Merge branch 'main' into dev

* main:
  website: revise full development environment instructions (#12638)
  website: bump typescript from 5.7.2 to 5.7.3 in /website (#12620)
  website: bump aws-cdk from 2.174.1 to 2.175.0 in /website (#12621)
  ci: bump docker/setup-qemu-action from 3.2.0 to 3.3.0 (#12622)
  core: bump twilio from 9.4.1 to 9.4.2 (#12623)
  core: bump python-kadmin-rs from 0.5.2 to 0.5.3 (#12624)
  core: bump ruff from 0.8.6 to 0.9.0 (#12625)
  core: bump pydantic from 2.10.4 to 2.10.5 (#12626)
  core: bump google-api-python-client from 2.157.0 to 2.158.0 (#12628)
  core: bump goauthentik.io/api/v3 from 3.2024121.3 to 3.2024122.1 (#12629)
  web: bump API Client version (#12617)
  release: 2024.12.2 (#12615)
  website/docs: prepare 2024.12.2 release notes (#12614)
  providers/saml: fix invalid SAML Response when assertion and response are signed (#12611)
  core: fix error when creating new user with default path (#12609)
  rbac: permissions endpoint: allow authenticated users (#12608)
  website/docs: update customer portal (#12603)
  website/docs: policy for email whitelist: modernize (#12558)

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2024.12.1
+current_version = 2024.12.2
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?

.github/workflows/ci-main.yml

@@ -243,7 +243,7 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.2.0
+        uses: docker/setup-qemu-action@v3.3.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: prepare variables

.github/workflows/ci-outpost.yml

@@ -82,7 +82,7 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.2.0
+        uses: docker/setup-qemu-action@v3.3.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: prepare variables

.github/workflows/release-publish.yml

@@ -17,7 +17,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.2.0
+        uses: docker/setup-qemu-action@v3.3.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: prepare variables
@@ -83,7 +83,7 @@ jobs:
         with:
           go-version-file: "go.mod"
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.2.0
+        uses: docker/setup-qemu-action@v3.3.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: prepare variables

authentik/__init__.py

@@ -2,7 +2,7 @@
 
 from os import environ
 
-__version__ = "2024.12.1"
+__version__ = "2024.12.2"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/providers/saml/processors/assertion.py

@@ -256,7 +256,7 @@ class AssertionProcessor:
         assertion.attrib["IssueInstant"] = self._issue_instant
         assertion.append(self.get_issuer())
 
-        if self.provider.signing_kp:
+        if self.provider.signing_kp and self.provider.sign_assertion:
             sign_algorithm_transform = SIGN_ALGORITHM_TRANSFORM_MAP.get(
                 self.provider.signature_algorithm, xmlsec.constants.TransformRsaSha1
             )
@@ -295,6 +295,18 @@ class AssertionProcessor:
 
         response.append(self.get_issuer())
 
+        if self.provider.signing_kp and self.provider.sign_response:
+            sign_algorithm_transform = SIGN_ALGORITHM_TRANSFORM_MAP.get(
+                self.provider.signature_algorithm, xmlsec.constants.TransformRsaSha1
+            )
+            signature = xmlsec.template.create(
+                response,
+                xmlsec.constants.TransformExclC14N,
+                sign_algorithm_transform,
+                ns=xmlsec.constants.DSigNs,
+            )
+            response.append(signature)
+
         status = SubElement(response, f"{{{NS_SAML_PROTOCOL}}}Status")
         status_code = SubElement(status, f"{{{NS_SAML_PROTOCOL}}}StatusCode")
         status_code.attrib["Value"] = "urn:oasis:names:tc:SAML:2.0:status:Success"

authentik/providers/saml/tests/test_auth_n_request.py

@@ -2,8 +2,10 @@
 
 from base64 import b64encode
 
+from defusedxml.lxml import fromstring
 from django.http.request import QueryDict
 from django.test import TestCase
+from lxml import etree  # nosec
 
 from authentik.blueprints.tests import apply_blueprint
 from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
@@ -11,12 +13,14 @@ from authentik.crypto.models import CertificateKeyPair
 from authentik.events.models import Event, EventAction
 from authentik.lib.generators import generate_id
 from authentik.lib.tests.utils import get_request
+from authentik.lib.xml import lxml_from_string
 from authentik.providers.saml.models import SAMLPropertyMapping, SAMLProvider
 from authentik.providers.saml.processors.assertion import AssertionProcessor
 from authentik.providers.saml.processors.authn_request_parser import AuthNRequestParser
 from authentik.sources.saml.exceptions import MismatchedRequestID
 from authentik.sources.saml.models import SAMLSource
 from authentik.sources.saml.processors.constants import (
+    NS_MAP,
     SAML_BINDING_REDIRECT,
     SAML_NAME_ID_FORMAT_EMAIL,
     SAML_NAME_ID_FORMAT_UNSPECIFIED,
@@ -185,6 +189,19 @@ class TestAuthNRequest(TestCase):
         self.assertEqual(response.count(response_proc._assertion_id), 2)
         self.assertEqual(response.count(response_proc._response_id), 2)
 
+        schema = etree.XMLSchema(
+            etree.parse("schemas/saml-schema-protocol-2.0.xsd", parser=etree.XMLParser())  # nosec
+        )
+        self.assertTrue(schema.validate(lxml_from_string(response)))
+
+        response_xml = fromstring(response)
+        self.assertEqual(
+            len(response_xml.xpath("//saml:Assertion/ds:Signature", namespaces=NS_MAP)), 1
+        )
+        self.assertEqual(
+            len(response_xml.xpath("//samlp:Response/ds:Signature", namespaces=NS_MAP)), 1
+        )
+
         # Now parse the response (source)
         http_request.POST = QueryDict(mutable=True)
         http_request.POST["SAMLResponse"] = b64encode(response.encode()).decode()

authentik/rbac/api/rbac.py

@@ -5,6 +5,7 @@ from django.contrib.auth.models import Permission
 from django.db.models import QuerySet
 from django_filters.filters import ModelChoiceFilter
 from django_filters.filterset import FilterSet
+from django_filters.rest_framework import DjangoFilterBackend
 from rest_framework.exceptions import ValidationError
 from rest_framework.fields import (
     CharField,
@@ -13,6 +14,8 @@ from rest_framework.fields import (
     ReadOnlyField,
     SerializerMethodField,
 )
+from rest_framework.filters import OrderingFilter, SearchFilter
+from rest_framework.permissions import IsAuthenticated
 from rest_framework.viewsets import ReadOnlyModelViewSet
 
 from authentik.core.api.utils import ModelSerializer, PassiveSerializer
@@ -92,7 +95,9 @@ class RBACPermissionViewSet(ReadOnlyModelViewSet):
     queryset = Permission.objects.none()
     serializer_class = PermissionSerializer
     ordering = ["name"]
+    filter_backends = [DjangoFilterBackend, OrderingFilter, SearchFilter]
     filterset_class = PermissionFilter
+    permission_classes = [IsAuthenticated]
     search_fields = [
         "codename",
         "content_type__model",

blueprints/schema.json

@@ -2,7 +2,7 @@
     "$schema": "http://json-schema.org/draft-07/schema",
     "$id": "https://goauthentik.io/blueprints/schema.json",
     "type": "object",
-    "title": "authentik 2024.12.1 Blueprint schema",
+    "title": "authentik 2024.12.2 Blueprint schema",
     "required": [
         "version",
         "entries"

docker-compose.yml

@@ -31,7 +31,7 @@ services:
     volumes:
       - redis:/data
   server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.12.1}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.12.2}
     restart: unless-stopped
     command: server
     environment:
@@ -54,7 +54,7 @@ services:
       redis:
         condition: service_healthy
   worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.12.1}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.12.2}
     restart: unless-stopped
     command: worker
     environment:

go.mod

@@ -29,7 +29,7 @@ require (
 	github.com/spf13/cobra v1.8.1
 	github.com/stretchr/testify v1.10.0
 	github.com/wwt/guac v1.3.2
-	goauthentik.io/api/v3 v3.2024121.3
+	goauthentik.io/api/v3 v3.2024122.1
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
 	golang.org/x/oauth2 v0.25.0
 	golang.org/x/sync v0.10.0

go.sum

@@ -299,8 +299,8 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-goauthentik.io/api/v3 v3.2024121.3 h1:0s4a/3ktiGEr0jbIJqm8PNHWhYD8vwuoI8SCQo1ptiI=
-goauthentik.io/api/v3 v3.2024121.3/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2024122.1 h1:LsGUztpcDrKN2XY+//ITQm9GE0Iplc3wWHQN9QO9fQg=
+goauthentik.io/api/v3 v3.2024122.1/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=

internal/constants/constants.go

@@ -29,4 +29,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }
 
-const VERSION = "2024.12.1"
+const VERSION = "2024.12.2"

package.json

@@ -1,5 +1,5 @@
 {
     "name": "@goauthentik/authentik",
-    "version": "2024.12.1",
+    "version": "2024.12.2",
     "private": true
 }

pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "authentik"
-version = "2024.12.1"
+version = "2024.12.2"
 description = ""
 authors = ["authentik Team <hello@goauthentik.io>"]
 
@@ -131,7 +131,7 @@ pydantic-scim = "*"
 pyjwt = "*"
 pyrad = "*"
 python = "~3.12"
-python-kadmin-rs = "0.5.2"
+python-kadmin-rs = "0.5.3"
 pyyaml = "*"
 requests-oauthlib = "*"
 scim2-filter-parser = "*"

schema.yml

@@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
   title: authentik
-  version: 2024.12.1
+  version: 2024.12.2
   description: Making authentication simple.
   contact:
     email: hello@goauthentik.io

web/package-lock.json

@@ -23,7 +23,7 @@
                 "@floating-ui/dom": "^1.6.11",
                 "@formatjs/intl-listformat": "^7.5.7",
                 "@fortawesome/fontawesome-free": "^6.6.0",
-                "@goauthentik/api": "^2024.12.1-1735590820",
+                "@goauthentik/api": "^2024.12.2-1736451530",
                 "@lit-labs/ssr": "^3.2.2",
                 "@lit/context": "^1.1.2",
                 "@lit/localize": "^0.12.2",
@@ -1775,9 +1775,9 @@
             }
         },
         "node_modules/@goauthentik/api": {
-            "version": "2024.12.1-1735590820",
-            "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2024.12.1-1735590820.tgz",
-            "integrity": "sha512-hO8spA23oqaK/QLwfdDH1iL24S30VanFI2zPXFxfNZ0kT8N08ejcuilwYbRo5EBlnoxGMMQNx+1ML6m8c4QvqA=="
+            "version": "2024.12.2-1736451530",
+            "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2024.12.2-1736451530.tgz",
+            "integrity": "sha512-Ha75ca1fW067HurmnjJec8Bw++yYS8UWj1d3ZjCQgSu8o7OcUggILA+jXhNtBC7cfHqtueE+mAa7tYNnrCib9A=="
         },
         "node_modules/@goauthentik/web": {
             "resolved": "",

web/package.json

@@ -11,7 +11,7 @@
         "@floating-ui/dom": "^1.6.11",
         "@formatjs/intl-listformat": "^7.5.7",
         "@fortawesome/fontawesome-free": "^6.6.0",
-        "@goauthentik/api": "^2024.12.1-1735590820",
+        "@goauthentik/api": "^2024.12.2-1736451530",
         "@lit-labs/ssr": "^3.2.2",
         "@lit/context": "^1.1.2",
         "@lit/localize": "^0.12.2",

web/src/admin/users/UserListPage.ts

@@ -131,9 +131,10 @@ export class UserListPage extends WithBrandConfig(WithCapabilitiesConfig(TablePa
 
     constructor() {
         super();
-        this.activePath = getURLParam<string>("path", "/");
+        const defaultPath = new DefaultUIConfig().defaults.userPath;
+        this.activePath = getURLParam<string>("path", defaultPath);
         uiConfig().then((c) => {
-            if (c.defaults.userPath !== new DefaultUIConfig().defaults.userPath) {
+            if (c.defaults.userPath !== defaultPath) {
                 this.activePath = c.defaults.userPath;
             }
         });

web/src/common/constants.ts

@@ -3,7 +3,7 @@ export const SUCCESS_CLASS = "pf-m-success";
 export const ERROR_CLASS = "pf-m-danger";
 export const PROGRESS_CLASS = "pf-m-in-progress";
 export const CURRENT_CLASS = "pf-m-current";
-export const VERSION = "2024.12.1";
+export const VERSION = "2024.12.2";
 export const TITLE_DEFAULT = "authentik";
 export const ROUTE_SEPARATOR = ";";
 

website/docs/customize/policies/expression/whitelist_email.md

@@ -4,18 +4,32 @@ title: Whitelist email domains
 
 To add specific email addresses to an allow list for signing in through SSO or directly with default policy customization, follow these steps:
 
-1. In the Admin interface, navigate to **Customization > Policies** and modify the default policy named `default-source-enrollment-if-sso`.
+1. In the authentik Admin interface, navigate to **Customization > Policies** and modify the default policy named `default-source-enrollment-if-sso`.
 
 2. Add the following code snippet in the policy-specific settings under **Expression** and then click **Update**.
 
 ```python
-allowed_domains = ["example.net", "example.com"]
+allowed_domains = ["example.org", "example.net", "example.com"]
 
-current_domain = request.context["prompt_data"]["email"].split("@")[1]
-if current_domain not in allowed_domains:
-  ak_message("Access denied for this email domain")
-  return False
-return ak_is_sso_flow
+current_domain = request.context["prompt_data"]["email"].split("@")[1] if request.context.get("prompt_data", {}).get("email") else None
+if current_domain in allowed_domains:
+  email = request.context["prompt_data"]["email"]
+  request.context["prompt_data"]["username"] = email
+  return ak_is_sso_flow
+else:
+  return ak_message("Enrollment denied for this email domain")
 ```
 
 This configuration specifies the `allowed_domains` list of domains for logging in through SSO, such as Google OAuth2. If your email is not in the available domains, you will receive a 'Permission Denied' message on the login screen.
+
+You can also enforce your allowed domains policy for authentication by modifying the policy `default-source-authentication-if-sso` with the following expression:
+
+```python
+allowed_domains = ["example.org", "example.net", "example.com"]
+
+current_domain = request.user.email.split("@")[1] if hasattr(request.user, 'email') and request.user.email else None
+if current_domain in allowed_domains:
+  return ak_is_sso_flow
+else:
+  return ak_message("Authentication denied for this email domain")
+```

website/docs/developer-docs/setup/full-dev-environment.md

@@ -2,14 +2,20 @@
 title: Full development environment
 ---
 
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+import ExecutionEnvironment from '@docusaurus/ExecutionEnvironment';
+
 ## Requirements
 
-- Python 3.12
-- Poetry, which is used to manage dependencies
-- Go 1.23 or newer
-- Node.js 21 or newer
-- PostgreSQL 14 or newer
-- Redis (any recent version will do)
+- [Python](https://www.python.org/) 3.12
+- [Poetry](https://python-poetry.org/), which is used to manage dependencies
+    - Poetry 2.0 or higher also requires the [poetry-plugin-shell](https://github.com/python-poetry/poetry-plugin-shell) extension.
+- [Go](https://go.dev/) 1.23 or newer
+- [Node.js](https://nodejs.org/en) 21 or newer
+- [PostgreSQL](https://www.postgresql.org/) 14 or newer
+- [Redis](https://redis.io/) (any recent version will do)
+- [Docker](https://www.docker.com/) (Community Edition will do)
 
 ## Services Setup
 
@@ -23,53 +29,100 @@ If you use locally installed databases, the PostgreSQL credentials given to auth
 ## Backend Setup
 
 :::info
-Depending on your platform, some native dependencies might be required. On macOS, run `brew install libxmlsec1 libpq krb5`, and for the CLI tools `brew install postgresql redis node@20`.
+Depending on your platform, some native dependencies might be required.
+
+<Tabs
+defaultValue={ (ExecutionEnvironment.canUseDOM) ? (() => {
+const ua = window.navigator.userAgent.toLowerCase();
+return ["linux", "windows", "mac"].find((p) => ua.includes(p)) || "mac";
+})() : "mac" }
+
+values={[
+{label: "macOS", value: "mac"},
+{label: "Linux", value: "linux"},
+{label: "Windows", value: "windows"},
+]}>
+
+  <TabItem value="mac">
+    To install the native dependencies on macOS, run:
+    
+    ```sh
+    $ pip install poetry poetry-plugin-shell
+    $ brew install libxmlsec1 libpq krb5   # Required development libraries,
+    $ brew install postgresql redis node@22 golangci-lint   # Required CLI tools
+  ```
+
+  </TabItem>
+
+  <TabItem value="linux">
+  To install native dependencies on Debian or Ubuntu, run:
+
+```sh
+$ pip install poetry poetry-plugin-shell
+$ sudo apt-get install  libgss-dev krb5-config libkrb5-dev postgresql-server-dev-all
+$ sudo apt-get install postresql redis
+```
+
+Adjust your needs as required for other distributions such as Red Hat, SUSE, or Arch.
+
+Install golangci-lint locally [from the site
+instructions](https://golangci-lint.run/welcome/install/#other-ci).
+
+  </TabItem>
+
+<TabItem value="windows">[We request community input on running the full dev environment on Windows]</TabItem>
+
+</Tabs>
+
 :::
 
 1. Create an isolated Python environment. To create the environment and install dependencies, run the following commands in the same directory as your local authentik git repository:
 
 ```shell
-poetry shell # Creates a python virtualenv, and activates it in a new shell
-make install # Installs all required dependencies for Python and Javascript, including development dependencies
+poetry shell   # Creates a python virtualenv, and activates it in a new shell
+make install   # Installs all required dependencies for Python and Javascript, including development dependencies
 ```
 
 2. Configure authentik to use the local databases using a local config file. To generate this file, run the following command in the same directory as your local authentik git repository:
 
 ```shell
-make gen-dev-config # Generates a local config file
+make gen-dev-config   # Generates a local config file
 ```
 
 Generally speaking, authentik is a Django application, ran by gunicorn, proxied by a Go application. The Go application serves static files.
 
 Most functions and classes have type-hints and docstrings, so it is recommended to install a Python Type-checking Extension in your IDE to navigate around the code.
 
-Before committing code, run the following commands in the same directory as your local authentik git repository:
-
-```shell
-make lint # Ensures your code is well-formatted
-make gen # Generates an updated OpenAPI Docs for any changes you make
-```
-
 ## Frontend Setup
 
 By default, no compiled bundle of the frontend is included so this step is required even if you're not developing for the UI.
 
+The UI requires the authentik API files for Typescript be built and installed:
+
+```
+$ make migrate   # On a fresh install, ensures the API schema file is available
+$ make gen       # Generates the API based on the schema file
+```
+
+If you make changes to the authentik API, you must re-run `make gen` so that the corresponding
+changes are made to the API library that is used by the UI.
+
 To build the UI once, run the following command in the same directory as your local authentik git repository:
 
 ```shell
-make web-build # Builds the UI once
+make web-build   # Builds the UI once
 ```
 
 If you want to live-edit the UI, you can run the following command in the same directory as your local authentik git repository instead, which will immediately update the UI with any changes you make so you can see the results in real time without needing to rebuild:
 
 ```shell
-make web-watch # Updates the UI with any changes you make
+make web-watch   # Updates the UI with any changes you make
 ```
 
 To format the frontend code, run the following command in the same directory as your authentik git repository:
 
 ```shell
-make web # Formats the frontend code
+make web   # Formats the frontend code
 ```
 
 ## Running authentik
@@ -77,7 +130,7 @@ make web # Formats the frontend code
 Now that the backend and frontend have been setup and built, you can start authentik by running the following command in the same directory as your local authentik git repository:
 
 ```shell
-ak server # Starts authentik server
+ak server   # Starts authentik server
 ```
 
 And now, authentik should now be accessible at `http://localhost:9000`.
@@ -87,3 +140,13 @@ To define a password for the default admin (called **akadmin**), you can manuall
 
 In case of issues in this process, feel free to use `make dev-reset` which drops and restores the Authentik PostgreSQL instance to a "fresh install" state.
 :::
+
+## Submitting Pull Requests
+
+Before submitting a pull request, run the following commands in the same directory as your local authentik git repository:
+
+```shell
+make lint   # Ensures your code is well-formatted
+make gen    # Generates an updated OpenAPI Docs for any changes you make
+make web    # Formats the front-end code
+```

website/docs/enterprise/entsupport.md

@@ -4,6 +4,10 @@ title: Support
 
 Enterprise authentik provides expert support, with a Support center where you can open a request and view the progress and communications for your current requests.
 
+:::info
+Only licensed instances of authentik can access the Support center.
+:::
+
 ### Managing tickets and requests
 
 To access the Support center, where you can open a request and view current requests, go to the Customer Portal and then click **Support** in the top menu.
@@ -16,4 +20,4 @@ You can also always reach out to us via email, using hello@goauthentik.io email
 
 ### Product version support
 
-We [support](../security/policy.mdx) the current, released version of authentik and one version back (including all major, minor, and patch versions).
+We [support](../security/policy#supported-versions) the current, released version of authentik and one version back (including all major, minor, and patch versions).

website/docs/enterprise/get-started.md

@@ -17,9 +17,9 @@ If this is a fresh install, refer to our [technical documentation](../install-co
 
 Access your Enterprise features by first [purchasing a license](./manage-enterprise.md#buy-a-license) for the organization.
 
-To open the Customer portal and buy a license, go to the Admin interface and in the left pane, navigate to **Enterprise -> Licenses**, and then click **Go to Customer portal**.
+To open the Customer Portal and buy a license, go to the Admin interface and in the left pane, navigate to **Enterprise -> Licenses**, and then click **Go to Customer Portal**.
 
-The license key provides direct access to the Customer portal, where you define your organization and its members, manage billing, and access our Support center.
+In the Customer Portal you define your organization and its members, manage your licenses and billing, and access our Support center.
 
 :::info
 A license is associated with a specific Organization in the customer portal and a specific authentik instance (with a unique Install ID), and not with individual users. A single license is purchased for a specified number of users. Additional users can be added to a license, or additional licenses purchased for the same instance, if more users need to be added later.
@@ -29,4 +29,8 @@ A license is associated with a specific Organization in the customer portal and
 
 Enterprise authentik provides dedicated support, with a Support center where you can open a request and view the progress and communications for your current requests.
 
+:::info
+Access to the Support Center and the ticketing system requires a licensed instance of authentik.
+:::
+
 To learn about our Support center, see ["Enterprise support"](./entsupport.md).

website/docs/enterprise/index.md

@@ -10,4 +10,4 @@ Refer to our Enterprise documentation for information about creating and managin
 - [Manage your Enterprise account](./manage-enterprise.md)
 - [Support for Enterprise accounts](./entsupport.md)
 
-Our standard technical documentation covers how to configure, customize, and use authentik, whether the open source version that we have built our reputation on, or our Enterprise version with dedicated support.
+Our standard technical documentation covers how to configure, customize, and use authentik, whether the open source version that we have built our reputation on or our Enterprise version with dedicated support.

website/docs/enterprise/manage-enterprise.md

@@ -8,7 +8,7 @@ Your organization defines the members, their roles, the licenses associated with
 
 ### Create an Organization
 
-1. To create a new organization, log in to the [Customer portal](./get-started.md#access-enterprise).
+1. To create a new organization, log in to the [Customer Portal](./get-started.md#access-enterprise).
 
 2. On the **My organizations** page, click **Create an organization**.
 
@@ -22,12 +22,12 @@ If you need to delete an organization open a ticket in the Support center.
 
 ### Add/remove members of an organization
 
-In the Customer portal you can remove members and invite new members to the organization. When you invite new members, you can specify the role for the new member.
+In the Customer Portal you can remove members and invite new members to the organization. When you invite new members, you can specify the role for the new member.
 
 - **Member**: can view licenses, including the license key.
 - **Owner**: can do everything the Member role can do, plus: add and remove members, order and renew licenses, and edit the organization.
 
-1. To manage membership in an organization, log in to the [Customer portal](./get-started.md#access-enterprise).
+1. To manage membership in an organization, log in to the [Customer Portal](./get-started.md#access-enterprise).
 
 2. On the **My organizations** page, click the name of the organization you want to edit membership in.
 
@@ -41,7 +41,7 @@ In the Customer portal you can remove members and invite new members to the orga
 
 ## License management
 
-Note that a license is associated with a specific Organization in the customer portal and a specific authentik instance (with a unique Install ID), and not with individual users. A single license is purchased for a specified number of users. Additional users can be added to a license, or additional licenses purchased for the same instance, if more users need to be added later.
+Note that a license is associated with a specific Organization in the Customer Portal and a specific authentik instance (with a unique Install ID), and not with individual users. A single license is purchased for a specified number of users. Additional users can be added to a license, or additional licenses purchased for the same instance, if more users need to be added later.
 
 ### Buy a license
 
@@ -53,7 +53,7 @@ Note that a license is associated with a specific Organization in the customer p
 
 !["Admin interface licenses page"](./licenses-page-admin.png)
 
-2. On the **Admin interface**, navigate to **Enterprise → Licenses** in the left menu, and then click **Go to Customer portal** under the **Get a license** section.
+2. On the **Admin interface**, navigate to **Enterprise → Licenses** in the left menu, and then click **Go to Customer Portal** under the **Get a license** section.
 
 3. In the Authentik login screen, sign up and then log in to the Customer Portal.
 
@@ -74,7 +74,7 @@ Note that a license is associated with a specific Organization in the customer p
     When ready, the license displays on the organization's page.
 
 :::info
-If you access the checkout page directly from the Customer portal, and not through the admin interface, you are prompted to provide the Install ID for your authentik installation. This ID can be found in the Admin interface on the **Licenses** page; click **Install** to view the **Install ID** number.
+If you access the checkout page directly from the Customer Portal, and not through the admin interface, you are prompted to provide the Install ID for your authentik installation. This ID can be found in the Admin interface on the **Licenses** page; click **Install** to view the **Install ID** number.
 :::
 
 8. To retrieve your license key, click on **Details** beside the license name and copy the key to your clipboard.
@@ -87,7 +87,11 @@ To verify that the license was successfully installed, confirm that the expriry
 
 ### How to view your license key
 
-You can view the list of licenses that are applied to your organization on either the Admin interface, on the **Enterprise -> Licenses** page, or in the Customer portal, under your organization's page.
+You can view the list of licenses that are applied to your organization on either the Admin interface, on the **Enterprise -> Licenses** page, or in the Customer Portal, under your organization's page.
+
+### Update your license
+
+If you purchase a new license, or receive a new one due to a change in the number of users, you will need to remove the old license and add the new one. To do so open the Admin interface, navigate to **Enterprise -> Licenses** page, click on **Install**, paste the new key, and then click **Install**.
 
 ### About the license expiry date
 
@@ -97,11 +101,9 @@ The **Enterprise -> Licenses** page shows your current licenses' **Cumulative li
 
 The following events occur when a license expires or the internal/external user count is over the licensed user count for the time period below.
 
-- After 2 weeks of the expiry date administrators see a warning banner on the Admin interface
-
-- After another 2 weeks, users get a warning banner
-
-- After another 2 weeks, the authentik Enterprise instance becomes "read-only"
+    - After 2 weeks of the expiry date administrators see a warning banner on the Admin interface
+    - After another 2 weeks, users get a warning banner
+    - After another 2 weeks, the authentik Enterprise instance becomes "read-only"
 
     When an authentik instance is in read-only mode, the following actions are still possible:
 
@@ -129,7 +131,7 @@ The second way is to [open a support ticket](./entsupport.md) with us and we'll
 
 Billing is based on each individual organization.
 
-1. To manage your billing, go to the Customer portal and click "My organizations" in the top menu bar.
+1. To manage your billing, go to the Customer Portal and click "My organizations" in the top menu bar.
 
 2. Select the organization for which you want to manage bulling.
 

website/docs/install-config/install/aws/template.yaml

@@ -24,7 +24,7 @@ Parameters:
     Description: authentik server memory in MiB
     Type: Number
   AuthentikVersion:
-    Default: 2024.12.1
+    Default: 2024.12.2
     Description: authentik Docker image tag
     Type: String
   AuthentikWorkerCPU:

website/docs/releases/2024/v2024.12.md

@@ -161,6 +161,15 @@ helm upgrade authentik authentik/authentik -f values.yaml --version ^2024.12
 - website/docs: add content about bindings (cherry-pick #11787) (#12428)
 - website/docs: add new section about impersonation (cherry-pick #12328) (#12424)
 
+## Fixed in 2024.12.2
+
+- core: fix error when creating new user with default path (cherry-pick #12609) (#12612)
+- internal: fix missing trailing slash in outpost websocket (cherry-pick #12470) (#12471)
+- providers/saml: fix invalid SAML Response when assertion and response are signed (cherry-pick #12611) (#12613)
+- rbac: permissions endpoint: allow authenticated users (cherry-pick #12608) (#12610)
+- sources/kerberos: authenticate with the user's username instead of the first username in authentik (cherry-pick #12497) (#12579)
+- web: fix source selection and outpost integration health (#12530)
+
 ## API Changes
 
 #### What's New

website/package-lock.json

@@ -35,10 +35,10 @@
                 "@docusaurus/tsconfig": "^3.7.0",
                 "@docusaurus/types": "^3.3.2",
                 "@types/react": "^18.3.13",
-                "aws-cdk": "^2.174.1",
+                "aws-cdk": "^2.175.0",
                 "cross-env": "^7.0.3",
                 "prettier": "3.4.2",
-                "typescript": "~5.7.2",
+                "typescript": "~5.7.3",
                 "wireit": "^0.14.9"
             },
             "engines": {
@@ -5715,9 +5715,9 @@
             }
         },
         "node_modules/aws-cdk": {
-            "version": "2.174.1",
-            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.174.1.tgz",
-            "integrity": "sha512-wwInII0MDcql7DuEn7C0/2wcGkCIIxOkOpn3BGgsw+RsjvYtX2jnlbZE3RSrH9EvIeaB1QeZfilNzex9eSk04w==",
+            "version": "2.175.0",
+            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.175.0.tgz",
+            "integrity": "sha512-vWMI/DRicvqH+yfOE0ykZolZwn/U9oRvpt1GyoNx1USS/NWc/60Pico9zx8Ui6fc1fYK3ow+Gwl3p/Cch9uscQ==",
             "dev": true,
             "bin": {
                 "cdk": "bin/cdk"
@@ -22027,9 +22027,9 @@
             }
         },
         "node_modules/typescript": {
-            "version": "5.7.2",
-            "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.7.2.tgz",
-            "integrity": "sha512-i5t66RHxDvVN40HfDd1PsEThGNnlMCMT3jMUuoh9/0TaqWevNontacunWyN02LA9/fIbEWlcHZcgTKb9QoaLfg==",
+            "version": "5.7.3",
+            "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.7.3.tgz",
+            "integrity": "sha512-84MVSjMEHP+FQRPy3pX9sTVV/INIex71s9TL2Gm5FG/WG1SqXeKyZ0k7/blY/4FdOzI12CBy1vGc4og/eus0fw==",
             "bin": {
                 "tsc": "bin/tsc",
                 "tsserver": "bin/tsserver"

website/package.json

@@ -56,10 +56,10 @@
         "@docusaurus/tsconfig": "^3.7.0",
         "@docusaurus/types": "^3.3.2",
         "@types/react": "^18.3.13",
-        "aws-cdk": "^2.174.1",
+        "aws-cdk": "^2.175.0",
         "cross-env": "^7.0.3",
         "prettier": "3.4.2",
-        "typescript": "~5.7.2",
+        "typescript": "~5.7.3",
         "wireit": "^0.14.9"
     },
     "wireit": {