
+				},
+				meta: {
+					telemetry: {
+						pageCategory: 'settings',
 					},
-					meta: {
-						telemetry: {
-							pageCategory: 'settings',
+					permissions: {
+						allow: {
+							role: [ROLE.Default, ROLE.Owner],
 						},
-						permissions: {
-							allow: {
-								role: [ROLE.Default, ROLE.Owner],
-							},
-							deny: {
-								shouldDeny: () => {
-									const settingsStore = useSettingsStore();
-									return settingsStore.isCommunityNodesFeatureEnabled === false;
-								},
+						deny: {
+							shouldDeny: () => {
+								const settingsStore = useSettingsStore();
+								return settingsStore.isCommunityNodesFeatureEnabled === false;
 							},
 						},
 					},
 				},
-				{
-					path: 'coming-soon/:featureId',
-					name: VIEWS.FAKE_DOOR,
-					components: {
-						settingsView: SettingsFakeDoorView,
-					},
-					meta: {
-						telemetry: {
-							pageCategory: 'settings',
-							getProperties(route: Route) {
-								return {
-									feature: route.params['featureId'],
-								};
-							},
+			},
+			{
+				path: 'coming-soon/:featureId',
+				name: VIEWS.FAKE_DOOR,
+				components: {
+					settingsView: SettingsFakeDoorView,
+				},
+				meta: {
+					telemetry: {
+						pageCategory: 'settings',
+						getProperties(route: Route) {
+							return {
+								feature: route.params['featureId'],
+							};
 						},
-						permissions: {
-							allow: {
-								loginStatus: [LOGIN_STATUS.LoggedIn],
-							},
+					},
+					permissions: {
+						allow: {
+							loginStatus: [LOGIN_STATUS.LoggedIn],
 						},
 					},
 				},
-				{
-					path: 'ldap',
-					name: VIEWS.LDAP_SETTINGS,
-					components: {
-						settingsView: SettingsLdapView,
-					},
-					meta: {
-						permissions: {
-							allow: {
-								role: [ROLE.Owner],
-							},
+			},
+			{
+				path: 'ldap',
+				name: VIEWS.LDAP_SETTINGS,
+				components: {
+					settingsView: SettingsLdapView,
+				},
+				meta: {
+					permissions: {
+						allow: {
+							role: [ROLE.Owner],
 						},
 					},
 				},
-			],
-		},
-		{
-			path: '*',
-			name: VIEWS.NOT_FOUND,
-			component: ErrorView,
-			props: {
-				messageKey: 'error.pageNotFound',
-				errorCode: 404,
-				redirectTextKey: 'error.goBack',
-				redirectPage: VIEWS.HOMEPAGE,
-			},
-			meta: {
-				nodeView: true,
-				telemetry: {
-					disabled: true,
-				},
-				permissions: {
-					allow: {
-						// TODO: Once custom permissions are merged, this needs to be updated with index validation
-						loginStatus: [LOGIN_STATUS.LoggedIn, LOGIN_STATUS.LoggedOut],
-					},
+			},
+		],
+	},
+	{
+		path: '*',
+		name: VIEWS.NOT_FOUND,
+		component: ErrorView,
+		props: {
+			messageKey: 'error.pageNotFound',
+			errorCode: 404,
+			redirectTextKey: 'error.goBack',
+			redirectPage: VIEWS.HOMEPAGE,
+		},
+		meta: {
+			nodeView: true,
+			telemetry: {
+				disabled: true,
+			},
+			permissions: {
+				allow: {
+					// TODO: Once custom permissions are merged, this needs to be updated with index validation
+					loginStatus: [LOGIN_STATUS.LoggedIn, LOGIN_STATUS.LoggedOut],
 				},
 			},
 		},
-	] as IRouteConfig[],
+	},
+] as IRouteConfig[];
+
+const router = new Router({
+	mode: 'history',
+	base: import.meta.env.DEV ? '/' : window.BASE_PATH ?? '/',
+	scrollBehavior(to, from, savedPosition) {
+		// saved position == null means the page is NOT visited from history (back button)
+		if (savedPosition === null && to.name === VIEWS.TEMPLATES && to.meta) {
+			// for templates view, reset scroll position in this case
+			to.meta.setScrollPosition(0);
+		}
+	},
+	routes,
 });
 
 export default router;
diff --git a/packages/editor-ui/src/utils/__tests__/userUtils.test.ts b/packages/editor-ui/src/utils/__tests__/userUtils.test.ts
new file mode 100644
index 0000000000000..e2fb83d3a8557
--- /dev/null
+++ b/packages/editor-ui/src/utils/__tests__/userUtils.test.ts
@@ -0,0 +1,124 @@
+import { beforeAll } from 'vitest';
+import { setActivePinia, createPinia } from 'pinia';
+import { isAuthorized } from '@/utils';
+import { useSettingsStore } from '@/stores/settings';
+import { useSSOStore } from '@/stores/sso';
+import { IN8nUISettings, IUser, UserManagementAuthenticationMethod } from '@/Interface';
+import { routes } from '@/router';
+import { VIEWS } from '@/constants';
+
+const DEFAULT_SETTINGS: IN8nUISettings = {
+	allowedModules: {},
+	communityNodesEnabled: false,
+	defaultLocale: '',
+	endpointWebhook: '',
+	endpointWebhookTest: '',
+	enterprise: {
+		advancedExecutionFilters: false,
+		sharing: false,
+		ldap: false,
+		saml: false,
+		logStreaming: false,
+	},
+	executionMode: '',
+	executionTimeout: 0,
+	hideUsagePage: false,
+	hiringBannerEnabled: false,
+	instanceId: '',
+	isNpmAvailable: false,
+	license: { environment: 'production' },
+	logLevel: 'info',
+	maxExecutionTimeout: 0,
+	oauthCallbackUrls: { oauth1: '', oauth2: '' },
+	onboardingCallPromptEnabled: false,
+	personalizationSurveyEnabled: false,
+	posthog: {
+		apiHost: '',
+		apiKey: '',
+		autocapture: false,
+		debug: false,
+		disableSessionRecording: false,
+		enabled: false,
+	},
+	publicApi: { enabled: false, latestVersion: 0, path: '', swaggerUi: { enabled: false } },
+	pushBackend: 'sse',
+	saveDataErrorExecution: '',
+	saveDataSuccessExecution: '',
+	saveManualExecutions: false,
+	sso: {
+		ldap: { loginEnabled: false, loginLabel: '' },
+		saml: { loginEnabled: false, loginLabel: '' },
+	},
+	telemetry: { enabled: false },
+	templates: { enabled: false, host: '' },
+	timezone: '',
+	urlBaseEditor: '',
+	urlBaseWebhook: '',
+	userManagement: {
+		enabled: false,
+		smtpSetup: false,
+		authenticationMethod: UserManagementAuthenticationMethod.Email,
+	},
+	versionCli: '',
+	versionNotifications: {
+		enabled: false,
+		endpoint: '',
+		infoUrl: '',
+	},
+	workflowCallerPolicyDefaultOption: 'any',
+	workflowTagsDisabled: false,
+	deployment: {
+		type: 'default',
+	},
+};
+
+const DEFAULT_USER: IUser = {
+	id: '1',
+	isPending: false,
+	isDefaultUser: true,
+	isOwner: false,
+	isPendingUser: false,
+	globalRole: {
+		name: 'default',
+		id: '1',
+		createdAt: new Date(),
+	},
+};
+
+describe('userUtils', () => {
+	let settingsStore: ReturnType<typeof useSettingsStore>;
+	let ssoStore: ReturnType<typeof useSSOStore>;
+
+	describe('isAuthorized', () => {
+		beforeAll(() => {
+			setActivePinia(createPinia());
+			settingsStore = useSettingsStore();
+			ssoStore = useSSOStore();
+		});
+
+		it('should check SSO settings route permissions', () => {
+			const ssoSettingsPermissions = routes
+				.find((route) => route.path.startsWith('/settings'))
+				?.children?.find((route) => route.name === VIEWS.SSO_SETTINGS)?.meta?.permissions;
+
+			const user: IUser = {
+				...DEFAULT_USER,
+				isDefaultUser: false,
+				isOwner: true,
+				globalRole: {
+					...DEFAULT_USER.globalRole,
+					id: '1',
+					name: 'owner',
+					createdAt: new Date(),
+				},
+			};
+
+			settingsStore.setSettings({
+				...DEFAULT_SETTINGS,
+				enterprise: { ...DEFAULT_SETTINGS.enterprise, saml: true },
+			});
+
+			expect(isAuthorized(ssoSettingsPermissions, user)).toBe(true);
+		});
+	});
+});
diff --git a/packages/editor-ui/vite.config.ts b/packages/editor-ui/vite.config.ts
index 763ac18008f25..012e7f77343ce 100644
--- a/packages/editor-ui/vite.config.ts
+++ b/packages/editor-ui/vite.config.ts
@@ -90,6 +90,12 @@ export default mergeConfig(
 						'design-system/src/components/N8nButton/overrides/ElButton.ts',
 					),
 				},
+				// https://github.com/vitest-dev/vitest/discussions/1806
+				{
+					find: /^monaco-editor$/,
+					replacement:
+						__dirname + "/node_modules/monaco-editor/esm/vs/editor/editor.api",
+				},
 			],
 		},
 		base: publicPath,

From 3a14a10bc8d8cd221dd70ae5ca32f7f79ddf0672 Mon Sep 17 00:00:00 2001
From: Csaba Tuncsik <csaba@n8n.io>
Date: Mon, 3 Apr 2023 19:08:27 +0200
Subject: [PATCH 22/25] fix(editor): update vite config for test

---
 packages/editor-ui/vite.config.ts | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/packages/editor-ui/vite.config.ts b/packages/editor-ui/vite.config.ts
index 012e7f77343ce..92054f873c6db 100644
--- a/packages/editor-ui/vite.config.ts
+++ b/packages/editor-ui/vite.config.ts
@@ -90,12 +90,6 @@ export default mergeConfig(
 						'design-system/src/components/N8nButton/overrides/ElButton.ts',
 					),
 				},
-				// https://github.com/vitest-dev/vitest/discussions/1806
-				{
-					find: /^monaco-editor$/,
-					replacement:
-						__dirname + "/node_modules/monaco-editor/esm/vs/editor/editor.api",
-				},
 			],
 		},
 		base: publicPath,
@@ -138,5 +132,15 @@ export default mergeConfig(
 				},
 			},
 		},
+		resolve: {
+			alias: [
+				// https://github.com/vitest-dev/vitest/discussions/1806
+				{
+					find: /^monaco-editor$/,
+					replacement:
+						__dirname + "/node_modules/monaco-editor/esm/vs/editor/editor.api",
+				},
+			],
+		},
 	}),
 );

From 3dfd14f2efaaa4e07cb16c20101e3d2a79d7b160 Mon Sep 17 00:00:00 2001
From: Csaba Tuncsik <csaba@n8n.io>
Date: Tue, 4 Apr 2023 11:07:32 +0200
Subject: [PATCH 23/25] fix(editor): add paddings to SSO settings page buttons,
 add translation

---
 packages/editor-ui/src/plugins/i18n/locales/en.json | 1 +
 packages/editor-ui/src/views/SettingsSso.vue        | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/packages/editor-ui/src/plugins/i18n/locales/en.json b/packages/editor-ui/src/plugins/i18n/locales/en.json
index c2cbfd183a6e2..c686503ff3b00 100644
--- a/packages/editor-ui/src/plugins/i18n/locales/en.json
+++ b/packages/editor-ui/src/plugins/i18n/locales/en.json
@@ -1723,6 +1723,7 @@
 	"settings.sso.subtitle": "SAML 2.0",
 	"settings.sso.info": "SAML SSO (Security Assertion Markup Language Single Sign-On) is a type of authentication process that enables users to access multiple applications with a single set of login credentials. {link}",
 	"settings.sso.info.link": "More info.",
+	"settings.sso.activation.tooltip": "You need to save the settings first before activating SAML",
 	"settings.sso.activated": "Activated",
 	"settings.sso.deactivated": "Deactivated",
 	"settings.sso.settings.redirectUrl.label": "Redirect URL",
diff --git a/packages/editor-ui/src/views/SettingsSso.vue b/packages/editor-ui/src/views/SettingsSso.vue
index 3f7f250c6c660..280e38cae925f 100644
--- a/packages/editor-ui/src/views/SettingsSso.vue
+++ b/packages/editor-ui/src/views/SettingsSso.vue
@@ -147,7 +147,7 @@ onBeforeMount(async () => {
 .buttons {
 	display: flex;
 	justify-content: flex-start;
-	padding: var(--spacing-2xl) 0 0;
+	padding: var(--spacing-2xl) 0 var(--spacing-3xl);
 
 	button {
 		margin: 0 var(--spacing-s) 0 0;

From f6bbb94253ff88d745c33f09cb4d721d4a6150c0 Mon Sep 17 00:00:00 2001
From: Csaba Tuncsik <csaba@n8n.io>
Date: Tue, 4 Apr 2023 11:38:51 +0200
Subject: [PATCH 24/25] fix(editor): fix saml unit test

---
 packages/cli/test/integration/saml/saml.api.test.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/cli/test/integration/saml/saml.api.test.ts b/packages/cli/test/integration/saml/saml.api.test.ts
index d02bd95c68ac8..40f19995c1305 100644
--- a/packages/cli/test/integration/saml/saml.api.test.ts
+++ b/packages/cli/test/integration/saml/saml.api.test.ts
@@ -127,7 +127,7 @@ describe('Instance owner', () => {
 				.send({
 					loginEnabled: true,
 				})
-				.expect(200);
+				.expect(500);
 
 			expect(getCurrentAuthenticationMethod()).toBe('ldap');
 		});

From e1a730a08fe83f140b0a2a25b79c1b9f414ebb44 Mon Sep 17 00:00:00 2001
From: Michael Auerswald <michael.auerswald@gmail.com>
Date: Tue, 4 Apr 2023 13:28:00 +0200
Subject: [PATCH 25/25] fix(core): Improve saml test connection function
 (#5899)

improve-saml-test-connection return
---
 packages/cli/src/sso/saml/constants.ts        |  6 ++--
 .../src/sso/saml/routes/saml.controller.ee.ts | 16 ++++++++---
 packages/cli/src/sso/saml/saml.service.ee.ts  | 28 +++++++++++--------
 .../cli/src/sso/saml/serviceProvider.ee.ts    |  5 ++++
 .../cli/src/sso/saml/types/samlPreferences.ts |  4 +++
 5 files changed, 40 insertions(+), 19 deletions(-)

diff --git a/packages/cli/src/sso/saml/constants.ts b/packages/cli/src/sso/saml/constants.ts
index 3729f3ce51660..4b1bca0fce510 100644
--- a/packages/cli/src/sso/saml/constants.ts
+++ b/packages/cli/src/sso/saml/constants.ts
@@ -3,8 +3,6 @@ export class SamlUrls {
 
 	static readonly initSSO = '/initsso';
 
-	static readonly restInitSSO = this.samlRESTRoot + this.initSSO;
-
 	static readonly acs = '/acs';
 
 	static readonly restAcs = this.samlRESTRoot + this.acs;
@@ -17,9 +15,9 @@ export class SamlUrls {
 
 	static readonly configTest = '/config/test';
 
-	static readonly configToggleEnabled = '/config/toggle';
+	static readonly configTestReturn = '/config/test/return';
 
-	static readonly restConfig = this.samlRESTRoot + this.config;
+	static readonly configToggleEnabled = '/config/toggle';
 
 	static readonly defaultRedirect = '/';
 
diff --git a/packages/cli/src/sso/saml/routes/saml.controller.ee.ts b/packages/cli/src/sso/saml/routes/saml.controller.ee.ts
index a5ba82699bd0b..731d67f3753df 100644
--- a/packages/cli/src/sso/saml/routes/saml.controller.ee.ts
+++ b/packages/cli/src/sso/saml/routes/saml.controller.ee.ts
@@ -16,7 +16,11 @@ import type { PostBindingContext } from 'samlify/types/src/entity';
 import { isSamlLicensedAndEnabled } from '../samlHelpers';
 import type { SamlLoginBinding } from '../types';
 import { AuthenticatedRequest } from '@/requests';
-import { getServiceProviderEntityId, getServiceProviderReturnUrl } from '../serviceProvider.ee';
+import {
+	getServiceProviderConfigTestReturnUrl,
+	getServiceProviderEntityId,
+	getServiceProviderReturnUrl,
+} from '../serviceProvider.ee';
 
 @RestController('/sso/saml')
 export class SamlController {
@@ -100,6 +104,10 @@ export class SamlController {
 	private async acsHandler(req: express.Request, res: express.Response, binding: SamlLoginBinding) {
 		const loginResult = await this.samlService.handleSamlLogin(req, binding);
 		if (loginResult) {
+			// eslint-disable-next-line @typescript-eslint/no-unsafe-member-access
+			if (req.body.RelayState && req.body.RelayState === getServiceProviderConfigTestReturnUrl()) {
+				return res.status(202).send(loginResult.attributes);
+			}
 			if (loginResult.authenticatedUser) {
 				// Only sign in user if SAML is enabled, otherwise treat as test connection
 				if (isSamlLicensedAndEnabled()) {
@@ -134,11 +142,11 @@ export class SamlController {
 	 */
 	@Get(SamlUrls.configTest, { middlewares: [samlLicensedOwnerMiddleware] })
 	async configTestGet(req: AuthenticatedRequest, res: express.Response) {
-		return this.handleInitSSO(res);
+		return this.handleInitSSO(res, getServiceProviderConfigTestReturnUrl());
 	}
 
-	private async handleInitSSO(res: express.Response) {
-		const result = this.samlService.getLoginRequestUrl();
+	private async handleInitSSO(res: express.Response, relayState?: string) {
+		const result = this.samlService.getLoginRequestUrl(relayState);
 		if (result?.binding === 'redirect') {
 			return result.context.context;
 		} else if (result?.binding === 'post') {
diff --git a/packages/cli/src/sso/saml/saml.service.ee.ts b/packages/cli/src/sso/saml/saml.service.ee.ts
index 1bf8e36b9ffc2..436aae8e03404 100644
--- a/packages/cli/src/sso/saml/saml.service.ee.ts
+++ b/packages/cli/src/sso/saml/saml.service.ee.ts
@@ -20,12 +20,13 @@ import {
 	setSamlLoginLabel,
 	updateUserFromSamlAttributes,
 } from './samlHelpers';
-import type { Settings } from '../../databases/entities/Settings';
+import type { Settings } from '@/databases/entities/Settings';
 import axios from 'axios';
 import https from 'https';
 import type { SamlLoginBinding } from './types';
 import type { BindingContext, PostBindingContext } from 'samlify/types/src/entity';
 import { validateMetadata, validateResponse } from './samlValidator';
+import { getInstanceBaseUrl } from '@/UserManagement/UserManagementHelper';
 
 @Service()
 export class SamlService {
@@ -48,6 +49,7 @@ export class SamlService {
 		loginLabel: 'SAML',
 		wantAssertionsSigned: true,
 		wantMessageSigned: true,
+		relayState: getInstanceBaseUrl(),
 		signatureConfig: {
 			prefix: 'ds',
 			location: {
@@ -92,7 +94,10 @@ export class SamlService {
 		return getServiceProviderInstance(this._samlPreferences);
 	}
 
-	getLoginRequestUrl(binding?: SamlLoginBinding): {
+	getLoginRequestUrl(
+		relayState?: string,
+		binding?: SamlLoginBinding,
+	): {
 		binding: SamlLoginBinding;
 		context: BindingContext | PostBindingContext;
 	} {
@@ -100,28 +105,29 @@ export class SamlService {
 		if (binding === 'post') {
 			return {
 				binding,
-				context: this.getPostLoginRequestUrl(),
+				context: this.getPostLoginRequestUrl(relayState),
 			};
 		} else {
 			return {
 				binding,
-				context: this.getRedirectLoginRequestUrl(),
+				context: this.getRedirectLoginRequestUrl(relayState),
 			};
 		}
 	}
 
-	private getRedirectLoginRequestUrl(): BindingContext {
-		const loginRequest = this.getServiceProviderInstance().createLoginRequest(
-			this.getIdentityProviderInstance(),
-			'redirect',
-		);
+	private getRedirectLoginRequestUrl(relayState?: string): BindingContext {
+		const sp = this.getServiceProviderInstance();
+		sp.entitySetting.relayState = relayState ?? getInstanceBaseUrl();
+		const loginRequest = sp.createLoginRequest(this.getIdentityProviderInstance(), 'redirect');
 		//TODO:SAML: debug logging
 		LoggerProxy.debug(loginRequest.context);
 		return loginRequest;
 	}
 
-	private getPostLoginRequestUrl(): PostBindingContext {
-		const loginRequest = this.getServiceProviderInstance().createLoginRequest(
+	private getPostLoginRequestUrl(relayState?: string): PostBindingContext {
+		const sp = this.getServiceProviderInstance();
+		sp.entitySetting.relayState = relayState ?? getInstanceBaseUrl();
+		const loginRequest = sp.createLoginRequest(
 			this.getIdentityProviderInstance(),
 			'post',
 		) as PostBindingContext;
diff --git a/packages/cli/src/sso/saml/serviceProvider.ee.ts b/packages/cli/src/sso/saml/serviceProvider.ee.ts
index 5d992830120a0..f6d707eaf86be 100644
--- a/packages/cli/src/sso/saml/serviceProvider.ee.ts
+++ b/packages/cli/src/sso/saml/serviceProvider.ee.ts
@@ -15,6 +15,10 @@ export function getServiceProviderReturnUrl(): string {
 	return getInstanceBaseUrl() + SamlUrls.restAcs;
 }
 
+export function getServiceProviderConfigTestReturnUrl(): string {
+	return getInstanceBaseUrl() + SamlUrls.configTestReturn;
+}
+
 // TODO:SAML: make these configurable for the end user
 export function getServiceProviderInstance(prefs: SamlPreferences): ServiceProviderInstance {
 	if (serviceProviderInstance === undefined) {
@@ -24,6 +28,7 @@ export function getServiceProviderInstance(prefs: SamlPreferences): ServiceProvi
 			wantAssertionsSigned: prefs.wantAssertionsSigned,
 			wantMessageSigned: prefs.wantMessageSigned,
 			signatureConfig: prefs.signatureConfig,
+			relayState: prefs.relayState,
 			nameIDFormat: ['urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'],
 			assertionConsumerService: [
 				{
diff --git a/packages/cli/src/sso/saml/types/samlPreferences.ts b/packages/cli/src/sso/saml/types/samlPreferences.ts
index c5c72bcd0f85e..da02f1ebc4cef 100644
--- a/packages/cli/src/sso/saml/types/samlPreferences.ts
+++ b/packages/cli/src/sso/saml/types/samlPreferences.ts
@@ -57,4 +57,8 @@ export class SamlPreferences {
 			action: 'after',
 		},
 	};
+
+	@IsString()
+	@IsOptional()
+	relayState?: string = '';
 }