Release 2026.2
Highlights
- Object Lifecycle Management: Enterprise Preview Admins can now automatically schedule periodic reviews of authentik objects (applications, groups, roles) for compliance and auditing purposes.
- WS-Federation: Enterprise authentik now supports WS-Federation, a single sign-on and identity federation protocol common in some Microsoft environments.
- SCIM provider: Major improvements to the SCIM provider have been made by community contributions from @ImmanuelVonNeumann and @bitpavel-l25 in the form of sync improvements and group imports. Thank you!
Release frequency change
In recent years, a new authentik release was cut roughly every two months. We will be extending this to target a three-month release cycle, with the next release being 2026.5 in May. We will keep to our current practice of supporting the two most recently released versions with security coverage, which will therefore result in a longer coverage period as well.
Breaking changes
SCIM group syncing behavior
Users will now be filtered based on the policies bound to the application the SCIM provider is used with. There is now an option to select groups in the SCIM provider, which, if selected, will only sync those groups, and if no groups are selected, all groups will be synced. If you have a SCIM provider with a group filter setup, it will be deactivated and a configuration warning will be created, for you to review the configuration.
Policies / Property mappings
User.ak_groups has been deprecated. Users' groups are now accessed through User.groups. Usage of .ak_groups will continue to function, but will create a configuration warning event, at most every 30 days. We recommend you check any custom code (e.g. expression policies, property mappings) that deals with group memberships to update them if necessary.
New features and improvements
Object lifecycle management Enterprise Preview
Object Lifecycle Management (TODO: Link docs) allows Admins to schedule and track periodic reviews for Applications, Groups, and Roles. Reviewing access privileges to specific applications is an important best practice, as is reviewing other settings such as your branding settings, group and role membership, application entitlements, and current policy bindings.
WS-Federation Enterprise
We now have a provider to integrate authentik with applications and service providers that use the WS-Fed protocol. (WS-Fed) is an XML-based identity federation protocol that uses token exchange for federated Single Sign-On (SSO) and IdP authentication, specifically for Windows applications such as Sharepoint. Note that we only support the SAML2 token type within WS-Federation providers, and that using the WS-Fed provider with Entra ID is not supported because Entra ID requires a SAML 1.0 token.
TODO: Link docs @tanberrry
Endpoints and authentik agent Enterprise
Endpoints now has a FleetDM connector integration. You can now pull in device facts and signals data from Fleet into authentik to implement Conditional Access rules.
TODO: Link docs currently being written by @dewi-tik
Local Device Login now works on Linux too and also supports webauthn/FIDO2.
Certificate builder
authentik's certificate builder now supports ED25519 and ED448 certificate generation.
Documentation page: First steps
We now have a tutorial for your First steps after installing authentik! This document walks you through adding a new application and provider, then adding your first user, with Tips to explain more complex concepts. Best practices and troubleshooting tips are also included.
πthon
authentik now uses Python 3.14 under the hood. This means absolutely nothing as we use none of its features, but it has a cool name.
New integration guides
An integration is how authentik connects to third-party applications, directories, and other identity providers. The following integration guides were recently added. A big thanks to our contributors!
- Arcane
- Datadog (Thanks to @dominic-r!)
- Elastic Cloud (Thanks to @dominic-r!)
Upgrading
This release does not introduce any new requirements. You can follow the upgrade instructions below; for more detailed information about upgrading authentik, refer to our Upgrade documentation.
When you upgrade, be aware that the version of the authentik instance and of any outposts must be the same. We recommended that you always upgrade any outposts at the same time you upgrade your authentik instance.
Docker Compose
To upgrade, download the new docker-compose file and update the Docker stack with the new version, using these commands:
wget -O docker-compose.yml https://goauthentik.io/version/2026.2/docker-compose.yml
docker compose up -d
The -O flag retains the downloaded file's name, overwriting any existing local file with the same name.
Kubernetes
Upgrade the Helm Chart to the new version, using the following commands:
helm repo update
helm upgrade authentik authentik/authentik -f values.yaml --version ^2026.2