website/docs: release notes for 2026.2.0

website/docs/releases/2026/v2026.2.md

@@ -1,25 +1,75 @@
 ---
 title: Release 2026.2
 slug: "/releases/2026.2"
-draft: true
+beta: true
 ---
 
-:::info
-2026.2 has not been released yet! We're publishing these release notes as a preview of what's to come, and for our awesome beta testers trying out release candidates.
+## Highlights
 
-To try out the release candidate, replace your Docker image tag with the latest release candidate number, such as 2026.2.0-rc1. You can find the latest one in [the latest releases on GitHub](https://github.com/goauthentik/authentik/releases). If you don't find any, it means we haven't released one yet.
-:::
+- **Object Lifecycle Management**: :ak-enterprise :ak-preview Admins can now automatically schedule periodic reviews of authentik objects (applications, groups, roles) for compliance and auditing purposes.
+- **WS-Federation**: :ak-enterprise authentik now supports WS-Federation, a single sign-on and identity federation protocol common in some Microsoft environments.
+- **SCIM provider**: Major improvements to the SCIM provider have been made by community contributions from @ImmanuelVonNeumann and @bitpavel-l25 in the form of [sync improvements](https://github.com/goauthentik/authentik/pull/13947) and [group imports](https://github.com/goauthentik/authentik/pull/19846). Thank you!
 
-## Highlights
+### Release frequency change
+
+In recent years, a new authentik release was cut roughly every two months. We will be extending this to target a three-month release cycle, with the next release being 2026.5 in May. We will keep to our current practice of supporting the two most recently released versions with security coverage, which will therefore result in a longer coverage period as well.
 
 ## Breaking changes
 
-### RBAC
+### SCIM group syncing behavior
 
-`User.ak_groups` has been deprecated. Users' groups are now accessed through `User.groups`. Usage of `.ak_groups` will continue to function, but will create a configuration warning event. We recommend you check any custom code (e.g. expression policies, property mappings) that deals with group memberships to update them if necessary.
+Users will now be filtered based on the policies bound to the application the SCIM provider is used with. There is now an option to select groups in the SCIM provider, which, if selected, will only sync those groups, and if no groups are selected, all groups will be synced. If you have a SCIM provider with a group filter setup, it will be deactivated and a configuration warning will be created, for you to review the configuration.
+
+### Policies / Property mappings
+
+`User.ak_groups` has been deprecated. Users' groups are now accessed through `User.groups`. Usage of `.ak_groups` will continue to function, but will create a configuration warning event, at most every 30 days. We recommend you check any custom code (e.g. expression policies, property mappings) that deals with group memberships to update them if necessary.
 
 ## New features and improvements
 
+### Object lifecycle management :ak-enterprise :ak-preview
+
+[Object Lifecycle Management](../../sys-mgmt/object-lifecycle-management.md) allows Admins to schedule and track periodic reviews for Applications, Groups, and Roles. Reviewing access privileges to specific applications is an important best practice, as is reviewing other settings such as your branding settings, group and role membership, application entitlements, and current policy bindings.
+
+### WS-Federation :ak-enterprise
+
+We now have a provider to integrate authentik with applications and service providers that use the [WS-Fed protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adfsod/204de335-ea34-4f9b-ae73-8b7d4c8152d1). (WS-Fed) is an XML-based identity federation protocol that uses token exchange for federated Single Sign-On (SSO) and IdP authentication, specifically for Windows applications such as Sharepoint. Note that we only support the SAML2 token type within WS-Federation providers, and that using the WS-Fed provider with Entra ID is not supported because Entra ID requires a SAML 1.0 token.
+
+TODO: Link docs @tanberrry #20091
+
+### Endpoints and authentik agent :ak-enterprise
+
+Endpoints now has a [Fleet connector](../../endpoint-devices/device-compliance/connectors/fleetdm.md) integration. You can now pull device facts and signals data from [Fleet](https://fleetdm.com/) into authentik to implement Conditional Access rules.
+
+[Local Device Login](../../endpoint-devices/authentik-agent/device-authentication/local-device-login/linux.md) now works on Linux too and also supports webauthn/FIDO2.
+
+### Certificate builder
+
+authentik's certificate builder now supports ED25519 and ED448 certificate generation.
+
+### SAML Provider
+
+The SAML provider's metadata parser now supports importing Single Logout Service endpoints and encryption certificates. Also, encryption certificates without private keys are now accepted, and the structure of encrypted SAML assertions has been corrected. The signing order for encrypted SAML responses has been fixed, and signature algorithm options are now automatically pulled from the selected signing certificate. The SP ACS binding field has been lowered in the form and will soon be sunset, as defaulting to POST should work in every case.
+
+### SAML Source
+
+SAML sources now correctly handle transient usernames longer than 150 characters by truncating them. AuthnRequest signatures are no longer incorrectly embedded in the request body when using the redirect binding. The signature verification order has been fixed to properly accommodate encrypted assertions, and InvalidSignature exceptions are now properly caught. Status message handling has also been improved for better error reporting.
+
+### Documentation page: First steps
+
+We now have a tutorial for your [First steps](../../install-config/first-steps/index.mdx) after installing authentik! This document walks you through adding a new application and provider, then adding your first user, with Tips to explain more complex concepts. Best practices and troubleshooting tips are also included.
+
+### πthon
+
+authentik now uses [Python 3.14](https://docs.python.org/3/whatsnew/3.14.html) under the hood. This means absolutely nothing as we use none of its features, but it has a cool name.
+
+## New integration guides
+
+An integration is how authentik connects to third-party applications, directories, and other identity providers. The following integration guides were recently added. A big thanks to our contributors!
+
+- [Arcane](https://integrations.goauthentik.io/integrations/hypervisors-orchestrators/arcane/)
+- [Datadog](https://integrations.goauthentik.io/integrations/monitoring/datadog/) (Thanks to [@dominic-r](https://github.com/dominic-r)!)
+- [Elastic Cloud](https://integrations.goauthentik.io/integrations/platforms/elastic-cloud/) (Thanks to [@dominic-r](https://github.com/dominic-r)!)
+
 ## Upgrading
 
 This release does not introduce any new requirements. You can follow the upgrade instructions below; for more detailed information about upgrading authentik, refer to our [Upgrade documentation](../../install-config/upgrade.mdx).