diff --git a/website/docs/releases/2026/v2026.2.md b/website/docs/releases/2026/v2026.2.md index 95fdbe76edf5..44bf2d359d3c 100644 --- a/website/docs/releases/2026/v2026.2.md +++ b/website/docs/releases/2026/v2026.2.md @@ -1,25 +1,73 @@ --- title: Release 2026.2 slug: "/releases/2026.2" -draft: true +beta: true --- -:::info -2026.2 has not been released yet! We're publishing these release notes as a preview of what's to come, and for our awesome beta testers trying out release candidates. +## Highlights -To try out the release candidate, replace your Docker image tag with the latest release candidate number, such as 2026.2.0-rc1. You can find the latest one in [the latest releases on GitHub](https://github.com/goauthentik/authentik/releases). If you don't find any, it means we haven't released one yet. -::: +- **Object Lifecycle Management**: :ak-enterprise :ak-preview Admins can now automatically schedule periodic reviews of authentik objects (applications, groups, roles) for compliance and auditing purposes. +- **WS-Federation**: :ak-enterprise authentik now supports WS-Federation, a single sign-on and identity federation protocol common in some Microsoft environments. +- **SCIM provider**: Major improvements to the SCIM provider have been made by community contributions from @ImmanuelVonNeumann and @bitpavel-l25 in the form of [sync improvements](https://github.com/goauthentik/authentik/pull/13947) and [group imports](https://github.com/goauthentik/authentik/pull/19846). Thank you! -## Highlights +### Release frequency change + +In recent years, a new authentik release was cut roughly every two months. We will be extending this to target a three-month release cycle, with the next release being 2026.5 in May. We will keep to our current practice of supporting the two most recently released versions with security coverage, which will therefore result in a longer coverage period as well. ## Breaking changes -### RBAC +### SCIM group syncing behavior -`User.ak_groups` has been deprecated. Users' groups are now accessed through `User.groups`. Usage of `.ak_groups` will continue to function, but will create a configuration warning event. We recommend you check any custom code (e.g. expression policies, property mappings) that deals with group memberships to update them if necessary. +Users will now be filtered based on the policies bound to the application the SCIM provider is used with. There is now an option to select groups in the SCIM provider, which, if selected, will only sync those groups, and if no groups are selected, all groups will be synced. If you have a SCIM provider with a group filter setup, it will be deactivated and a configuration warning will be created, for you to review the configuration. + +### Policies / Property mappings + +`User.ak_groups` has been deprecated. Users' groups are now accessed through `User.groups`. Usage of `.ak_groups` will continue to function, but will create a configuration warning event, at most every 30 days. We recommend you check any custom code (e.g. expression policies, property mappings) that deals with group memberships to update them if necessary. ## New features and improvements +### Object lifecycle management :ak-enterprise :ak-preview + +Object Lifecycle Management (TODO: Link docs) allows Admins to schedule and track periodic reviews for Applications, Groups, and Roles. Reviewing access privileges to specific applications is an important best practice, as is reviewing other settings such as your branding settings, group and role membership, application entitlements, and current policy bindings. + +### WS-Federation :ak-enterprise + +TODO: @tanberry + +WS-Federation added for compatibility with legacy software, we only support the SAML2 token type within WS-Federation providers. + +> And mention that it doesn't work with Entra, because Entra needs a SAML 1.0 token + +TODO: Link docs + +### Endpoints and authentik agent :ak-enterprise + +Endpoints now has a FleetDM connector integration. You can now pull in device facts and signals data from Fleet into authentik to implement Conditional Access rules. + +TODO: Link docs currently being written by @dewi-tik + +Local Device Login now works on Linux too and also supports webauthn/FIDO2. + +### Certificate builder + +authentik's certificate builder now supports ED25519 and ED448 certificate generation. + +### Documentation page: First steps + +We now have a tutorial for your [First steps](../../install-config/first-steps/index.mdx) after installing authentik! This document walks you through adding a new application and provider, then adding your first user, with Tips to explain more complex concepts. Best practices and troubleshooting tips are also included. + +### πthon + +authentik now uses [Python 3.14](https://docs.python.org/3/whatsnew/3.14.html) under the hood. This means absolutely nothing as we use none of its features, but it has a cool name. + +## New integration guides + +An integration is how authentik connects to third-party applications, directories, and other identity providers. The following integration guides were recently added. A big thanks to our contributors! + +- [Arcane](https://integrations.goauthentik.io/integrations/hypervisors-orchestrators/arcane/) +- [Datadog](https://integrations.goauthentik.io/integrations/monitoring/datadog/) (Thanks to [@dominic-r](https://github.com/dominic-r)!) +- [Elastic Cloud](https://integrations.goauthentik.io/integrations/platforms/elastic-cloud/) (Thanks to [@dominic-r](https://github.com/dominic-r)!) + ## Upgrading This release does not introduce any new requirements. You can follow the upgrade instructions below; for more detailed information about upgrading authentik, refer to our [Upgrade documentation](../../install-config/upgrade.mdx).