authentik version 2026.2 is here!
authentik is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta, Keycloak, and Ping. Authentik Security is a public benefit company building on top of the open source authentik project.
This authentik release introduces major updates, including Object Lifecycle Management, WS-Federation support, and significant SCIM provider enhancements contributed by our community.
Let's take a closer look at what's in the 2026.2 release of authentik, your favorite identity provider.

New features
- Object Lifecycle Management (Enterprise, Preview): Admins can now automatically schedule periodic reviews of authentik objects such as applications, groups, and roles for compliance and auditing purposes. Reviewing access privileges and settings is an important best practice, and this feature makes it easy to stay on top of it. Check out the Object Lifecycle Management documentation to learn more.
- WS-Federation (Enterprise): authentik now supports WS-Federation, an XML-based identity federation protocol that uses token exchange for federated Single Sign-On (SSO) and IdP authentication. This is particularly useful for Windows applications like SharePoint. Currently, authentik supports only the SAML2 token type within WS-Federation providers. As a result, the WS-Federation provider cannot be used with Entra ID, which requires a SAML 1.0 token. Learn more in the WS-Federation provider documentation.
- SCIM provider improvements: Major improvements to the SCIM provider have landed thanks to community contributions from @ImmanuelVonNeumann and @bitpavel-l25. The sync improvements add the ability to filter users based on application policies and select specific groups to sync, instead of syncing all users and groups regardless of organizational boundaries. This is especially useful for multi-tenant setups. The group imports change brings feature parity between users and groups by allowing SCIM group definitions to be automatically matched and imported against the local database, just like users already could be. Thank you!
Enhancements
- Fleet connector for Endpoint Devices (Enterprise): Endpoints now has a Fleet connector integration. You can now pull device facts and signals data from Fleet into authentik to implement Conditional Access rules.
- Local Device Login on Linux: As part of our previous release, we released authentik agents. This allowed you to register physical devices with authentik. The last release supported Local Device Login for Windows, but it now works on Linux and also supports WebAuthn/FIDO2.
- ED25519 and ED448 certificates: authentik's certificate builder now supports ED25519 and ED448 certificate generation.
- SAML Provider improvements: The SAML provider's metadata parser now supports importing Single Logout Service endpoints and encryption certificates. Encryption certificates without private keys are now accepted, the structure of encrypted SAML assertions has been corrected, and the signing order for encrypted SAML responses has been fixed.
- SAML Source improvements: SAML sources now correctly handle transient usernames longer than 150 characters, AuthnRequest signatures are no longer embedded in the request body when using the redirect binding, and the signature verification order has been improved for encrypted assertions. Status message handling has been fixed so that success messages don't get rejected, and better error handling was added.
- First steps documentation: We now have a tutorial for your First steps after installing authentik! This document walks you through adding a new application and provider, then adding your first user.
- Python 3.14: authentik now uses Python 3.14 under the hood. We don't use any Python 3.14 features yet, so this changes nothing for now, but we did it. For you :)
Changes to be aware of
This version includes a few breaking changes. Be sure to read along and make any updates as needed.
- SCIM group syncing behavior: Users will now be filtered based on the policies bound to the application that the SCIM provider is used with. There is now an option to select groups in the SCIM provider which, if selected, will sync only those groups. If no groups are selected, all groups will be synced. If you have a SCIM provider with a group filter set up, it will be deactivated and a configuration warning will be created for you to review the configuration.
- User.ak_groups deprecated: Users' groups are now accessed through User.groups instead of User.ak_groups. Usage of .ak_groups will continue to function, but will create a configuration warning event every 30 days (at most). We recommend you check any custom code (e.g. expression policies, property mappings) that deals with group memberships to update them.
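One way to audit custom expressions for the deprecated attribute before the warning events start appearing. This is an added example, not code from the authentik project: the sample expressions are constructed, the function names are hypothetical, and it assumes expression bodies are Python snippets that may use a top-level `return`. It parses each snippet instead of text-matching, so comments and string literals that merely mention `ak_groups` are not flagged.

```python
import ast
import textwrap

# Constructed sample expressions (not from authentik or any real deployment).
SAMPLE_EXPRESSIONS = {
    "require-admins": 'return request.user.ak_groups.filter(name="admins").exists()',
    "group-names": 'names = [g.name for g in user.ak_groups.all()]\nreturn {"groups": names}',
    "already-migrated": 'return request.user.groups.filter(name="admins").exists()',
    "mention-only": '# old code read user.ak_groups\nnote = "user.ak_groups is deprecated"\nreturn True',
}


def find_ak_groups(expression):
    """Return [(line_number, suggested_line)] for each real `.ak_groups` attribute access."""
    if not expression.strip():
        return []
    # Assumption: expression bodies may use a top-level `return`, so wrap them
    # in a function definition before parsing.
    wrapped = "def _expr():\n" + textwrap.indent(expression, "    ")
    tree = ast.parse(wrapped)
    lines = expression.splitlines()
    hits = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Attribute) and node.attr == "ak_groups":
            line_no = node.end_lineno - 1  # subtract the wrapper line
            suggestion = lines[line_no - 1].strip().replace(".ak_groups", ".groups")
            hits.add((line_no, suggestion))
    return sorted(hits)


def scan(expressions):
    """Map expression name -> hits, keeping only expressions that need an update."""
    report = {}
    for name, body in expressions.items():
        hits = find_ak_groups(body)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for name, hits in scan(SAMPLE_EXPRESSIONS).items():
        for line_no, suggestion in hits:
            print(f"{name}:{line_no}: use -> {suggestion}")
```

The suggested line is a plain text substitution for review, not an automatic rewrite; check each one by hand before saving the expression.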
Release frequency change
For the last couple of years, we have released a new version of authentik once every two months. Starting with release 2026.5 in May, we’re switching to a three-month release cycle. We will keep our current practice of supporting the two most recently released versions of authentik with security coverage.
New integration guides
A big thanks to our community contributors for many of these new guides:
- Affine (Thanks @akaSorin!)
- Arcane (Thanks @steilerDev!)
- Datadog (Thanks @dominic-r!)
- Elastic Cloud (Thanks @dominic-r!)
- Okta
If you have an integration guide you'd like to add, check out how to add a new application.
Upgrade to version 2026.2
Refer to the Upgrade documentation and the Release Notes for detailed instructions.
Enjoy the new release! As always, we’d love to hear your questions and feedback. Connect with us on GitHub, Discord, or with an email to [email protected].
