How do I set up n8n Business (self-hosted) for my team—license key, SSO (SAML/LDAP), and RBAC?
Workflow Automation Platforms

How do I set up n8n Business (self-hosted) for my team—license key, SSO (SAML/LDAP), and RBAC?

7 min read

Quick Answer: To set up n8n Business self-hosted for your team, you apply your Business license key to your existing instance, then configure SSO (SAML or LDAP) for centralized login and use RBAC to control which users can build, run, and manage workflows and credentials.

Frequently Asked Questions

How do I upgrade my self-hosted n8n instance to the Business plan and apply the license key?

Short Answer: After you purchase n8n Business, you’ll receive a license key by email; apply it to your existing self-hosted Community instance, and it will unlock Business features like SSO, RBAC, and enterprise controls.

Expanded Explanation:
Once your Business subscription is active and payment is complete, n8n emails you a license key. You don’t need to reinstall or rebuild your instance—Business is an upgrade on top of your existing self-hosted n8n. You add the license key via environment variable or the UI (depending on how you deployed n8n), then the instance pings the n8n license server daily to validate the key and track your production executions.

Keep in mind that n8n doesn’t automatically cancel any other active n8n subscriptions you may have (Starter, Pro, Startup, Enterprise, or other Business plans). If you’re migrating from a different paid plan, you must cancel that separately or contact sales if you’re mid-cycle on an annual contract.

Key Takeaways:

  • Your Business license key is emailed after purchase and unlocks enterprise features on your existing self-hosted instance.
  • The license needs a daily ping to the n8n license server and does not cancel other active subscriptions automatically.

What’s the process to set up SSO (SAML/LDAP) for my team on n8n Business?

Short Answer: Configure SSO by enabling SAML or LDAP in your n8n Business instance, then connect it to your identity provider (IdP) so users can log in with existing corporate credentials.

Expanded Explanation:
On n8n Business, SSO is part of the enterprise control surface: you centralize authentication in your IdP and let n8n delegate login and group membership. For SAML, you’ll typically integrate with providers like Okta, Azure AD, or Google Workspace. For LDAP, you connect n8n to your directory server (e.g., Active Directory or OpenLDAP), define the bind settings, and map groups or attributes to roles.

From an operational standpoint, you want to test SSO in a staging or non-production environment first. Once SSO is enabled and verified, you can enforce SSO-only access so local passwords aren’t used at all. That gives you one place to revoke access when someone leaves the company and a single audit trail for login events.

Steps:

  1. Enable SSO in n8n Business: Access the admin or owner settings on your self-hosted instance and turn on SAML or LDAP integration.
  2. Configure your IdP/Directory: Add n8n as a SAML application or LDAP client, set redirect/ACS URLs, and configure certificates, attributes, and group claims.
  3. Test and enforce: Log in with a test user, verify role mappings, then roll out to your wider team and optionally require SSO for all users.

What’s the difference between SAML SSO, LDAP SSO, and local accounts in n8n Business?

Short Answer: SAML and LDAP both centralize authentication via your identity systems, while local accounts live only in n8n; SAML is best for modern IdPs, LDAP fits legacy directory-backed environments, and local accounts are mainly for small teams or break-glass access.

Expanded Explanation:
Local accounts are simple—users sign up with email and password directly in n8n—but they don’t scale well for compliance-heavy teams. You end up manually creating and removing accounts, which is how orphaned access slips through.

SAML SSO connects n8n to cloud or modern IdPs like Okta or Azure AD. You manage everything—password policies, MFA, device rules—in the IdP and n8n trusts that authentication. SAML is usually easier to govern at scale, especially when you already manage app assignments and groups in your IdP.

LDAP SSO is more common when your source of truth is an on-prem directory like Active Directory. n8n authenticates users against LDAP using bind credentials and group filters. It’s a good fit if your security model is tightly coupled to AD groups or if you operate in a constrained network where SAML is less practical.

Comparison Snapshot:

  • Option A: SAML SSO: Works with modern IdPs (Okta, Azure AD, Google). Strong MFA and conditional access support. Clean for cloud-first teams.
  • Option B: LDAP SSO: Integrates directly with directory servers (AD/OpenLDAP). Useful where AD groups drive access or where SAML isn’t standard.
  • Best for: Use SAML when you already run a cloud IdP; use LDAP when your identity source of truth is on-prem AD and SAML isn’t your primary integration pattern.

How do I set up RBAC in n8n Business so the right people can access the right workflows and credentials?

Short Answer: Use n8n Business RBAC to define roles, assign them to users or groups, and restrict access to workflows, credentials, and admin features so builders, operators, and auditors each get the minimum access they need.

Expanded Explanation:
RBAC is where you turn SSO into actual guardrails. In n8n Business, you create or use predefined roles (for example, Admin, Editor, Viewer) and map them to your users. You can also tie roles to SSO groups so your IdP becomes the single place where you manage who can build or operate workflows.

Operationally, you should separate responsibilities: a small admin group with full access (SSO, environment, license, log streaming), a builder group that can create workflows and use shared credentials, and a read-only group for audits and incident review. This limits blast radius, especially when workflows handle production systems, AI decisions, or sensitive data. For credentials, use encrypted secret storage and role-based sharing so not every user can see or edit API keys.

What You Need:

  • Defined roles and access model: Decide which responsibilities (admin, builder, operator, auditor) you need and how they map to groups in your IdP.
  • Shared, secure secrets: Use n8n’s encrypted credential store and RBAC to share credentials without exposing raw keys to every user.

How should I think about usage, scaling, and governance when running n8n Business self-hosted?

Short Answer: Plan around n8n’s execution-based billing, daily license checks, and enterprise controls (SSO, RBAC, audit/log streaming) so you can scale workflows while keeping costs predictable and access auditable.

Expanded Explanation:
On Business and Enterprise plans, n8n charges per full workflow execution, not per step, operation, or task. A workflow with 3 nodes costs the same as one with 30 nodes, as long as it’s a single run from trigger to completion. This matters for complex, branching automations—your cost model stays predictable even as workflows grow.

Your self-hosted instance sends a daily ping to the n8n license server with data such as production executions, which is how usage is monitored. For annual Business plans, the n8n team reaches out as you approach ~80% of your execution quota so you can adjust capacity before you hit limits.

From a governance standpoint, use the full stack: SSO (SAML/LDAP) for centralized authentication, RBAC for least-privilege access, audit logs and log streaming to your SIEM for monitoring, and Git-backed version control plus environments for safe rollout. That combination is what keeps automation from becoming an invisible “shadow system” that you can’t debug or audit when something breaks.

Why It Matters:

  • Cost control with complexity: Execution-based pricing lets you implement rich branching, retries, and AI steps without being penalized per node.
  • Operational trust: Enterprise controls—SSO, RBAC, audit logs, log streaming—turn n8n into an observable, governable part of your stack rather than a black-box integration tool.

Quick Recap

To set up n8n Business self-hosted for your team, start by applying your Business license key to your existing instance so it can validate with the license server and unlock enterprise features. Then configure SSO via SAML or LDAP to centralize authentication, and layer RBAC on top so only the right people can modify workflows and credentials. With execution-based pricing, daily usage monitoring, and governance features like audit logs and log streaming, you can run complex automations at scale without losing visibility or control.

Next Step

Get Started

Back to Workflow Automation Platforms

Keep Reading

More from Workflow Automation Platforms

Automation platforms with strong execution logs and easy troubleshooting (not “set and forget”)

Read more

How do I talk to n8n about Enterprise or n8n Embed pricing for embedding automation in our SaaS?

Read more

How do I enable Git version control in n8n and promote workflows across dev/staging/prod environments?

Read more