Headline Changes
-
Duo two-factor support
You can now add the new
authenticator_duostage to configure Duo authenticators. Duo has also been added as device class to theauthenticator_validationstage.Currently, only Duo push notifications are supported. Because no additional input is required, Duo also works with the LDAP Outpost.
-
Multi-tenancy
This version adds soft multi-tenancy. This means you can configure different branding settings and different default flows per domain.
This also changes how a default flow is determined. Previously, for defaults flow, authentik would pick the first flow that
- matches the required designation - comes first sorted by slug - is allowed by policiesNow, authentik first checks if the current tenant has a default flow configured for the selected designation. If not, it behaves the same as before, meaning that if you want to select a default flow based on policy, you can just leave the tenant default empty.
-
Domain-level authorization with proxy providers
Instead of simply being able to toggle between forward auth and proxy mode, you can now enable forward auth for an entire domain. This has the downside that you can't do per-application authorization, but also simplifies configuration as you don't have to create each application in authentik.
-
API Schema now uses OpenAPI v3
The API endpoints are mostly the same, however all the clients are now built from an OpenAPI v3 schema. You can retrieve the schema from
authentik.company.tld/api/v2beta/schema/ -
On Kubernetes installs without a /media PVC, you can now set URLs instead of uploading files.
-
Expanded prometheus metrics for PolicyEngine and FlowPlanner
Minor changes
- You can now specify which sources should be shown on an Identification stage.
- Add UI for the reputation of IPs and usernames for reputation policies.
- Fix proxy outpost not being able to redeem tokens when using with an un-trusted SSL Certificate
- Add UI to check access of any application for any user