Announcing release 2025.2
authentik is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta, Active Directory, and Auth0. Authentik Security is a public benefit company building on top of the open source project.
Our first release of the new year, version 2025.2, includes something for everyone, with the addition of a major new provider (Shared Signals Framework), authentication checks for "impossible travel" using our GeoIP policy, and Remote Access Control now available as an open source feature! Let's take a closer look at the 2025.2 release.
New features
SSF Provider (Enterprise, Preview)
Shared Signals Framework (SSF) is a common standard for sharing asynchronous real-time security signals and events across multiple applications and an identity provider. SSF allows applications to register a stream with authentik and receive events through it, such as when a session was revoked or a credential was added, changed, or deleted, and then execute actions based on these events. To learn more, refer to our SSF documentation.
Using an SSF provider as a backchannel provider allows admins to integrate authentik with Apple Business Manager or Apple School Manager for federated Apple IDs.
RAC moved to open source
Remote access (RDP, VNC and SSH) has moved from enterprise to our free, open source code. We try our best to limit enterprise-specific functionality to features that would be non-essential to homelab users and far more valuable to enterprise use cases. We've had a variety of homelab users reach out with excellent use cases for RAC functionality, so while this will mean giving up some potential revenue, we think that opening up RAC to the community is the right thing to do!
GeoIP distance and impossible travel checks
Using our GeoIP policy with the "impossible travel" option enabled makes it possible to check the distance a user has moved since a previous login, based on client IP, and thus to detect impossible travel distances.
These options can be used to detect and prevent access from potentially stolen authentik sessions or stolen devices.
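The distance-versus-time comparison behind an impossible travel check, as an added Python example that is not authentik's implementation. The coordinates stand in for GeoIP lookups of client IPs, and the speed limit and tolerance are assumed values.

```python
import math
from datetime import datetime, timedelta, timezone

EARTH_RADIUS_KM = 6371.0

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def check_travel(prev, curr, max_speed_kmh=1000.0, tolerance_km=50.0):
    """Return (distance_km, impossible) for two logins of the same user.

    max_speed_kmh and tolerance_km are assumed values; the tolerance
    absorbs the inaccuracy of city-level GeoIP lookups.
    """
    hours = (curr["time"] - prev["time"]).total_seconds() / 3600
    if hours < 0:
        raise ValueError("logins must be in chronological order")
    dist = haversine_km(prev["lat"], prev["lon"], curr["lat"], curr["lon"])
    # Impossible if the hop exceeds what max speed allows in the elapsed time.
    return dist, dist > max_speed_kmh * hours + tolerance_km

def flag_logins(logins):
    """Walk one user's logins in order and flag impossible hops."""
    return [check_travel(a, b)[1] for a, b in zip(logins, logins[1:])]

# Constructed sample data: coordinates as a GeoIP lookup might return them.
T0 = datetime(2025, 2, 1, 8, 0, tzinfo=timezone.utc)
SAMPLE_LOGINS = [
    {"city": "Berlin", "lat": 52.52, "lon": 13.405, "time": T0},
    {"city": "Potsdam", "lat": 52.39, "lon": 13.06, "time": T0 + timedelta(minutes=10)},
    {"city": "New York", "lat": 40.7128, "lon": -74.006, "time": T0 + timedelta(hours=2)},
    {"city": "Berlin", "lat": 52.52, "lon": 13.405, "time": T0 + timedelta(hours=12)},
]

if __name__ == "__main__":
    for login, bad in zip(SAMPLE_LOGINS[1:], flag_logins(SAMPLE_LOGINS)):
        print(login["city"], "IMPOSSIBLE" if bad else "ok")
```

Only the Potsdam to New York hop is flagged: the return to Berlin ten hours later is within reach of a flight, and the short Berlin to Potsdam hop falls inside the tolerance.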
Email OTP Authenticator Setup Stage
Admins now have the ability to configure the option for users to use their email address as an authenticator. Users that already have an email address set on their account will be able to use that address to receive one-time passwords. It is also possible to configure authentik to allow users to add additional email addresses as authenticators. Learn more in our documentation.
Application and providers created in single workflow
The default way of creating an application now allows admins to configure the application and provider at the same time, and also add any kind of bindings (policy, stage, and user or group bindings) without having to navigate through different sections of the UI. The previous way of creating a standalone application and a standalone provider will remain available alongside the new and streamlined method.
New fine-grained permissions for group-level superusers
Enabling the Is superuser toggle on a group now requires a separate permission, making it much easier to allow for delegated management of groups without risking the ability for users to self-elevate permissions. For details, refer to our documentation.
Improved debugging experience
For users who are developing authentik or building very complex, custom integrations, we have added documentation about how to configure debugging in authentik.
Changes to be aware of
Source stage (Enterprise)
In previous versions, the Source stage would incorrectly continue with the initial flow after returning from the source, which didn't match the documented behavior.
With this release this behavior has been corrected and the source stage will now correctly run the selected enrollment/authentication flow before returning to the flow from which the source stage was executed.
Deprecated and frozen :latest container image tag after 2025.2
We are deprecating the :latest tag for container images; using it led to unintentional updates and potentially broken setups. Note that we will not remove the tag, but it will not be updated past 2025.2.
We strongly recommend the use of a specific version tag for authentik instances' container images, such as :2025.2.
Upgrade to version 2025.2
Refer to our Upgrade documentation and the Release Notes for detailed instructions.
Enjoy the new release, and let us know if you have any questions or feedback. Connect with us on GitHub, Discord, or with an email to [email protected].