WIP

Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

authentik/core/migrations/0051_group_authentik_c_is_supe_1e5a97_idx.py

@@ -0,0 +1,18 @@
+# Generated by Django 5.1.12 on 2025-09-25 13:39
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0050_user_last_updated_and_more"),
+        ("authentik_rbac", "0006_alter_role_options"),
+    ]
+
+    operations = [
+        migrations.AddIndex(
+            model_name="group",
+            index=models.Index(fields=["is_superuser"], name="authentik_c_is_supe_1e5a97_idx"),
+        ),
+    ]

authentik/core/models.py

@@ -206,7 +206,10 @@ class Group(SerializerModel, AttributesMixin):
                 "parent",
             ),
         )
-        indexes = [models.Index(fields=["name"])]
+        indexes = (
+            models.Index(fields=["name"]),
+            models.Index(fields=["is_superuser"]),
+        )
         verbose_name = _("Group")
         verbose_name_plural = _("Groups")
         permissions = [

authentik/flows/stage.py

@@ -286,6 +286,12 @@ class SessionEndStage(ChallengeStageView):
     that the user is likely to take after signing out of a provider."""
 
     def get_challenge(self, *args, **kwargs) -> Challenge:
+        if not self.request.user.is_authenticated:
+            return RedirectChallenge(
+                data={
+                    "to": reverse("authentik_core:root-redirect"),
+                },
+            )
         application: Application | None = self.executor.plan.context.get(PLAN_CONTEXT_APPLICATION)
         data = {
             "component": "ak-stage-session-end",

authentik/lib/debug.py

@@ -19,7 +19,7 @@ def start_debug_server(**kwargs) -> bool:
         )
         return False
 
-    listen: str = CONFIG.get("listen.listen_debug_py", "127.0.0.1:9901")
+    listen: str = CONFIG.get("listen.debug_py", "127.0.0.1:9901")
     host, _, port = listen.rpartition(":")
     try:
         debugpy.listen((host, int(port)), **kwargs)  # nosec

authentik/lib/default.yml

@@ -31,14 +31,14 @@ postgresql:
   #   host: replica1.example.com
 
 listen:
-  listen_http: 0.0.0.0:9000
-  listen_https: 0.0.0.0:9443
-  listen_ldap: 0.0.0.0:3389
-  listen_ldaps: 0.0.0.0:6636
-  listen_radius: 0.0.0.0:1812
-  listen_metrics: 0.0.0.0:9300
-  listen_debug: 0.0.0.0:9900
-  listen_debug_py: 0.0.0.0:9901
+  http: 0.0.0.0:9000
+  https: 0.0.0.0:9443
+  ldap: 0.0.0.0:3389
+  ldaps: 0.0.0.0:6636
+  radius: 0.0.0.0:1812
+  metrics: 0.0.0.0:9300
+  debug: 0.0.0.0:9900
+  debug_py: 0.0.0.0:9901
   trusted_proxy_cidrs:
     - 127.0.0.0/8
     - 10.0.0.0/8

authentik/lib/utils/errors.py

@@ -4,9 +4,11 @@ from traceback import extract_tb
 
 from structlog.tracebacks import ExceptionDictTransformer
 
+from authentik.lib.config import CONFIG
 from authentik.lib.utils.reflection import class_to_path
 
 TRACEBACK_HEADER = "Traceback (most recent call last):"
+_exception_transformer = ExceptionDictTransformer(show_locals=CONFIG.get_bool("debug"))
 
 
 def exception_to_string(exc: Exception) -> str:
@@ -23,4 +25,4 @@ def exception_to_string(exc: Exception) -> str:
 
 def exception_to_dict(exc: Exception) -> dict:
     """Format exception as a dictionary"""
-    return ExceptionDictTransformer()((type(exc), exc, exc.__traceback__))
+    return _exception_transformer((type(exc), exc, exc.__traceback__))

authentik/outposts/models.py

@@ -357,7 +357,7 @@ class Outpost(ScheduledModel, SerializerModel, ManagedModel):
                             message=(
                                 "While setting the permissions for the service-account, a "
                                 "permission was not found: Check "
-                                "https://goauthentik.io/docs/troubleshooting/missing_permission"
+                                "https://docs.goauthentik.io/troubleshooting/missing_permission"
                             ),
                         ).with_exception(exc).set_user(user).save()
                 else:

authentik/providers/scim/clients/base.py

@@ -88,10 +88,11 @@ class SCIMClient[TModel: "Model", TConnection: "Model", TSchema: "BaseModel"](
     def get_service_provider_config(self):
         """Get Service provider config"""
         default_config = ServiceProviderConfiguration.default()
+        path = "/ServiceProviderConfig"
+        if self.provider.compatibility_mode == SCIMCompatibilityMode.SALESFORCE:
+            path = "/ServiceProviderConfigs"
         try:
-            config = ServiceProviderConfiguration.model_validate(
-                self._request("GET", "/ServiceProviderConfig")
-            )
+            config = ServiceProviderConfiguration.model_validate(self._request("GET", path))
             if self.provider.compatibility_mode == SCIMCompatibilityMode.AWS:
                 config.patch.supported = False
             if self.provider.compatibility_mode == SCIMCompatibilityMode.SLACK:

authentik/providers/scim/migrations/0015_alter_scimprovider_compatibility_mode.py

@@ -0,0 +1,32 @@
+# Generated by Django 5.1.12 on 2025-09-24 12:10
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        (
+            "authentik_providers_scim",
+            "0014_scimprovider_auth_mode_scimprovider_auth_oauth_and_more",
+        ),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="scimprovider",
+            name="compatibility_mode",
+            field=models.CharField(
+                choices=[
+                    ("default", "Default"),
+                    ("aws", "AWS"),
+                    ("slack", "Slack"),
+                    ("sfdc", "Salesforce"),
+                ],
+                default="default",
+                help_text="Alter authentik behavior for vendor-specific SCIM implementations.",
+                max_length=30,
+                verbose_name="SCIM Compatibility Mode",
+            ),
+        ),
+    ]

authentik/providers/scim/models.py

@@ -78,6 +78,7 @@ class SCIMCompatibilityMode(models.TextChoices):
     DEFAULT = "default", _("Default")
     AWS = "aws", _("AWS")
     SLACK = "slack", _("Slack")
+    SALESFORCE = "sfdc", _("Salesforce")
 
 
 class SCIMProvider(OutgoingSyncProvider, BackchannelProvider):

authentik/sources/oauth/tests/test_views.py

@@ -1,10 +1,17 @@
 """OAuth Source tests"""
 
+from urllib.parse import parse_qs
+
 from django.urls import reverse
 from requests_mock import Mocker
 from rest_framework.test import APITestCase
 
+from authentik.core.models import User
 from authentik.core.tests.utils import create_test_admin_user
+from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
+from authentik.flows.stage import PLAN_CONTEXT_PENDING_USER_IDENTIFIER
+from authentik.flows.views.executor import SESSION_KEY_PLAN
+from authentik.lib.generators import generate_id
 from authentik.sources.oauth.api.source import OAuthSourceSerializer
 from authentik.sources.oauth.models import OAuthSource
 
@@ -124,20 +131,68 @@ class TestOAuthSource(APITestCase):
             )
             self.assertFalse(serializer.is_valid())
 
-    def test_source_redirect(self):
-        """test redirect view"""
-        self.client.get(
+    def test_source_redirect_login_hint_user(self):
+        """test redirect view with login hint"""
+        user = User(email="foo@authentik.company")
+        session = self.client.session
+        plan = FlowPlan(generate_id())
+        plan.context[PLAN_CONTEXT_PENDING_USER] = user
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+
+        res = self.client.get(
             reverse(
                 "authentik_sources_oauth:oauth-client-login",
                 kwargs={"source_slug": self.source.slug},
             )
         )
+        self.assertEqual(res.status_code, 302)
+        qs = parse_qs(res.url)
+        self.assertEqual(qs["login_hint"], ["foo@authentik.company"])
+
+    def test_source_redirect_login_hint_user_identifier(self):
+        """test redirect view with login hint"""
+        session = self.client.session
+        plan = FlowPlan(generate_id())
+        plan.context[PLAN_CONTEXT_PENDING_USER_IDENTIFIER] = "foo@authentik.company"
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+
+        res = self.client.get(
+            reverse(
+                "authentik_sources_oauth:oauth-client-login",
+                kwargs={"source_slug": self.source.slug},
+            )
+        )
+        self.assertEqual(res.status_code, 302)
+        qs = parse_qs(res.url)
+        self.assertEqual(qs["login_hint"], ["foo@authentik.company"])
+
+    def test_source_redirect(self):
+        """test redirect view"""
+        res = self.client.get(
+            reverse(
+                "authentik_sources_oauth:oauth-client-login",
+                kwargs={"source_slug": self.source.slug},
+            )
+        )
+        self.assertEqual(res.status_code, 302)
+        qs = parse_qs(res.url)
+
+        session = self.client.session
+        state = session[f"oauth-client-{self.source.name}-request-state"]
+
+        self.assertEqual(qs["redirect_uri"], ["http://testserver/source/oauth/callback/test/"])
+        self.assertEqual(qs["response_type"], ["code"])
+        self.assertEqual(qs["state"], [state])
+        self.assertEqual(qs["scope"], ["email openid profile"])
 
     def test_source_callback(self):
         """test callback view"""
-        self.client.get(
+        res = self.client.get(
             reverse(
                 "authentik_sources_oauth:oauth-client-callback",
                 kwargs={"source_slug": self.source.slug},
             )
         )
+        self.assertEqual(res.status_code, 302)

authentik/sources/oauth/views/redirect.py

@@ -7,6 +7,9 @@ from django.urls import reverse
 from django.views.generic import RedirectView
 from structlog.stdlib import get_logger
 
+from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
+from authentik.flows.stage import PLAN_CONTEXT_PENDING_USER_IDENTIFIER
+from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.sources.oauth.models import OAuthSource
 from authentik.sources.oauth.views.base import OAuthClientMixin
 
@@ -30,6 +33,19 @@ class OAuthRedirect(OAuthClientMixin, RedirectView):
             kwargs={"source_slug": source.slug},
         )
 
+    def _try_login_hint_extract(self) -> dict[str, str]:
+        """Check if we're running in a flow and if we have a pending user, use that
+        as login_hint"""
+        params = {}
+        plan: FlowPlan = self.request.session.get(SESSION_KEY_PLAN, None)
+        if not plan:
+            return params
+        if user := plan.context.get(PLAN_CONTEXT_PENDING_USER):
+            params["login_hint"] = user.email
+        if identifier := plan.context.get(PLAN_CONTEXT_PENDING_USER_IDENTIFIER):
+            params["login_hint"] = identifier
+        return params
+
     def get_redirect_url(self, **kwargs) -> str:
         "Build redirect url for a given source."
         slug = kwargs.get("source_slug", "")
@@ -47,4 +63,5 @@ class OAuthRedirect(OAuthClientMixin, RedirectView):
                 params["scope"] = source.additional_scopes[1:].split(" ")
             else:
                 params["scope"] += source.additional_scopes.split(" ")
+        params.update(self._try_login_hint_extract())
         return client.get_redirect_url(params)

authentik/tasks/forks.py

@@ -11,7 +11,7 @@ def worker_healthcheck():
     import authentik.tasks.setup  # noqa
     from authentik.tasks.middleware import WorkerHealthcheckMiddleware
 
-    host, _, port = CONFIG.get("listen.listen_http").rpartition(":")
+    host, _, port = CONFIG.get("listen.http").rpartition(":")
 
     try:
         port = int(port)
@@ -33,7 +33,7 @@ def worker_metrics():
     import authentik.tasks.setup  # noqa
     from authentik.tasks.middleware import MetricsMiddleware
 
-    addr, _, port = CONFIG.get("listen.listen_metrics").rpartition(":")
+    addr, _, port = CONFIG.get("listen.metrics").rpartition(":")
 
     try:
         port = int(port)

blueprints/schema.json

@@ -9428,7 +9428,8 @@
                     "enum": [
                         "default",
                         "aws",
-                        "slack"
+                        "slack",
+                        "sfdc"
                     ],
                     "title": "SCIM Compatibility Mode",
                     "description": "Alter authentik behavior for vendor-specific SCIM implementations."

go.mod

@@ -32,7 +32,7 @@ require (
 	github.com/spf13/cobra v1.10.1
 	github.com/stretchr/testify v1.11.1
 	github.com/wwt/guac v1.3.2
-	goauthentik.io/api/v3 v3.2025100.8
+	goauthentik.io/api/v3 v3.2025100.10
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
 	golang.org/x/oauth2 v0.31.0
 	golang.org/x/sync v0.17.0

go.sum

@@ -190,8 +190,8 @@ go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
 go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
-goauthentik.io/api/v3 v3.2025100.8 h1:Uc9NYSrbUVwcAIO4XRpf1DhnZRAU+QDwHaFuI+U5nlk=
-goauthentik.io/api/v3 v3.2025100.8/go.mod h1:82lqAz4jxzl6Cg0YDbhNtvvTG2rm6605ZhdJFnbbsl8=
+goauthentik.io/api/v3 v3.2025100.10 h1:NdWtH0AgHNBc8yAmk0A+8AoQMyQR62OrZL7ds21ErdY=
+goauthentik.io/api/v3 v3.2025100.10/go.mod h1:82lqAz4jxzl6Cg0YDbhNtvvTG2rm6605ZhdJFnbbsl8=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=

internal/config/struct.go

@@ -37,13 +37,13 @@ type RedisConfig struct {
 }
 
 type ListenConfig struct {
-	HTTP              string   `yaml:"listen_http" env:"HTTP, overwrite"`
-	HTTPS             string   `yaml:"listen_https" env:"HTTPS, overwrite"`
-	LDAP              string   `yaml:"listen_ldap" env:"LDAP, overwrite"`
-	LDAPS             string   `yaml:"listen_ldaps" env:"LDAPS, overwrite"`
-	Radius            string   `yaml:"listen_radius" env:"RADIUS, overwrite"`
-	Metrics           string   `yaml:"listen_metrics" env:"METRICS, overwrite"`
-	Debug             string   `yaml:"listen_debug" env:"DEBUG, overwrite"`
+	HTTP              string   `yaml:"http" env:"HTTP, overwrite"`
+	HTTPS             string   `yaml:"https" env:"HTTPS, overwrite"`
+	LDAP              string   `yaml:"ldap" env:"LDAP, overwrite"`
+	LDAPS             string   `yaml:"ldaps" env:"LDAPS, overwrite"`
+	Radius            string   `yaml:"radius" env:"RADIUS, overwrite"`
+	Metrics           string   `yaml:"metrics" env:"METRICS, overwrite"`
+	Debug             string   `yaml:"debug" env:"DEBUG, overwrite"`
 	TrustedProxyCIDRs []string `yaml:"trusted_proxy_cidrs" env:"TRUSTED_PROXY_CIDRS, overwrite"`
 }
 

internal/outpost/flow/executor.go

@@ -82,6 +82,11 @@ func NewFlowExecutor(ctx context.Context, flowSlug string, refConfig *api.Config
 	config := api.NewConfiguration()
 	config.Host = refConfig.Host
 	config.Scheme = refConfig.Scheme
+	config.Servers = api.ServerConfigurations{
+		{
+			URL: refConfig.Servers[0].URL,
+		},
+	}
 	config.HTTPClient = &http.Client{
 		Jar:       jar,
 		Transport: fe,

internal/outpost/ldap/entries.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"strconv"
 	"strings"
+	"time"
 
 	"beryju.io/ldap"
 
@@ -50,10 +51,13 @@ func (pi *ProviderInstance) UserEntry(u api.User) *ldap.Entry {
 			constants.OCPosixAccount,
 			constants.OCAKUser,
 		},
-		"uidNumber":     {pi.GetUserUidNumber(u)},
-		"gidNumber":     {pi.GetUserGidNumber(u)},
-		"homeDirectory": {fmt.Sprintf("/home/%s", u.Username)},
-		"sn":            {u.Name},
+		"uidNumber":       {pi.GetUserUidNumber(u)},
+		"gidNumber":       {pi.GetUserGidNumber(u)},
+		"homeDirectory":   {fmt.Sprintf("/home/%s", u.Username)},
+		"sn":              {u.Name},
+		"pwdChangedTime":  {u.PasswordChangeDate.In(time.UTC).Format("20060102150405Z")},
+		"createTimestamp": {u.DateJoined.In(time.UTC).Format("20060102150405Z")},
+		"modifyTimestamp": {u.LastUpdated.In(time.UTC).Format("20060102150405Z")},
 	})
 	return &ldap.Entry{DN: dn, Attributes: attrs}
 }

internal/outpost/ldap/search/direct/schema.go

@@ -58,6 +58,7 @@ func (ds *DirectSearcher) SearchSubschema(req *search.Request) (ldap.ServerSearc
 							"( 1.2.840.113556.1.4.44 NAME 'homeDirectory' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
 							"( 1.2.840.113556.1.4.750 NAME 'groupType' SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE )",
 							"( 1.2.840.113556.1.4.782 NAME 'objectCategory' SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' SINGLE-VALUE )",
+							"( 1.3.6.1.4.1.42.2.27.8.1.16 NAME 'pwdChangedTime' SYNTAX '1.3.6.1.4.1.1466.115.121.1.24' SINGLE-VALUE NO-USER-MODIFICATION )",
 							"( 1.3.6.1.1.1.1.0 NAME 'uidNumber' SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE )",
 							"( 1.3.6.1.1.1.1.1 NAME 'gidNumber' SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE )",
 							"( 1.3.6.1.1.1.1.12 NAME 'memberUid' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' )",

internal/outpost/ldap/search/memory/memory.go

@@ -57,7 +57,7 @@ func (ms *MemorySearcher) fetch() {
 		Logger:   ms.log,
 	})
 	ms.users = users
-	groups, _ := ak.Paginator(ms.si.GetAPIClient().CoreApi.CoreGroupsList(context.TODO()).IncludeUsers(true), ak.PaginatorOptions{
+	groups, _ := ak.Paginator(ms.si.GetAPIClient().CoreApi.CoreGroupsList(context.TODO()).IncludeUsers(true).IncludeChildren(true), ak.PaginatorOptions{
 		PageSize: 100,
 		Logger:   ms.log,
 	})

internal/outpost/proxyv2/application/mode_common.go

@@ -38,7 +38,7 @@ func (a *Application) setAuthorizationHeader(headers http.Header, c *Claims) {
 }
 
 func (a *Application) addHeaders(headers http.Header, c *Claims) {
-	// https://goauthentik.io/docs/providers/proxy/proxy
+	// https://docs.goauthentik.io/add-secure-apps/providers/proxy
 	headers.Set("X-authentik-username", c.PreferredUsername)
 	headers.Set("X-authentik-groups", strings.Join(c.Groups, "|"))
 	headers.Set("X-authentik-entitlements", strings.Join(c.Entitlements, "|"))

lifecycle/aws/package-lock.json

@@ -9,7 +9,7 @@
             "version": "0.0.0",
             "license": "MIT",
             "devDependencies": {
-                "aws-cdk": "^2.1029.2",
+                "aws-cdk": "^2.1029.3",
                 "cross-env": "^10.0.0"
             },
             "engines": {
@@ -24,9 +24,9 @@
             "license": "MIT"
         },
         "node_modules/aws-cdk": {
-            "version": "2.1029.2",
-            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1029.2.tgz",
-            "integrity": "sha512-VkgxcbDLygHtnIuZHDYosQSlYwqmnYogzgB4zq+n6prHUP3Q9R8b/eOeo5bG+5OhE+r6+ZXrrVSmfISyaxA0og==",
+            "version": "2.1029.3",
+            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1029.3.tgz",
+            "integrity": "sha512-otRJP5a4r07S+SLKs/WvJH+0auZHkaRMnv1vtD4fpp1figV8Vr9MKdB4QPNjfKdLGyK9f95OEHwVlIW9xpjPBg==",
             "dev": true,
             "license": "Apache-2.0",
             "bin": {

lifecycle/aws/package.json

@@ -10,7 +10,7 @@
         "node": ">=20"
     },
     "devDependencies": {
-        "aws-cdk": "^2.1029.2",
+        "aws-cdk": "^2.1029.3",
         "cross-env": "^10.0.0"
     }
 }

schema.yml

@@ -40684,6 +40684,7 @@ components:
       - default
       - aws
       - slack
+      - sfdc
       type: string
     Config:
       type: object

tests/e2e/test_provider_ldap.py

@@ -241,6 +241,9 @@ class TestProviderLDAP(SeleniumTestCase):
                     "homeDirectory": f"/home/{o_user.username}",
                     "ak-active": True,
                     "ak-superuser": False,
+                    "pwdChangedTime": o_user.password_change_date.replace(microsecond=0),
+                    "createTimestamp": o_user.date_joined.replace(microsecond=0),
+                    "modifyTimestamp": o_user.last_updated.replace(microsecond=0),
                 },
                 "type": "searchResEntry",
             },
@@ -269,6 +272,9 @@ class TestProviderLDAP(SeleniumTestCase):
                     "homeDirectory": f"/home/{embedded_account.username}",
                     "ak-active": True,
                     "ak-superuser": False,
+                    "pwdChangedTime": embedded_account.password_change_date.replace(microsecond=0),
+                    "createTimestamp": embedded_account.date_joined.replace(microsecond=0),
+                    "modifyTimestamp": embedded_account.last_updated.replace(microsecond=0),
                 },
                 "type": "searchResEntry",
             },
@@ -301,6 +307,9 @@ class TestProviderLDAP(SeleniumTestCase):
                     "ak-active": True,
                     "ak-superuser": True,
                     "extraAttribute": ["bar"],
+                    "pwdChangedTime": self.user.password_change_date.replace(microsecond=0),
+                    "createTimestamp": self.user.date_joined.replace(microsecond=0),
+                    "modifyTimestamp": self.user.last_updated.replace(microsecond=0),
                 },
                 "type": "searchResEntry",
             },
@@ -378,6 +387,9 @@ class TestProviderLDAP(SeleniumTestCase):
                     "homeDirectory": f"/home/{user.username}",
                     "ak-active": True,
                     "ak-superuser": False,
+                    "pwdChangedTime": user.password_change_date.replace(microsecond=0),
+                    "createTimestamp": user.date_joined.replace(microsecond=0),
+                    "modifyTimestamp": user.last_updated.replace(microsecond=0),
                 },
                 "type": "searchResEntry",
             },

web/package-lock.json

@@ -23,7 +23,7 @@
                 "@floating-ui/dom": "^1.7.4",
                 "@formatjs/intl-listformat": "^7.7.11",
                 "@fortawesome/fontawesome-free": "^7.0.1",
-                "@goauthentik/api": "^2025.10.0-rc1-1758664464",
+                "@goauthentik/api": "^2025.10.0-rc1-1758803800",
                 "@goauthentik/core": "^1.0.0",
                 "@goauthentik/esbuild-plugin-live-reload": "^1.2.2",
                 "@goauthentik/eslint-config": "^1.0.5",
@@ -43,7 +43,7 @@
                 "@patternfly/elements": "^4.2.0",
                 "@patternfly/patternfly": "^4.224.2",
                 "@playwright/test": "^1.55.1",
-                "@sentry/browser": "^10.13.0",
+                "@sentry/browser": "^10.15.0",
                 "@spotlightjs/spotlight": "^4.0.0",
                 "@storybook/addon-docs": "^9.1.8",
                 "@storybook/addon-links": "^9.1.8",
@@ -126,7 +126,7 @@
                 "@rollup/rollup-darwin-arm64": "^4.52.2",
                 "@rollup/rollup-linux-arm64-gnu": "^4.52.2",
                 "@rollup/rollup-linux-x64-gnu": "^4.52.2",
-                "chromedriver": "^140.0.3",
+                "chromedriver": "^140.0.4",
                 "p-iteration": "^1.1.8"
             }
         },
@@ -1337,9 +1337,9 @@
             }
         },
         "node_modules/@goauthentik/api": {
-            "version": "2025.10.0-rc1-1758664464",
-            "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2025.10.0-rc1-1758664464.tgz",
-            "integrity": "sha512-EP1kBwR/ISfXckA+vheBa3e2szNsIC9ihFpFiJj8Lly/8wknZgJBN66zXVhc+kPhbcjQ7Mu38MTJoqtVlJs8cg=="
+            "version": "2025.10.0-rc1-1758803800",
+            "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2025.10.0-rc1-1758803800.tgz",
+            "integrity": "sha512-C3SP5Y0JYEIzJs91CH2auugHGDzxXrfZfPriUafp1I/+eiGbBbJhIwjgc3fnfbHpHf+idAe9HyRi7xJvX8asog=="
         },
         "node_modules/@goauthentik/core": {
             "resolved": "packages/core",
@@ -3109,50 +3109,6 @@
                 "node": ">=18"
             }
         },
-        "node_modules/@playwright/test/node_modules/fsevents": {
-            "version": "2.3.2",
-            "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.2.tgz",
-            "integrity": "sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA==",
-            "hasInstallScript": true,
-            "license": "MIT",
-            "optional": true,
-            "os": [
-                "darwin"
-            ],
-            "engines": {
-                "node": "^8.16.0 || ^10.6.0 || >=11.0.0"
-            }
-        },
-        "node_modules/@playwright/test/node_modules/playwright": {
-            "version": "1.55.0",
-            "resolved": "https://registry.npmjs.org/playwright/-/playwright-1.55.0.tgz",
-            "integrity": "sha512-sdCWStblvV1YU909Xqx0DhOjPZE4/5lJsIS84IfN9dAZfcl/CIZ5O8l3o0j7hPMjDvqoTF8ZUcc+i/GL5erstA==",
-            "license": "Apache-2.0",
-            "dependencies": {
-                "playwright-core": "1.55.0"
-            },
-            "bin": {
-                "playwright": "cli.js"
-            },
-            "engines": {
-                "node": ">=18"
-            },
-            "optionalDependencies": {
-                "fsevents": "2.3.2"
-            }
-        },
-        "node_modules/@playwright/test/node_modules/playwright-core": {
-            "version": "1.55.0",
-            "resolved": "https://registry.npmjs.org/playwright-core/-/playwright-core-1.55.0.tgz",
-            "integrity": "sha512-GvZs4vU3U5ro2nZpeiwyb0zuFaqb9sUiAJuyrWpcGouD8y9/HLgGbNRjIph7zU9D3hnPaisMl9zG9CgFi/biIg==",
-            "license": "Apache-2.0",
-            "bin": {
-                "playwright-core": "cli.js"
-            },
-            "engines": {
-                "node": ">=18"
-            }
-        },
         "node_modules/@polka/url": {
             "version": "1.0.0-next.29",
             "resolved": "https://registry.npmjs.org/@polka/url/-/url-1.0.0-next.29.tgz",
@@ -3612,71 +3568,116 @@
             "integrity": "sha512-831qok9r2t8AlxLko40y2ebgSDhenenCatLVeW/uBtnHPyhHOvG0C7TvfgecV+wHzIm5KUICgzmVpWS+IMEAeg=="
         },
         "node_modules/@sentry-internal/browser-utils": {
-            "version": "10.13.0",
-            "resolved": "https://registry.npmjs.org/@sentry-internal/browser-utils/-/browser-utils-10.13.0.tgz",
-            "integrity": "sha512-e50QBM8yTd0Hn3A2iDmqDdiPkzXFtwVWUiNdLQ1odvAPGHMChXGFHZe7qrFMisGq5NwUA5lHGdk1eZoM71owHw==",
+            "version": "10.15.0",
+            "resolved": "https://registry.npmjs.org/@sentry-internal/browser-utils/-/browser-utils-10.15.0.tgz",
+            "integrity": "sha512-hJxo6rj3cMqiYlZd6PC8o/i2FG6hRnZdHcJkfm1HXgWCRgdCPilKghL6WU+B2H5dLyRKJ17nWjDAVQPRdCxO9w==",
             "license": "MIT",
             "dependencies": {
-                "@sentry/core": "10.13.0"
+                "@sentry/core": "10.15.0"
             },
             "engines": {
                 "node": ">=18"
             }
         },
+        "node_modules/@sentry-internal/browser-utils/node_modules/@sentry/core": {
+            "version": "10.15.0",
+            "resolved": "https://registry.npmjs.org/@sentry/core/-/core-10.15.0.tgz",
+            "integrity": "sha512-J7WsQvb9G6nsVgWkTHwyX7wR2djtEACYCx19hAnRbSGIg+ysVG+7Ti3RL4bz9/VXfcxsz346cleKc7ljhynYlQ==",
+            "license": "MIT",
+            "engines": {
+                "node": ">=18"
+            }
+        },
         "node_modules/@sentry-internal/feedback": {
-            "version": "10.13.0",
-            "resolved": "https://registry.npmjs.org/@sentry-internal/feedback/-/feedback-10.13.0.tgz",
-            "integrity": "sha512-Sm7ShXUbN2oG57nq6Tayqm9PePlEToZWduSc4LO9jlp34zTM5bDSJ/3zG83UPVnVWnVak6P/RbeCwNd2U5pdDw==",
+            "version": "10.15.0",
+            "resolved": "https://registry.npmjs.org/@sentry-internal/feedback/-/feedback-10.15.0.tgz",
+            "integrity": "sha512-EP+NvdU9yfmepGzQwz0jnqhd0DBxHzrP16TsJIVXJe93QJ+gumdN3XQ0lvYtEC9zHuU08DghRLjfI1kLRfGzdQ==",
             "license": "MIT",
             "dependencies": {
-                "@sentry/core": "10.13.0"
+                "@sentry/core": "10.15.0"
             },
             "engines": {
                 "node": ">=18"
             }
         },
+        "node_modules/@sentry-internal/feedback/node_modules/@sentry/core": {
+            "version": "10.15.0",
+            "resolved": "https://registry.npmjs.org/@sentry/core/-/core-10.15.0.tgz",
+            "integrity": "sha512-J7WsQvb9G6nsVgWkTHwyX7wR2djtEACYCx19hAnRbSGIg+ysVG+7Ti3RL4bz9/VXfcxsz346cleKc7ljhynYlQ==",
+            "license": "MIT",
+            "engines": {
+                "node": ">=18"
+            }
+        },
         "node_modules/@sentry-internal/replay": {
-            "version": "10.13.0",
-            "resolved": "https://registry.npmjs.org/@sentry-internal/replay/-/replay-10.13.0.tgz",
-            "integrity": "sha512-Gp2keOmy9V4YSchQPdba5lkG+XUpzm9ixCiJpCZ3hE0TKrYUHmrKYRyOCOvzg77aP4oif4WgDTAQjABuxilfXw==",
+            "version": "10.15.0",
+            "resolved": "https://registry.npmjs.org/@sentry-internal/replay/-/replay-10.15.0.tgz",
+            "integrity": "sha512-vHBAFVdDfa51oqPWyRCK4fOIFhFeE2mVlqBWrBb+S3vCNcmtpvqJUq6o4sjSYcQzdZQpMSp5/Lj8Y3a8x/ed7w==",
             "license": "MIT",
             "dependencies": {
-                "@sentry-internal/browser-utils": "10.13.0",
-                "@sentry/core": "10.13.0"
+                "@sentry-internal/browser-utils": "10.15.0",
+                "@sentry/core": "10.15.0"
             },
             "engines": {
                 "node": ">=18"
             }
         },
         "node_modules/@sentry-internal/replay-canvas": {
-            "version": "10.13.0",
-            "resolved": "https://registry.npmjs.org/@sentry-internal/replay-canvas/-/replay-canvas-10.13.0.tgz",
-            "integrity": "sha512-2JjTc928l0faKIlfMrLtSUpuAUeUFKDk84mfkjnIr3tTdJSIZGxE0wFiaC+PFAARrIlyjdK3yzvAwAMkjlvdcw==",
+            "version": "10.15.0",
+            "resolved": "https://registry.npmjs.org/@sentry-internal/replay-canvas/-/replay-canvas-10.15.0.tgz",
+            "integrity": "sha512-SXgUWArk+haUJ24W6pIm9IiwmIk3WxeQyFUxFfMUetSRb06CVAoNjPb0YuzKIeuFYJb6hDPGQ9UWhShnQpTmkw==",
             "license": "MIT",
             "dependencies": {
-                "@sentry-internal/replay": "10.13.0",
-                "@sentry/core": "10.13.0"
+                "@sentry-internal/replay": "10.15.0",
+                "@sentry/core": "10.15.0"
             },
             "engines": {
                 "node": ">=18"
             }
         },
+        "node_modules/@sentry-internal/replay-canvas/node_modules/@sentry/core": {
+            "version": "10.15.0",
+            "resolved": "https://registry.npmjs.org/@sentry/core/-/core-10.15.0.tgz",
+            "integrity": "sha512-J7WsQvb9G6nsVgWkTHwyX7wR2djtEACYCx19hAnRbSGIg+ysVG+7Ti3RL4bz9/VXfcxsz346cleKc7ljhynYlQ==",
+            "license": "MIT",
+            "engines": {
+                "node": ">=18"
+            }
+        },
+        "node_modules/@sentry-internal/replay/node_modules/@sentry/core": {
+            "version": "10.15.0",
+            "resolved": "https://registry.npmjs.org/@sentry/core/-/core-10.15.0.tgz",
+            "integrity": "sha512-J7WsQvb9G6nsVgWkTHwyX7wR2djtEACYCx19hAnRbSGIg+ysVG+7Ti3RL4bz9/VXfcxsz346cleKc7ljhynYlQ==",
+            "license": "MIT",
+            "engines": {
+                "node": ">=18"
+            }
+        },
         "node_modules/@sentry/browser": {
-            "version": "10.13.0",
-            "resolved": "https://registry.npmjs.org/@sentry/browser/-/browser-10.13.0.tgz",
-            "integrity": "sha512-DQ0HgO40hZEKVBuNmXVH6FVxC24gL60EJ74bnEWIdKKSV1r5FqRE0ho/PIYZnVlw4khUD4iwEzZTjaBPZDwcLw==",
+            "version": "10.15.0",
+            "resolved": "https://registry.npmjs.org/@sentry/browser/-/browser-10.15.0.tgz",
+            "integrity": "sha512-YV42VgW7xdmY23u7+nQLNJXDVilNTP0d5WWkHDxeI/uD6AAvn3GyKjx1YMG/KCulxva3dPDPEUunzDm3al26Sw==",
             "license": "MIT",
             "dependencies": {
-                "@sentry-internal/browser-utils": "10.13.0",
-                "@sentry-internal/feedback": "10.13.0",
-                "@sentry-internal/replay": "10.13.0",
-                "@sentry-internal/replay-canvas": "10.13.0",
-                "@sentry/core": "10.13.0"
+                "@sentry-internal/browser-utils": "10.15.0",
+                "@sentry-internal/feedback": "10.15.0",
+                "@sentry-internal/replay": "10.15.0",
+                "@sentry-internal/replay-canvas": "10.15.0",
+                "@sentry/core": "10.15.0"
             },
             "engines": {
                 "node": ">=18"
             }
         },
+        "node_modules/@sentry/browser/node_modules/@sentry/core": {
+            "version": "10.15.0",
+            "resolved": "https://registry.npmjs.org/@sentry/core/-/core-10.15.0.tgz",
+            "integrity": "sha512-J7WsQvb9G6nsVgWkTHwyX7wR2djtEACYCx19hAnRbSGIg+ysVG+7Ti3RL4bz9/VXfcxsz346cleKc7ljhynYlQ==",
+            "license": "MIT",
+            "engines": {
+                "node": ">=18"
+            }
+        },
         "node_modules/@sentry/core": {
             "version": "10.13.0",
             "resolved": "https://registry.npmjs.org/@sentry/core/-/core-10.13.0.tgz",
@@ -7411,9 +7412,9 @@
             }
         },
         "node_modules/chromedriver": {
-            "version": "140.0.3",
-            "resolved": "https://registry.npmjs.org/chromedriver/-/chromedriver-140.0.3.tgz",
-            "integrity": "sha512-2UdIHhkGy8U5hODjIitUnm6coDJiEpcWAiDCSG8bwTHnK3hivHetW/KAvApXEMdCGdGZVCBwhycJG3HVFTxKpA==",
+            "version": "140.0.4",
+            "resolved": "https://registry.npmjs.org/chromedriver/-/chromedriver-140.0.4.tgz",
+            "integrity": "sha512-/NUoxYBNkJeoNj1B5ux3KxGShITlxJctkbApgVAa3ZC8EvCLKaBclwU3/IEj5MJHnBJzqOVDxs/eTyaF9k2fOg==",
             "hasInstallScript": true,
             "license": "Apache-2.0",
             "optional": true,

web/package.json

@@ -95,7 +95,7 @@
         "@floating-ui/dom": "^1.7.4",
         "@formatjs/intl-listformat": "^7.7.11",
         "@fortawesome/fontawesome-free": "^7.0.1",
-        "@goauthentik/api": "^2025.10.0-rc1-1758664464",
+        "@goauthentik/api": "^2025.10.0-rc1-1758803800",
         "@goauthentik/core": "^1.0.0",
         "@goauthentik/esbuild-plugin-live-reload": "^1.2.2",
         "@goauthentik/eslint-config": "^1.0.5",
@@ -115,7 +115,7 @@
         "@patternfly/elements": "^4.2.0",
         "@patternfly/patternfly": "^4.224.2",
         "@playwright/test": "^1.55.1",
-        "@sentry/browser": "^10.13.0",
+        "@sentry/browser": "^10.15.0",
         "@spotlightjs/spotlight": "^4.0.0",
         "@storybook/addon-docs": "^9.1.8",
         "@storybook/addon-links": "^9.1.8",
@@ -195,7 +195,7 @@
         "@rollup/rollup-darwin-arm64": "^4.52.2",
         "@rollup/rollup-linux-arm64-gnu": "^4.52.2",
         "@rollup/rollup-linux-x64-gnu": "^4.52.2",
-        "chromedriver": "^140.0.3",
+        "chromedriver": "^140.0.4",
         "p-iteration": "^1.1.8"
     },
     "wireit": {

web/security.txt

@@ -1,4 +1,4 @@
 Contact: mailto:security@goauthentik.io
 Expires: Mon, 1 Jan 2024 00:00 +0200
 Preferred-Languages: en, de
-Policy: https://goauthentik.io/docs/security/policy
+Policy: https://docs.goauthentik.io/security/policy

web/src/admin/admin-overview/cards/VersionStatusCard.ts

@@ -56,7 +56,7 @@ export class VersionStatusCard extends AdminStatusCard<Version> {
         let text = this.value?.versionCurrent;
         const versionFamily = this.value?.versionCurrent.split(".");
         versionFamily?.pop();
-        let link = `https://goauthentik.io/docs/releases/${versionFamily?.join(".")}`;
+        let link = `https://docs.goauthentik.io/releases/${versionFamily?.join(".")}`;
         if (this.value?.buildHash) {
             text = this.value.buildHash?.substring(0, 7);
             link = `https://github.com/goauthentik/authentik/commit/${this.value.buildHash}`;

web/src/admin/providers/scim/SCIMProviderFormForm.ts

@@ -189,6 +189,11 @@ export function renderForm(
                             value: CompatibilityModeEnum.Slack,
                             description: html`${msg("Altered behavior for usage with Slack.")}`,
                         },
+                        {
+                            label: msg("Salesforce"),
+                            value: CompatibilityModeEnum.Sfdc,
+                            description: html`${msg("Altered behavior for usage with Salesforce.")}`,
+                        },
                     ]}
                     help=${msg(
                         "Alter authentik's behavior for vendor-specific SCIM implementations.",

web/src/admin/users/ServiceAccountForm.ts

@@ -54,6 +54,7 @@ export class ServiceAccountForm extends Form<UserServiceAccountRequest> {
     reset(): void {
         super.reset();
         this.result = null;
+        (this.parentElement as ModalForm).showSubmitButton = true;
     }
 
     renderForm(): TemplateResult {

web/src/elements/Base.ts

@@ -13,7 +13,7 @@ import {
 import { UiThemeEnum } from "@goauthentik/api";
 
 import { localized } from "@lit/localize";
-import { CSSResult, CSSResultGroup, CSSResultOrNative, LitElement } from "lit";
+import { CSSResult, CSSResultGroup, CSSResultOrNative, LitElement, PropertyValues } from "lit";
 import { property } from "lit/decorators.js";
 
 export interface AKElementProps {
@@ -53,6 +53,25 @@ export class AKElement extends LitElement implements AKElementProps {
         this.#customCSSStyleSheet = brand?.brandingCustomCss
             ? createStyleSheetUnsafe(brand.brandingCustomCss)
             : null;
+
+        if (process.env.NODE_ENV === "development") {
+            const updatedCallback = this.updated;
+
+            this.updated = function (args: PropertyValues) {
+                updatedCallback?.call(this, args);
+
+                const unregisteredElements = this.renderRoot.querySelectorAll(":not(:defined)");
+
+                if (!unregisteredElements.length) return;
+
+                for (const element of unregisteredElements) {
+                    console.debug("Unregistered custom element found in the DOM", element);
+                }
+                throw new TypeError(
+                    `${unregisteredElements.length} unregistered custom elements found in the DOM. See console for details.`,
+                );
+            };
+        }
     }
 
     public override disconnectedCallback(): void {

web/src/elements/cards/stories/QuickActionsCard.stories.ts

@@ -11,7 +11,7 @@ const ACTIONS: QuickAction[] = [
     ["Check the logs", "/events/log"],
     ["Explore integrations", "https://integrations.goauthentik.io/", true],
     ["Manage users", "/identity/users"],
-    ["Check the release notes", "https://goauthentik.io/docs/releases/", true],
+    ["Check the release notes", "https://docs.goauthentik.io/releases/", true],
 ];
 
 const metadata: Meta<QuickActionsCard> = {
@@ -41,7 +41,7 @@ const ACTIONS: QuickAction[] = [
     ["Check the logs", "/events/log"],
     ["Explore integrations", "https://goauthentik.io/integrations/", true],
     ["Manage users", "/identity/users"],
-    ["Check the release notes", "https://goauthentik.io/docs/releases/", true],
+    ["Check the release notes", "https://docs.goauthentik.io/releases/", true],
 ];
 \`\`\`
 

website/api/package.json

@@ -45,9 +45,9 @@
         "typescript": "^5.9.2"
     },
     "optionalDependencies": {
-        "@rspack/binding-darwin-arm64": "1.5.5",
-        "@rspack/binding-linux-arm64-gnu": "1.5.5",
-        "@rspack/binding-linux-x64-gnu": "1.5.5",
+        "@rspack/binding-darwin-arm64": "1.5.7",
+        "@rspack/binding-linux-arm64-gnu": "1.5.7",
+        "@rspack/binding-linux-x64-gnu": "1.5.7",
         "@swc/core-darwin-arm64": "1.13.5",
         "@swc/core-linux-arm64-gnu": "1.13.5",
         "@swc/core-linux-x64-gnu": "1.13.5",

website/docs/add-secure-apps/flows-stages/stages/email/index.mdx

@@ -48,11 +48,11 @@ import Tabs from "@theme/Tabs";
 <Tabs
   defaultValue="docker-compose"
   values={[
-    {label: 'docker-compose', value: 'docker-compose'},
+    {label: 'Docker Compose', value: 'docker-compose'},
     {label: 'Kubernetes', value: 'kubernetes'},
   ]}>
   <TabItem value="docker-compose">
-Place any custom templates in the `custom-templates` Folder, which is in the same folder as your docker-compose file. Afterwards, you'll be able to select the template when creating/editing an Email stage.
+Place any custom templates in the `custom-templates` Folder, which is in the same folder as your Compose file. Afterwards, you'll be able to select the template when creating/editing an Email stage.
 
   </TabItem>
   <TabItem value="kubernetes">

website/docs/add-secure-apps/providers/oauth2/index.mdx

@@ -54,12 +54,14 @@ sequenceDiagram
 | Token                | `/application/o/token/`                                              |
 | User Info            | `/application/o/userinfo/`                                           |
 | Token Revoke         | `/application/o/revoke/`                                             |
+| Token Introspection  | `/application/o/introspect/`                                         |
+| Device Authorization | `/application/o/device/`                                             |
 | End Session          | `/application/o/<application slug>/end-session/`                     |
 | JWKS                 | `/application/o/<application slug>/jwks/`                            |
 | OpenID Configuration | `/application/o/<application slug>/.well-known/openid-configuration` |
 
 :::caution Reserved application slugs
-Due to how the OAuth2 provider endpoints are structured, you cannot create applications that use the slugs `authorize`, `token`, `userinfo`, or `revoke` as these would conflict with the global OAuth2 endpoints.
+Due to how the OAuth2 provider endpoints are structured, you cannot create applications that use the slugs `authorize`, `token`, `device`, `userinfo`, `introspect`, or `revoke` as these would conflict with the global OAuth2 endpoints.
 :::
 
 ### Additional configuration options with Redirect URIs

website/docs/add-secure-apps/providers/proxy/server_traefik.mdx

@@ -13,7 +13,7 @@ import Placeholders from "./__placeholders.md";
   defaultValue="standalone-traefik"
   values={[
     {label: 'Standalone traefik', value: 'standalone-traefik'},
-    {label: 'docker-compose', value: 'docker-compose'},
+    {label: 'Docker Compose', value: 'docker-compose'},
     {label: 'Ingress', value: 'ingress'},
   ]}>
   <TabItem value="standalone-traefik">

website/docs/developer-docs/docs/writing-documentation.md

@@ -7,7 +7,18 @@ import Tabs from "@theme/Tabs";
 
 Writing documentation for authentik is a great way for both new and experienced users to improve and contribute to the project. We appreciate contributions to our documentation; everything from fixing a typo to adding additional content to writing a completely new topic.
 
-The technical documentation (https://docs.goauthentik.io/docs/) and our integration guides (https://integrations.goauthentik.io/) are built, formatted, and tested using npm. The commands to build the content locally are defined in the `Makefile` in the root of the repository. Each command is prefixed with `docs-` or `integrations-` and corresponds to an NPM script within the `website` directory.
+The [technical documentation](https://docs.goauthentik.io) and our [integration guides](https://integrations.goauthentik.io/) are built, formatted, and tested using `npm`. The `Makefile` in the root of the repository defines commands to build and test the content locally. Each command is prefixed with `docs-` or `integrations-` and corresponds to an NPM script within the `website` directory.
+
+## Documentation subdomains
+
+authentik documentation is deployed to different subdomains based on the git branch:
+
+| Subdomain                                          | Git Branch       | Description                      |
+| -------------------------------------------------- | ---------------- | -------------------------------- |
+| [main.goauthentik.io](https://main.goauthentik.io) | `main`           | Latest changes and features      |
+| [next.goauthentik.io](https://next.goauthentik.io) | `next`           | Upcoming release content         |
+| [docs.goauthentik.io](https://docs.goauthentik.io) | Current release  | Official stable documentation    |
+| version-YYYY-MM.goauthentik.io                     | Specific release | Historical version documentation |
 
 ## Guidelines
 

website/docs/developer-docs/releases/index.md

@@ -50,13 +50,13 @@
     - Add the following to the release notes
 
         ```
-        See https://goauthentik.io/docs/releases/2022.12
+        See https://docs.goauthentik.io/releases/2022.12
         ```
 
         Or if creating a subsequent release
 
         ```
-        See https://goauthentik.io/docs/releases/2022.12#fixed-in-2022121
+        See https://docs.goauthentik.io/releases/2022.12#fixed-in-2022121
         ```
 
     - Auto-generate the full release notes using the GitHub _Generate Release Notes_ feature
@@ -124,7 +124,7 @@ If you have any questions or comments about this advisory:
 Subject: `Notice of upcoming authentik Security releases 2022.10.3 and 2022.11.3`
 
 ```markdown
-We'll be publishing a security Issue (CVE-2022-xxxxx) and accompanying fix on _date_, 13:00 UTC with the Severity level High. Fixed versions x, y and z will be released alongside a workaround for previous versions. For more info, see the authentik Security policy here: https://goauthentik.io/docs/security/policy.
+We'll be publishing a security Issue (CVE-2022-xxxxx) and accompanying fix on _date_, 13:00 UTC with the Severity level High. Fixed versions x, y and z will be released alongside a workaround for previous versions. For more info, see the authentik Security policy here: https://docs.goauthentik.io/security/policy.
 ```
 
 </details>
@@ -133,7 +133,7 @@ We'll be publishing a security Issue (CVE-2022-xxxxx) and accompanying fix on _d
 <summary>Discord template</summary>
 
 ```markdown
-@everyone We'll be publishing a security Issue (CVE-2022-xxxxx) and accompanying fix on _date_, 13:00 UTC with the Severity level High. Fixed versions x, y and z will be released alongside a workaround for previous versions. For more info, see the authentik Security policy here: https://goauthentik.io/docs/security/policy.
+@everyone We'll be publishing a security Issue (CVE-2022-xxxxx) and accompanying fix on _date_, 13:00 UTC with the Severity level High. Fixed versions x, y and z will be released alongside a workaround for previous versions. For more info, see the authentik Security policy here: https://docs.goauthentik.io/security/policy.
 ```
 
 </details>

website/docs/index.mdx

@@ -66,6 +66,6 @@ Our tech docs cover the typical topics, from installation to configuration, addi
 
 ## Installation
 
-Refer to the installation steps in either [Docker-compose](./install-config/install/docker-compose.mdx) or [Kubernetes](./install-config/install/kubernetes.md).
+Refer to the installation steps for either [Docker Compose](./install-config/install/docker-compose.mdx) or [Kubernetes](./install-config/install/kubernetes.md).
 
 For more information about configuration, beta versions, and additional installation options, see our main [Installation](./install-config/index.mdx) section.

website/docs/install-config/air-gapped.mdx

@@ -22,7 +22,7 @@ To disable these outbound connections, adjust the following settings:
 <Tabs
   defaultValue="docker-compose"
   values={[
-    {label: 'docker-compose', value: 'docker-compose'},
+    {label: 'Docker Compose', value: 'docker-compose'},
     {label: 'Kubernetes', value: 'kubernetes'},
   ]}>
   <TabItem value="docker-compose">

website/docs/releases/2021/v2021.1.md

@@ -10,7 +10,7 @@ slug: "/releases/2021.1"
 
     In previous versions, you had to configure email connection details per [Email Stage](../../add-secure-apps/flows-stages/stages/email/index.mdx). Now, you can (and should) configure global settings.
 
-    This is documented under the [docker-compose](../../install-config/install/docker-compose.mdx) and [Kubernetes](../../install-config/install/kubernetes.md) sections.
+    This is documented under the [Docker Compose](../../install-config/install/docker-compose.mdx) and [Kubernetes](../../install-config/install/kubernetes.md) sections.
 
 - New notification system
 
@@ -58,7 +58,7 @@ slug: "/releases/2021.1"
 
 This release does not introduce any new requirements.
 
-### docker-compose
+### Docker Compose
 
 Download the docker-compose file for 2021.1 from [here](https://goauthentik.io/version/2021.1/docker-compose.yml). Afterwards, simply run `docker-compose up -d` and then the standard upgrade command of `docker-compose run --rm server migrate`.
 

website/docs/releases/old/v0.10.md

@@ -37,7 +37,7 @@ This update brings a lot of big features, such as:
 
 ### docker-compose
 
-The docker-compose file has been updated, please download the latest from `https://goauthentik.io/docker-compose.yml`.
+The docker-compose file has been updated, please download the latest from `https://docs.goauthentik.io/docker-compose.yml`.
 By default, the new compose file uses a fixed version to prevent unintended updates.
 
 Before updating the file, stop all containers. Then download the file, pull the new containers and start the database.

website/docs/releases/old/v0.11.md

@@ -20,6 +20,6 @@ This update brings these headline features:
 
 ## Upgrading
 
-This upgrade can be done as any other patch upgrade, the only external change is the new docker-compose file, which enabled the Docker Integration for Outposts. To use this feature, please download the latest docker-compose from [here](https://goauthentik.io/docker-compose.yml).
+This upgrade can be done as any other patch upgrade, the only external change is the new docker-compose file, which enabled the Docker Integration for Outposts. To use this feature, please download the latest docker-compose from [here](https://docs.goauthentik.io/docker-compose.yml).
 
 Afterwards, you can simply run `docker-compose up -d` and then the normal upgrade command of `docker-compose run --rm server migrate`.

website/docs/releases/old/v0.12.md

@@ -21,7 +21,7 @@ Fixes:
 
 ### docker-compose
 
-Docker-compose users should download the latest docker-compose file from [here](https://goauthentik.io/docker-compose.yml). This includes the new traefik 2.3.
+Docker-compose users should download the latest docker-compose file from [here](https://docs.goauthentik.io/docker-compose.yml). This includes the new traefik 2.3.
 
 Afterwards, you can simply run `docker-compose up -d` and then the normal upgrade command of `docker-compose run --rm server migrate`.
 

website/docs/sys-mgmt/ops/geoip.mdx

@@ -20,7 +20,7 @@ import Tabs from "@theme/Tabs";
 <Tabs
   defaultValue="docker-compose"
   values={[
-    {label: 'docker-compose', value: 'docker-compose'},
+    {label: 'Docker Compose', value: 'docker-compose'},
     {label: 'Kubernetes', value: 'kubernetes'},
   ]}>
   <TabItem value="docker-compose">
@@ -57,7 +57,7 @@ Sign up for a free MaxMind account [here](https://www.maxmind.com/en/geolite2/si
 <Tabs
   defaultValue="docker-compose"
   values={[
-    {label: 'docker-compose', value: 'docker-compose'},
+    {label: 'Docker Compose', value: 'docker-compose'},
     {label: 'Kubernetes', value: 'kubernetes'},
   ]}>
   <TabItem value="docker-compose">

website/docs/sys-mgmt/ops/worker.md

@@ -37,7 +37,7 @@ All tasks have a time limit. If running a task takes longer than than limit, the
 
 How many workers are needed will depend on what tasks are expected to run. The number of tasks that can concurrently run is calculated as follows:
 
-- workers replicas (1 for docker-compose, defaults to 1 for the Helm chart but can be configured) _multiplied_ by [`AUTHENTIK_WORKER__PROCESSES`](../../install-config/configuration/configuration.mdx#authentik_worker__processes) _multiplied_ by [`AUTHENTIK_WORKER__THREADS`](../../install-config/configuration/configuration.mdx#authentik_worker__threads)
+- workers replicas (1 for Docker Compose, defaults to 1 for the Helm chart but can be configured) _multiplied_ by [`AUTHENTIK_WORKER__PROCESSES`](../../install-config/configuration/configuration.mdx#authentik_worker__processes) _multiplied_ by [`AUTHENTIK_WORKER__THREADS`](../../install-config/configuration/configuration.mdx#authentik_worker__threads)
 
 For example, let's say an LDAP source is configured with 1000 users and 200 groups. The LDAP source syncs the users first, then the groups, and finally memberships. All those steps are done by splitting the objects to synchronize into pages, of size [`AUTHENTIK_LDAP__PAGE_SIZE`](../../install-config/configuration/configuration.mdx#authentik_ldap__page_size). Let's say that setting is 50. That means there are `1000 / 50 = 20` pages of users, `200 / 50 = 4` pages of groups. We won't worry about the number of membership pages, because those are usually smaller than the previous ones.
 

website/docs/troubleshooting/emails.md

@@ -14,7 +14,7 @@ ak test_email <to address> [-S <stage name>]
 
 If you omit the `-S` parameter, the email will be sent using the global settings. Otherwise, the settings of the specified stage will be used.
 
-To run this command with docker-compose, use
+To run this command with Docker Compose, use
 
 ```shell
 docker compose exec worker ak test_email [...]

website/docs/troubleshooting/forward_auth/general.mdx

@@ -19,7 +19,7 @@ Set the authentik log level to `TRACE`:
   groupId="platform"
   defaultValue="docker-compose"
   values={[
-    {label: 'docker-compose', value: 'docker-compose'},
+    {label: 'Docker Compose', value: 'docker-compose'},
     {label: 'Kubernetes', value: 'kubernetes'},
   ]}>
   <TabItem value="docker-compose">

website/docs/troubleshooting/image_upload.md

@@ -3,14 +3,14 @@ title: Errors when uploading icons
 ---
 
 :::info
-This is specific to the docker-compose installation, if you're running into issues on Kubernetes please open a GitHub issue.
+This is specific to the Docker Compose installation, if you're running into issues on Kubernetes please open a GitHub issue.
 :::
 
 This issue is most likely caused by permissions. Docker creates bound volumes as root, but the authentik processes don't run as root.
 
 This will cause issues with icon uploads (for Applications), background uploads (for Flows) and local backups.
 
-To fix these issues, run these commands in the folder of your docker-compose file:
+To fix these issues, run these commands in the folder of your Docker Compose file:
 
 ```shell
 sudo chown 1000:1000 media/

website/docs/troubleshooting/logs.mdx

@@ -17,7 +17,7 @@ import Tabs from "@theme/Tabs";
   groupId="platform"
   defaultValue="docker"
   values={[
-    {label: 'docker-compose', value: 'docker'},
+    {label: 'Docker Compose', value: 'docker'},
     {label: 'Kubernetes', value: 'kubernetes'},
   ]}>
   <TabItem value="docker">
@@ -57,7 +57,7 @@ To enable `trace` logging, follow the platform-specific steps below:
   groupId="platform"
   defaultValue="docker"
   values={[
-    {label: 'docker-compose', value: 'docker'},
+    {label: 'Docker Compose', value: 'docker'},
     {label: 'Kubernetes', value: 'kubernetes'},
   ]}>
   <TabItem value="docker">

website/docs/users-sources/sources/directory-sync/active-directory/index.md

@@ -79,3 +79,11 @@ To support the integration of authentik with Active Directory, you will need to
 6. To finalise the Active Directory setup, you need to enable the backend "authentik LDAP" in the Password Stage.
 
     ![](./11_ak_stage.png)
+
+## Property mapping
+
+```python
+return {
+  "type": "external".
+}
+```

website/docs/users-sources/sources/property-mappings/expressions.md

@@ -19,3 +19,19 @@ import Objects from "../../../expressions/\_objects.md";
 import Functions from "../../../expressions/\_functions.mdx";
 
 <Functions />
+
+## Source property mapping examples
+
+### Set a user's type
+
+The following example is useful when users are being synced from a source such as LDAP and their authentik accounts need to be set as a certain type: external, internal, service account or internal service account.
+
+To set users as external, create the following source property mapping and add it to the source's settings.
+
+```python
+return {
+  "type": "external".
+}
+```
+
+###

website/docs/users-sources/sources/social-logins/discord/index.md

@@ -70,7 +70,7 @@ GUILD_NAME_STRING = "The desired server/guild name in the error message."
 # Only change below here if you know what you are doing.
 
 # Ensure flow is only run during OAuth logins via Discord
-if context['source'].provider_type != "discord":
+if not isinstance(context['source'], OAuthSource) or context['source'].provider_type != "discord":
     return True
 
 # Get the user-source connection object from the context, and get the access token
@@ -118,7 +118,7 @@ ROLE_NAME_STRING = "The desired role name in the error message."
 GUILD_API_URL = f"https://discord.com/api/users/@me/guilds/{ACCEPTED_GUILD_ID}/member"
 
 # Ensure flow is only run during OAuth logins via Discord
-if context['source'].provider_type != "discord":
+if not isinstance(context['source'], OAuthSource) or context['source'].provider_type != "discord":
     return True
 
 # Get the user-source connection object from the context, and get the access token
@@ -185,7 +185,7 @@ guild_id = "<YOUR GUILD ID>"
 ##############
 
 # Ensure flow is only run during OAuth logins via Discord
-if context["source"].provider_type != "discord":
+if not isinstance(context['source'], OAuthSource) or context['source'].provider_type != "discord":
     return True
 
 # Get the user-source connection object from the context, and get the access token
@@ -250,7 +250,7 @@ guild_id = "<YOUR GUILD ID>"
 ##############
 
 # Ensure flow is only run during OAuth logins via Discord
-if context["source"].provider_type != "discord":
+if not isinstance(context['source'], OAuthSource) or context['source'].provider_type != "discord":
     return True
 
 # Get the user-source connection object from the context, and get the access token
@@ -347,7 +347,7 @@ def get_avatar_from_avatar_url(url):
 
 
 # Ensure flow is only run during OAuth logins via Discord
-if context["source"].provider_type != "discord":
+if not isinstance(context['source'], OAuthSource) or context['source'].provider_type != "discord":
     return True
 
 user = request.user

website/docs/users-sources/sources/social-logins/github/index.mdx

@@ -58,7 +58,7 @@ Make sure to include `read:org` in the sources' _Scopes_ setting.
 
 ```python
 # Ensure flow is only run during oauth logins via Github
-if context["source"].provider_type != "github":
+if not isinstance(context['source'], OAuthSource) or context["source"].provider_type != "github":
     return True
 
 accepted_org = "foo"

website/docs/users-sources/user/user_ref.mdx

@@ -10,6 +10,7 @@ The User object has the following properties:
 - `email`: User's email.
 - `uid`: User's unique ID. Read-only.
 - `name`: User's display name.
+- `type`: User's account type; internal, external, service account or internal service account.
 - `is_staff`: Boolean field defining if user is staff.
 - `is_active`: Boolean field defining if user is active.
 - `date_joined`: Date user joined/was created. Read-only.

website/integrations/chat-communication-collaboration/rocketchat/index.md

@@ -11,7 +11,7 @@ support_level: community
 > -- https://github.com/RocketChat/Rocket.Chat
 
 :::note
-This is based on authentik 2022.3.1 and Rocket.chat 4.5.1 using the [Docker-Compose install](https://docs.rocket.chat/quick-start/installing-and-updating/rapid-deployment-methods/docker-and-docker-compose/docker-containers). Instructions may differ between versions.
+This is based on authentik 2022.3.1 and Rocket.chat 4.5.1 using the [Docker Compose install](https://docs.rocket.chat/quick-start/installing-and-updating/rapid-deployment-methods/docker-and-docker-compose/docker-containers). Instructions may differ between versions.
 :::
 
 ## Preparation

website/integrations/chat-communication-collaboration/sharepoint-se/index.md

@@ -340,7 +340,7 @@ From the authentik Admin Dashboard:
 :::note
 The following procedure apply to an authentik deployment within Kubernetes.
 
-For other kinds of deployment, please refer to the [authentik documentation](https://goauthentik.io/docs/).
+For other kinds of deployment, please refer to the [authentik documentation](https://docs.goauthentik.io/).
 :::
 
 1. Follow authentik [LDAP Provider Generic Setup](https://version-2023-10.goauthentik.io/docs/providers/ldap/generic_setup) with the following steps :

website/integrations/chat-communication-collaboration/vikunja/index.md

@@ -11,7 +11,7 @@ support_level: community
 > -- https://vikunja.io/
 
 :::note
-This is based on authentik 2021.7.3 and Vikunja V0.17.1 using the Docker-Compose install https://vikunja.io/docs/full-docker-example/. Instructions may differ between versions.
+This is based on authentik 2021.7.3 and Vikunja V0.17.1 using the Docker Compose install https://vikunja.io/docs/full-docker-example/. Instructions may differ between versions.
 :::
 
 ## Preparation

website/integrations/documentation/paperless-ng/index.md

@@ -30,7 +30,7 @@ Also set up your proxy server to use forward auth with paperless.company: https:
 
 ## Paperless
 
-Start by adding the following environment variables to your Paperless-ng setup. If you are using docker-compose, then add the following to your docker-compose.env file:
+Start by adding the following environment variables to your Paperless-ng setup. If you are using Docker Compose, then add the following to your Compose file:
 
 ```
 PAPERLESS_ENABLE_HTTP_REMOTE_USER=TRUE

website/integrations/infrastructure/apache-guacamole/index.mdx

@@ -1,6 +1,6 @@
 ---
-title: Integrate with Apache Guacamole™
-sidebar_label: Apache Guacamole™
+title: Integrate with Apache Guacamole
+sidebar_label: Apache Guacamole
 support_level: authentik
 ---
 
@@ -68,8 +68,27 @@ Docker containers are typically configured using environment variables. To ensur
     OPENID_JWKS_ENDPOINT=https://authentik.company/application/o/<application_slug>/jwks/
     OPENID_REDIRECT_URI=https://guacamole.company/
     OPENID_USERNAME_CLAIM_TYPE=preferred_username
+    OPENID_ENABLED=true
     ```
 
+You must also add one of the following variables, depending on your desired behaviour:
+
+    - To automatically redirect all unauthenticated users, add the following:
+
+        ```yaml
+        EXTENSION_PRIORITY=openid
+        ```
+
+    - Alternatively, to present unauthenticated users with a login screen, add the following:
+
+        ```yaml
+        EXTENSION_PRIORITY=*,openid
+        ```
+
+:::tip Older versions of Apache Guacamole (pre v1.6)
+In older versions of Apache Guacamole, the `OPENID_ENABLED=true`, `EXTENSION_PRIORITY=openid` or `EXTENSION_PRIORITY=*,openid` are not required.
+:::
+
 Additionally, ensure your `guacamole.properties` file (typically located in `/etc/guacamole/`) includes the following line. This setting allows environment variables to be evaluated before static configuration files:
 
     ```yaml
@@ -87,14 +106,33 @@ Additionally, ensure your `guacamole.properties` file (typically located in `/et
     openid-jwks-endpoint=https://authentik.company/application/o/<application_slug>/jwks/
     openid-redirect-uri=https://guacamole.company/
     openid-username-claim-type=preferred_username
+    openid-enabled=true
     ```
 
+You must also add one of the following settings depending on your desired behaviour:
+
+    - To automatically redirect all unauthenticated users, add the following:
+
+        ```yaml
+        extension-priority=openid
+        ```
+
+    - Alternatively, to present unauthenticated users with a login screen, add the following:
+
+        ```yaml
+        extension-priority=*,openid
+        ```
+
+:::tip Older versions of Apache Guacamole (pre v1.6)
+In older versions of Apache Guacamole, the `openid-enabled=true`, `extension-priority=openid` or `extension-priority=*,openid` are not required.
+:::
+
   </TabItem>
 </Tabs>
 
 ### Self Signed Certificates
 
-When using a self-signed certificate, it is necessary to incorporate the certificate of the corresponding Certificate Authority into both the `/etc/ssl/certs/ca-certificates.crt` file and the `/opt/java/openjkd/jre/lib/security/cacerts` keystore on your Apache Guacamole host. This ensures that the self-signed certificate is trusted by both the system and the Java runtime environment used by Guacamole.
+When using a self-signed certificate, it is necessary to incorporate the certificate of the corresponding Certificate Authority into both the `/etc/ssl/certs/ca-certificates.crt` file and the `/opt/java/openjdk/lib/security/cacerts` keystore on your Apache Guacamole host. This ensures that the self-signed certificate is trusted by both the system and the Java runtime environment used by Guacamole.
 
 #### Adding Certificate Authority certificate as trusted in `/etc/ssl/certs/ca-certificates.crt`
 
@@ -105,7 +143,6 @@ This section depends on the operating system hosting Apache Guacamole.
 ##### For _Debian_ based operating systems:
 
 1. Copy the certificate of the Certificate Authority (e.g. `<CA_certificate>.crt`) to the `/usr/local/share/ca-certificates/` directory on the Apache Guacamole host. Ensure that the file extension is `.crt`.
-
 2. To add the certificate as trusted in `/etc/ssl/certs/ca-certificates.crt`, use the following command:
 
     ```shell
@@ -115,14 +152,13 @@ This section depends on the operating system hosting Apache Guacamole.
 ##### For _Synology_ systems:
 
 1. Copy the certificate of the Certificate Authority (e.g. `<CA_certificate>.crt`) to the `/usr/syno/etc/security-profile/ca-bundle-profile/ca-certificates/` directory on the Synology host. Ensure that the filetype is `.crt`.
-
 2. To add the certificate as trusted in `/etc/ssl/certs/ca-certificates.crt`, use the following command:
 
     ```shell
     update-ca-certificates.sh
     ```
 
-#### Adding Certificate Authority certificate to `/opt/java/openjkd/jre/lib/security/cacerts`
+#### Adding Certificate Authority certificate to `/opt/java/openjdk/lib/security/cacerts`
 
 1. To export the certificate of the Certificate Authority, use the following command on the Certificate Authority host:
 
@@ -130,12 +166,16 @@ This section depends on the operating system hosting Apache Guacamole.
     openssl pkcs12 -export -in <CA_certificate>.crt -inkey <CA_certificate>.key -out <CA_certificate>.p12 -passout pass:<password>
     ```
 
-2. To import the certificate to the `/opt/java/openjdk/jre/lib/security/cacerts` keystore on the Apache Guacamole host, use the following command:
+2. To import the certificate to the `/opt/java/openjdk/lib/security/cacerts` keystore on the Apache Guacamole host, use the following command:
 
     ```shell
-    keytool -importkeystore -srckeystore <CA_certificate>.p12 -srcstoretype PKCS12 -keystore /opt/java/openjdk/jre/lib/security/cacerts -deststorepass <destination_store_password> -nopromt -srcstorepass <password>
+    keytool -importkeystore -srckeystore <CA_certificate>.p12 -srcstoretype PKCS12 -keystore /opt/java/openjdk/lib/security/cacerts -deststorepass <destination_store_password> -nopromt -srcstorepass <password>
     ```
 
+:::tip Older versions of Apache Guacamole (pre v1.6)
+In older versions of Apache Guacamole, the keystore was located at `/opt/java/openjdk/jre/lib/security/cacerts`. If using an older version, update the command accordingly.
+:::
+
 :::note
 More information on the keytool command can be found in the [Oracle documentation.](https://docs.oracle.com/en/java/javase/21/docs/specs/man/keytool.html)
 :::

website/integrations/infrastructure/powerdns-admin/index.md

@@ -61,7 +61,7 @@ SAML_CERT=/saml.crt
 
 You must mount the certificate selected in authentik as a file in the Docker container. The path in the container must match the path in the env variable `SAML_CERT`.
 
-### docker-compose
+### Docker Compose
 
 ```yaml
 services:

website/integrations/infrastructure/zammad/index.md

@@ -32,14 +32,14 @@ To support the integration of Zammad with authentik, you need to create an appli
 2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
 
 - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** as it will be required later.
-- **Choose a Provider type**: selec`AML Provider\*\* as the provider type.
+- **Choose a Provider type**: select **SAML Provider** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Set the **ACS URL** `bd>https://zammad.company/auth/saml/callback`.
     - Set the **Issuer** to `https://zammad.company/auth/saml/metadata`.
     - Set the **Audience** to `https://zammad.company/auth/saml/metadata`.
-    - Set the **Service Provider Bi`** to `Post`.
+    - Set the **Service Provider Binding** to `Post`.
     - Under **Advanced protocol settings**, select an available signing certificate.
-- **Configure Bindings** _`onal)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
+- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
 
 3. Click **Submit** to save the new application and provider.
 
@@ -47,12 +47,11 @@ To support the integration of Zammad with authentik, you need to create an appli
 
 1. Log in to authentik as an administrator and open the authentik Admin interface.
 2. Navigate to **Applications** > **Providers** and click on the name of the provider that you created in the previous section (e.g. `Provider for zammad`).
-3. Under **Related objects** > **Download signing certificate **, click on **Download**. This downloaded file is your certificate file and it will be required in the next section.
+3. Under **Related objects** > **Download signing certificate**, click on **Download**. This downloaded file is your certificate file and it will be required in the next section.
 
-## Zammad configuration`
+## Zammad configuration
 
-`
-To configure the Zammad SAML o`s go to **Settings** (the gear icon) and select **Security** > **Third-party Applications**. Next, activate the **Authentication via SAML** toggle and change the following fields:
+To configure Zammad's integration with authentik, go to **Settings** (the gear icon) and select **Security** > **Third-party Applications**. Next, activate the **Authentication via SAML** toggle and change the following fields:
 
     - **Display name**: authentik
     - **IDP SSO target URL**: `https://authentik.company/application/saml/<application_slug>/sso/binding/post/`

website/package-lock.json

@@ -19,6 +19,7 @@
                 "@goauthentik/eslint-config": "^1.0.5",
                 "@goauthentik/prettier-config": "^3.1.0",
                 "@goauthentik/tsconfig": "^1.0.4",
+                "@rspack/binding-linux-x64-gnu": "1.5.7",
                 "@types/node": "^24.5.2",
                 "@typescript-eslint/eslint-plugin": "^8.44.1",
                 "@typescript-eslint/parser": "^8.44.1",
@@ -35,9 +36,9 @@
                 "node": ">=24"
             },
             "optionalDependencies": {
-                "@rspack/binding-darwin-arm64": "1.5.5",
-                "@rspack/binding-linux-arm64-gnu": "1.5.5",
-                "@rspack/binding-linux-x64-gnu": "1.5.5",
+                "@rspack/binding-darwin-arm64": "1.5.7",
+                "@rspack/binding-linux-arm64-gnu": "1.5.7",
+                "@rspack/binding-linux-x64-gnu": "1.5.7",
                 "@swc/core-darwin-arm64": "1.13.5",
                 "@swc/core-linux-arm64-gnu": "1.13.5",
                 "@swc/core-linux-x64-gnu": "1.13.5",
@@ -79,9 +80,9 @@
                 "typescript": "^5.9.2"
             },
             "optionalDependencies": {
-                "@rspack/binding-darwin-arm64": "1.5.5",
-                "@rspack/binding-linux-arm64-gnu": "1.5.5",
-                "@rspack/binding-linux-x64-gnu": "1.5.5",
+                "@rspack/binding-darwin-arm64": "1.5.7",
+                "@rspack/binding-linux-arm64-gnu": "1.5.7",
+                "@rspack/binding-linux-x64-gnu": "1.5.7",
                 "@swc/core-darwin-arm64": "1.13.5",
                 "@swc/core-linux-arm64-gnu": "1.13.5",
                 "@swc/core-linux-x64-gnu": "1.13.5",
@@ -5605,9 +5606,9 @@
             }
         },
         "node_modules/@rspack/binding-darwin-arm64": {
-            "version": "1.5.5",
-            "resolved": "https://registry.npmjs.org/@rspack/binding-darwin-arm64/-/binding-darwin-arm64-1.5.5.tgz",
-            "integrity": "sha512-Kg3ywEZHLX+aROfTQ5tMOv+Ud+8b4jk8ruUgsi0W8oBkEkR5xBdhFa9vcf6pzy+gfoLCnEI68U9i8ttm+G0csA==",
+            "version": "1.5.7",
+            "resolved": "https://registry.npmjs.org/@rspack/binding-darwin-arm64/-/binding-darwin-arm64-1.5.7.tgz",
+            "integrity": "sha512-prQ/vgJxOPdlYiR4gVeOEKofTCEOu70JQIQApqFnw8lKM7rd9ag8ogDNqmc2L/GGXGHLAqds28oeKXRlzYf7+Q==",
             "cpu": [
                 "arm64"
             ],
@@ -5631,9 +5632,9 @@
             ]
         },
         "node_modules/@rspack/binding-linux-arm64-gnu": {
-            "version": "1.5.5",
-            "resolved": "https://registry.npmjs.org/@rspack/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-1.5.5.tgz",
-            "integrity": "sha512-KgVN3TeUJ3iNwwOX3JGY4arvoLHX94eItJ4TeOSyetRiSJUrQI0evP16i5kIh+n+p7mVnXmfUS944Gl+uNsJmg==",
+            "version": "1.5.7",
+            "resolved": "https://registry.npmjs.org/@rspack/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-1.5.7.tgz",
+            "integrity": "sha512-fwy+NY+0CHrZqqzDrjPBlTuK53W4dG5EEg/QQFAE7KVM+okRqPk8tg45bJ5628rCNLe13GDmPIE107LmgspNqA==",
             "cpu": [
                 "arm64"
             ],
@@ -5657,9 +5658,9 @@
             ]
         },
         "node_modules/@rspack/binding-linux-x64-gnu": {
-            "version": "1.5.5",
-            "resolved": "https://registry.npmjs.org/@rspack/binding-linux-x64-gnu/-/binding-linux-x64-gnu-1.5.5.tgz",
-            "integrity": "sha512-haPFg4M9GwpSI5g9BQhKUNdzCKDvFexIUkLiAHBjFU9iWQTEcI9VfYPixestOIwzUv7E34rHM+jAsmRGWdgmXw==",
+            "version": "1.5.7",
+            "resolved": "https://registry.npmjs.org/@rspack/binding-linux-x64-gnu/-/binding-linux-x64-gnu-1.5.7.tgz",
+            "integrity": "sha512-brSHywXjjeuWkv0ywgxS4VgDgquarEb4XGr+eXhOaPcc8x2rNefyc4hErplrI7+oxPXVuGK5VE4ZH5bj3Yknvg==",
             "cpu": [
                 "x64"
             ],

website/package.json

@@ -35,9 +35,9 @@
         "typescript-eslint": "^8.44.1"
     },
     "optionalDependencies": {
-        "@rspack/binding-darwin-arm64": "1.5.5",
-        "@rspack/binding-linux-arm64-gnu": "1.5.5",
-        "@rspack/binding-linux-x64-gnu": "1.5.5",
+        "@rspack/binding-darwin-arm64": "1.5.7",
+        "@rspack/binding-linux-arm64-gnu": "1.5.7",
+        "@rspack/binding-linux-x64-gnu": "1.5.7",
         "@swc/core-darwin-arm64": "1.13.5",
         "@swc/core-linux-arm64-gnu": "1.13.5",
         "@swc/core-linux-x64-gnu": "1.13.5",