website/docs: release notes for 2026.2.0

website/docs/releases/2026/v2026.2.md

@@ -1,25 +1,81 @@
 ---
 title: Release 2026.2
 slug: "/releases/2026.2"
-draft: true
+beta: true
 ---
 
-:::info
-2026.2 has not been released yet! We're publishing these release notes as a preview of what's to come, and for our awesome beta testers trying out release candidates.
+## Highlights
 
-To try out the release candidate, replace your Docker image tag with the latest release candidate number, such as 2026.2.0-rc1. You can find the latest one in [the latest releases on GitHub](https://github.com/goauthentik/authentik/releases). If you don't find any, it means we haven't released one yet.
-:::
+TODO: @fheisler reword please and thank you
 
-## Highlights
+This release focuses on minor features and bugfixes. However, a couple of major enterprise features also made it in:
+
+- **SCIM provider**: Major improvements to the SCIM provider have been made by community contributions from @ImmanuelVonNeumann and @bitpavel-l25 in the form of [sync improvements](https://github.com/goauthentik/authentik/pull/13947) and [group imports](https://github.com/goauthentik/authentik/pull/19846). Thank you!
+- **Object Lifecycle Management**: :ak-enterprise :ak-preview You can now automatically schedule periodic reviews of authentik objects (applications, groups, roles).
+- **WS-Federation**: :ak-enterprise authentik now supports WS-Federation, a single sign-on and identity federation protocol.
+
+### Release frequency change
+
+In recent years a new authentik release was cut more-or-less every 2 months. We feel that our feature set is now mature enough to target a 3-month release cycle. The next release is therefore planned for May 2026.
+
+In terms of security, we will keep to our current practice of supporting the two most recently released versions. The releases being further apart results in longer security coverage.
 
 ## Breaking changes
 
-### RBAC
+### SCIM group syncing behavior
+
+Users will now be filtered based on the policies bound to the application the SCIM provider is used with. There is now an option to select groups in the SCIM provider, which, if selected, will only sync those groups, and if no groups are selected, all groups will be synced. If you have a SCIM provider with a group filter setup, it will be deactivated and a configuration warning will be created, for you to review the configuration.
 
-`User.ak_groups` has been deprecated. Users' groups are now accessed through `User.groups`. Usage of `.ak_groups` will continue to function, but will create a configuration warning event. We recommend you check any custom code (e.g. expression policies, property mappings) that deals with group memberships to update them if necessary.
+### Policies / Property mappings
+
+`User.ak_groups` has been deprecated. Users' groups are now accessed through `User.groups`. Usage of `.ak_groups` will continue to function, but will create a configuration warning event, at most every 30 days. We recommend you check any custom code (e.g. expression policies, property mappings) that deals with group memberships to update them if necessary.
 
 ## New features and improvements
 
+### Object lifecycle management :ak-enterprise :ak-preview
+
+Object Lifecycle Management allows you to schedule and track periodic reviews for Applications, Groups and Roles. Reviewing access privileges to specific applications is an important best practice, as is reviewing other settings such as your branding settings, group and role membership, application entitlements, and current policy bindings.
+
+### WS-Federation :ak-enterprise
+
+TODO: @tanberry
+
+WS-Federation added for compatibility with legacy software, we only support the SAML2 token type within WS-Federation providers.
+
+> And mention that it doesn't work with Entra, because Entra needs a SAML 1.0 token
+
+TODO: Link docs
+
+### Endpoints and authentik agent :ak-enterprise
+
+Endpoints now has a FleetDM connector integration. You can now pull in device facts and signals data from Fleet into authentik to implement Conditional Access rules.
+
+TODO: Link docs currently being written by @dewi-tik
+
+Local Device Login now works on Linux too and also supports webauthn/FIDO2.
+
+### Certificate builder
+
+authentik's certificate builder now supports ED25519 and ED448 certificate generation.
+
+### Documentation page: First steps
+
+We now have a tutorial for your [First steps](../../install-config/first-steps/index.mdx) after installing authentik! This document walks you through adding a new application and provider, then adding your first user, with Tips to explain more complex concepts. Best practices and troubleshooting tips are also included.
+
+### πthon
+
+authentik now uses [Python 3.14](https://docs.python.org/3/whatsnew/3.14.html) under the hood. This means absolutely nothing as we use none of its features, but it has a cool name.
+
+## New integration guides
+
+An integration is how authentik connects to third-party applications, directories, and other identity providers. The following integration guides were recently added. A big thanks to our contributors!
+
+- [Arcane](https://integrations.goauthentik.io/hypervisors-orchestrators/arcane/)
+
+- [Datadog](https://integrations.goauthentik.io/monitoring/datadog/) (Thanks to [@dominic-r](https://github.com/dominic-r)!)
+
+- [Elastic Cloud](https://integrations.goauthentik.io/platforms/elastic-cloud/) (Thanks to [@dominic-r](https://github.com/dominic-r)!)
+
 ## Upgrading
 
 This release does not introduce any new requirements. You can follow the upgrade instructions below; for more detailed information about upgrading authentik, refer to our [Upgrade documentation](../../install-config/upgrade.mdx).