core, events: reduce memory usage when batch deleting objects

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
core, web: update translations (#12432 )
2024-12-20 11:57:53 +01:00 · 2024-12-20 10:42:51 +01:00 · 2024-12-20 03:27:28 +01:00 · 2024-12-19 20:52:20 +00:00 · 2024-12-19 21:27:13 +01:00 · 2024-12-19 20:35:20 +01:00
92 changed files with 2466 additions and 2975 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,16 +1,16 @@
 [bumpversion]
-current_version = 2024.12.4
+current_version = 2024.12.0
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
-serialize = 
+serialize =
 	{major}.{minor}.{patch}-{rc_t}{rc_n}
 	{major}.{minor}.{patch}
 message = release: {new_version}
 tag_name = version/{new_version}

 [bumpversion:part:rc_t]
-values = 
+values =
 	rc
 	final
 optional_value = final
--- a/.github/actions/comment-pr-instructions/action.yml
+++ b/.github/actions/comment-pr-instructions/action.yml
@ -35,6 +35,14 @@ runs:
            AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
            ```

+            For arm64, use these values:
+
+            ```shell
+            AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
+            AUTHENTIK_TAG=${{ inputs.tag }}-arm64
+            AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
+            ```
+
            Afterwards, run the upgrade commands from the latest release notes.
          </details>
          <details>
@ -52,6 +60,18 @@ runs:
                    tag: ${{ inputs.tag }}
            ```

+            For arm64, use these values:
+
+            ```yaml
+            authentik:
+                outposts:
+                    container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
+            global:
+                image:
+                    repository: ghcr.io/goauthentik/dev-server
+                    tag: ${{ inputs.tag }}-arm64
+            ```
+
            Afterwards, run the upgrade commands from the latest release notes.
          </details>
        edit-mode: replace
--- a/.github/actions/docker-push-variables/action.yml
+++ b/.github/actions/docker-push-variables/action.yml
@ -9,9 +9,6 @@ inputs:
  image-arch:
    required: false
    description: "Docker image arch"
-  release:
-    required: true
-    description: "True if this is a release build, false if this is a dev/PR build"

 outputs:
  shouldPush:
@ -32,24 +29,15 @@ outputs:
  imageTags:
    description: "Docker image tags"
    value: ${{ steps.ev.outputs.imageTags }}
-  imageTagsJSON:
-    description: "Docker image tags, as a JSON array"
-    value: ${{ steps.ev.outputs.imageTagsJSON }}
  attestImageNames:
    description: "Docker image names used for attestation"
    value: ${{ steps.ev.outputs.attestImageNames }}
-  cacheTo:
-    description: "cache-to value for the docker build step"
-    value: ${{ steps.ev.outputs.cacheTo }}
  imageMainTag:
    description: "Docker image main tag"
    value: ${{ steps.ev.outputs.imageMainTag }}
  imageMainName:
    description: "Docker image main name"
    value: ${{ steps.ev.outputs.imageMainName }}
-  imageBuildArgs:
-    description: "Docker image build args"
-    value: ${{ steps.ev.outputs.imageBuildArgs }}

 runs:
  using: "composite"
@ -60,8 +48,6 @@ runs:
      env:
        IMAGE_NAME: ${{ inputs.image-name }}
        IMAGE_ARCH: ${{ inputs.image-arch }}
-        RELEASE: ${{ inputs.release }}
        PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
-        REF: ${{ github.ref }}
      run: |
        python3 ${{ github.action_path }}/push_vars.py
--- a/.github/actions/docker-push-variables/push_vars.py
+++ b/.github/actions/docker-push-variables/push_vars.py
@ -2,7 +2,6 @@

 import configparser
 import os
-from json import dumps
 from time import time

 parser = configparser.ConfigParser()
@ -49,7 +48,7 @@ if is_release:
            ]
 else:
    suffix = ""
-    if image_arch:
+    if image_arch and image_arch != "amd64":
        suffix = f"-{image_arch}"
    for name in image_names:
        image_tags += [
@ -71,31 +70,12 @@ def get_attest_image_names(image_with_tags: list[str]):
    return ",".join(set(image_tags))


-# Generate `cache-to` param
-cache_to = ""
-if should_push:
-    _cache_tag = "buildcache"
-    if image_arch:
-        _cache_tag += f"-{image_arch}"
-    cache_to = f"type=registry,ref={get_attest_image_names(image_tags)}:{_cache_tag},mode=max"
-
-
-image_build_args = []
-if os.getenv("RELEASE", "false").lower() == "true":
-    image_build_args = [f"VERSION={os.getenv('REF')}"]
-else:
-    image_build_args = [f"GIT_BUILD_HASH={sha}"]
-image_build_args = "\n".join(image_build_args)
-
 with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
    print(f"shouldPush={str(should_push).lower()}", file=_output)
    print(f"sha={sha}", file=_output)
    print(f"version={version}", file=_output)
    print(f"prerelease={prerelease}", file=_output)
    print(f"imageTags={','.join(image_tags)}", file=_output)
-    print(f"imageTagsJSON={dumps(image_tags)}", file=_output)
    print(f"attestImageNames={get_attest_image_names(image_tags)}", file=_output)
    print(f"imageMainTag={image_main_tag}", file=_output)
    print(f"imageMainName={image_tags[0]}", file=_output)
-    print(f"cacheTo={cache_to}", file=_output)
-    print(f"imageBuildArgs={image_build_args}", file=_output)
--- a/.github/actions/docker-push-variables/test.sh
+++ b/.github/actions/docker-push-variables/test.sh
@ -1,18 +1,7 @@
 #!/bin/bash -x
 SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-# Non-pushing PR
 GITHUB_OUTPUT=/dev/stdout \
    GITHUB_REF=ref \
    GITHUB_SHA=sha \
    IMAGE_NAME=ghcr.io/goauthentik/server,beryju/authentik \
-    GITHUB_REPOSITORY=goauthentik/authentik \
-    python $SCRIPT_DIR/push_vars.py
-
-# Pushing PR/main
-GITHUB_OUTPUT=/dev/stdout \
-    GITHUB_REF=ref \
-    GITHUB_SHA=sha \
-    IMAGE_NAME=ghcr.io/goauthentik/server,beryju/authentik \
-    GITHUB_REPOSITORY=goauthentik/authentik \
-    DOCKER_USERNAME=foo \
    python $SCRIPT_DIR/push_vars.py
--- a/.github/workflows/_reusable-docker-build-single.yaml
+++ b/.github/workflows/_reusable-docker-build-single.yaml
@ -1,95 +0,0 @@
-# Re-usable workflow for a single-architecture build
-name: Single-arch Container build
-
-on:
-  workflow_call:
-    inputs:
-      image_name:
-        required: true
-        type: string
-      image_arch:
-        required: true
-        type: string
-      runs-on:
-        required: true
-        type: string
-      registry_dockerhub:
-        default: false
-        type: boolean
-      registry_ghcr:
-        default: false
-        type: boolean
-      release:
-        default: false
-        type: boolean
-    outputs:
-      image-digest:
-        value: ${{ jobs.build.outputs.image-digest }}
-
-jobs:
-  build:
-    name: Build ${{ inputs.image_arch }}
-    runs-on: ${{ inputs.runs-on }}
-    outputs:
-      image-digest: ${{ steps.push.outputs.digest }}
-    permissions:
-      # Needed to upload container images to ghcr.io
-      packages: write
-      # Needed for attestation
-      id-token: write
-      attestations: write
-    steps:
-      - uses: actions/checkout@v4
-      - uses: docker/setup-qemu-action@v3.3.0
-      - uses: docker/setup-buildx-action@v3
-      - name: prepare variables
-        uses: ./.github/actions/docker-push-variables
-        id: ev
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-        with:
-          image-name: ${{ inputs.image_name }}
-          image-arch: ${{ inputs.image_arch }}
-          release: ${{ inputs.release }}
-      - name: Login to Docker Hub
-        if: ${{ inputs.registry_dockerhub }}
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
-      - name: Login to GitHub Container Registry
-        if: ${{ inputs.registry_ghcr }}
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: make empty clients
-        if: ${{ inputs.release }}
-        run: |
-          mkdir -p ./gen-ts-api
-          mkdir -p ./gen-go-api
-      - name: generate ts client
-        if: ${{ !inputs.release }}
-        run: make gen-client-ts
-      - name: Build Docker Image
-        uses: docker/build-push-action@v6
-        id: push
-        with:
-          context: .
-          push: true
-          secrets: |
-            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
-            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
-          build-args: |
-            ${{ steps.ev.outputs.imageBuildArgs }}
-          tags: ${{ steps.ev.outputs.imageTags }}
-          platforms: linux/${{ inputs.image_arch }}
-          cache-from: type=registry,ref=${{ steps.ev.outputs.attestImageNames }}:buildcache-${{ inputs.image_arch }}
-          cache-to: ${{ steps.ev.outputs.cacheTo }}
-      - uses: actions/attest-build-provenance@v2
-        id: attest
-        with:
-          subject-name: ${{ steps.ev.outputs.attestImageNames }}
-          subject-digest: ${{ steps.push.outputs.digest }}
-          push-to-registry: true
--- a/.github/workflows/_reusable-docker-build.yaml
+++ b/.github/workflows/_reusable-docker-build.yaml
@ -1,102 +0,0 @@
-# Re-usable workflow for a multi-architecture build
-name: Multi-arch container build
-
-on:
-  workflow_call:
-    inputs:
-      image_name:
-        required: true
-        type: string
-      registry_dockerhub:
-        default: false
-        type: boolean
-      registry_ghcr:
-        default: true
-        type: boolean
-      release:
-        default: false
-        type: boolean
-    outputs: {}
-
-jobs:
-  build-server-amd64:
-    uses: ./.github/workflows/_reusable-docker-build-single.yaml
-    secrets: inherit
-    with:
-      image_name: ${{ inputs.image_name }}
-      image_arch: amd64
-      runs-on: ubuntu-latest
-      registry_dockerhub: ${{ inputs.registry_dockerhub }}
-      registry_ghcr: ${{ inputs.registry_ghcr }}
-      release: ${{ inputs.release }}
-  build-server-arm64:
-    uses: ./.github/workflows/_reusable-docker-build-single.yaml
-    secrets: inherit
-    with:
-      image_name: ${{ inputs.image_name }}
-      image_arch: arm64
-      runs-on: ubuntu-22.04-arm
-      registry_dockerhub: ${{ inputs.registry_dockerhub }}
-      registry_ghcr: ${{ inputs.registry_ghcr }}
-      release: ${{ inputs.release }}
-  get-tags:
-    runs-on: ubuntu-latest
-    needs:
-      - build-server-amd64
-      - build-server-arm64
-    outputs:
-      tags: ${{ steps.ev.outputs.imageTagsJSON }}
-    steps:
-      - uses: actions/checkout@v4
-      - name: prepare variables
-        uses: ./.github/actions/docker-push-variables
-        id: ev
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-        with:
-          image-name: ${{ inputs.image_name }}
-  merge-server:
-    runs-on: ubuntu-latest
-    needs:
-      - get-tags
-      - build-server-amd64
-      - build-server-arm64
-    strategy:
-      fail-fast: false
-      matrix:
-        tag: ${{ fromJson(needs.get-tags.outputs.tags) }}
-    steps:
-      - uses: actions/checkout@v4
-      - name: prepare variables
-        uses: ./.github/actions/docker-push-variables
-        id: ev
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-        with:
-          image-name: ${{ inputs.image_name }}
-      - name: Login to Docker Hub
-        if: ${{ inputs.registry_dockerhub }}
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
-      - name: Login to GitHub Container Registry
-        if: ${{ inputs.registry_ghcr }}
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - uses: int128/docker-manifest-create-action@v2
-        id: build
-        with:
-          tags: ${{ matrix.tag }}
-          sources: |
-            ${{ steps.ev.outputs.attestImageNames }}@${{ needs.build-server-amd64.outputs.image-digest }}
-            ${{ steps.ev.outputs.attestImageNames }}@${{ needs.build-server-arm64.outputs.image-digest }}
-      - uses: actions/attest-build-provenance@v2
-        id: attest
-        with:
-          subject-name: ${{ steps.ev.outputs.attestImageNames }}
-          subject-digest: ${{ steps.build.outputs.digest }}
-          push-to-registry: true
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@ -223,18 +223,68 @@ jobs:
        with:
          jobs: ${{ toJSON(needs) }}
  build:
+    strategy:
+      fail-fast: false
+      matrix:
+        arch:
+          - amd64
+          - arm64
+    needs: ci-core-mark
+    runs-on: ubuntu-latest
    permissions:
-      # Needed to upload container images to ghcr.io
+      # Needed to upload contianer images to ghcr.io
      packages: write
      # Needed for attestation
      id-token: write
      attestations: write
-    needs: ci-core-mark
-    uses: ./.github/workflows/_reusable-docker-build.yaml
-    secrets: inherit
-    with:
-      image_name: ghcr.io/goauthentik/dev-server
-      release: false
+    timeout-minutes: 120
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3.2.0
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: prepare variables
+        uses: ./.github/actions/docker-push-variables
+        id: ev
+        env:
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+        with:
+          image-name: ghcr.io/goauthentik/dev-server
+          image-arch: ${{ matrix.arch }}
+      - name: Login to Container Registry
+        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: generate ts client
+        run: make gen-client-ts
+      - name: Build Docker Image
+        uses: docker/build-push-action@v6
+        id: push
+        with:
+          context: .
+          secrets: |
+            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
+            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
+          tags: ${{ steps.ev.outputs.imageTags }}
+          push: ${{ steps.ev.outputs.shouldPush == 'true' }}
+          build-args: |
+            GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
+          cache-from: type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache
+          cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache,mode=max' || '' }}
+          platforms: linux/${{ matrix.arch }}
+      - uses: actions/attest-build-provenance@v2
+        id: attest
+        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
+        with:
+          subject-name: ${{ steps.ev.outputs.attestImageNames }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
  pr-comment:
    needs:
      - build
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@ -72,7 +72,7 @@ jobs:
          - rac
    runs-on: ubuntu-latest
    permissions:
-      # Needed to upload container images to ghcr.io
+      # Needed to upload contianer images to ghcr.io
      packages: write
      # Needed for attestation
      id-token: write
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -2,7 +2,7 @@ name: "CodeQL"

 on:
  push:
-    branches: [main, next, version*]
+    branches: [main, "*", next, version*]
  pull_request:
    branches: [main]
  schedule:
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@ -7,23 +7,64 @@ on:

 jobs:
  build-server:
-    uses: ./.github/workflows/_reusable-docker-build.yaml
-    secrets: inherit
+    runs-on: ubuntu-latest
    permissions:
-      # Needed to upload container images to ghcr.io
+      # Needed to upload contianer images to ghcr.io
      packages: write
      # Needed for attestation
      id-token: write
      attestations: write
-    with:
-      image_name: ghcr.io/goauthentik/server,beryju/authentik
-      release: true
-      registry_dockerhub: true
-      registry_ghcr: true
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3.2.0
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: prepare variables
+        uses: ./.github/actions/docker-push-variables
+        id: ev
+        env:
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+        with:
+          image-name: ghcr.io/goauthentik/server,beryju/authentik
+      - name: Docker Login Registry
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: make empty clients
+        run: |
+          mkdir -p ./gen-ts-api
+          mkdir -p ./gen-go-api
+      - name: Build Docker Image
+        uses: docker/build-push-action@v6
+        id: push
+        with:
+          context: .
+          push: true
+          secrets: |
+            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
+            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
+          build-args: |
+            VERSION=${{ github.ref }}
+          tags: ${{ steps.ev.outputs.imageTags }}
+          platforms: linux/amd64,linux/arm64
+      - uses: actions/attest-build-provenance@v2
+        id: attest
+        with:
+          subject-name: ${{ steps.ev.outputs.attestImageNames }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
  build-outpost:
    runs-on: ubuntu-latest
    permissions:
-      # Needed to upload container images to ghcr.io
+      # Needed to upload contianer images to ghcr.io
      packages: write
      # Needed for attestation
      id-token: write
@ -147,8 +188,8 @@ jobs:
          aws-region: ${{ env.AWS_REGION }}
      - name: Upload template
        run: |
-          aws s3 cp --acl=public-read website/docs/install-config/install/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.${{ github.ref }}.yaml
-          aws s3 cp --acl=public-read website/docs/install-config/install/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.latest.yaml
+          aws s3 cp website/docs/install-config/install/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.${{ github.ref }}.yaml
+          aws s3 cp website/docs/install-config/install/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.latest.yaml
  test-release:
    needs:
      - build-server
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@ -14,7 +14,16 @@ jobs:
      - uses: actions/checkout@v4
      - name: Pre-release test
        run: |
-          make test-docker
+          echo "PG_PASS=$(openssl rand 32 | base64 -w 0)" >> .env
+          echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64 -w 0)" >> .env
+          docker buildx install
+          mkdir -p ./gen-ts-api
+          docker build -t testing:latest .
+          echo "AUTHENTIK_IMAGE=testing" >> .env
+          echo "AUTHENTIK_TAG=latest" >> .env
+          docker compose up --no-start
+          docker compose start postgresql redis
+          docker compose run -u root server test-all
      - id: generate_token
        uses: tibdex/github-app-token@v2
        with:
--- a/32
+++ b/32
@ -94,7 +94,7 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
    /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"

 # Stage 5: Python dependencies
-FROM ghcr.io/goauthentik/fips-python:3.12.8-slim-bookworm-fips AS python-deps
+FROM ghcr.io/goauthentik/fips-python:3.12.7-slim-bookworm-fips-full AS python-deps

 ARG TARGETARCH
 ARG TARGETVARIANT
@ -116,30 +116,15 @@ RUN --mount=type=bind,target=./pyproject.toml,src=./pyproject.toml \
    --mount=type=bind,target=./poetry.lock,src=./poetry.lock \
    --mount=type=cache,target=/root/.cache/pip \
    --mount=type=cache,target=/root/.cache/pypoetry \
-    pip install --no-cache cffi && \
-    apt-get update && \
-    apt-get install -y --no-install-recommends \
-        build-essential libffi-dev \
-        # Required for cryptography
-        curl pkg-config \
-        # Required for lxml
-        libxslt-dev zlib1g-dev \
-        # Required for xmlsec
-        libltdl-dev \
-        # Required for kadmin
-        sccache clang && \
-    curl https://sh.rustup.rs -sSf | sh -s -- -y && \
-    . "$HOME/.cargo/env" && \
    python -m venv /ak-root/venv/ && \
    bash -c "source ${VENV_PATH}/bin/activate && \
-    pip3 install --upgrade pip poetry && \
-    poetry config --local installer.no-binary cryptography,xmlsec,lxml,python-kadmin-rs && \
+    pip3 install --upgrade pip && \
+    pip3 install poetry && \
    poetry install --only=main --no-ansi --no-interaction --no-root && \
-    pip uninstall cryptography -y && \
-    poetry install --only=main --no-ansi --no-interaction --no-root"
+    pip install --force-reinstall /wheels/*"

 # Stage 6: Run
-FROM ghcr.io/goauthentik/fips-python:3.12.8-slim-bookworm-fips AS final-image
+FROM ghcr.io/goauthentik/fips-python:3.12.7-slim-bookworm-fips-full AS final-image

 ARG VERSION
 ARG GIT_BUILD_HASH
@ -156,7 +141,7 @@ WORKDIR /
 # We cannot cache this layer otherwise we'll end up with a bigger image
 RUN apt-get update && \
    # Required for runtime
-    apt-get install -y --no-install-recommends libpq5 libmaxminddb0 ca-certificates libkrb5-3 libkadm5clnt-mit12 libkdb5-10 libltdl7 libxslt1.1 && \
+    apt-get install -y --no-install-recommends libpq5 libmaxminddb0 ca-certificates libkrb5-3 libkadm5clnt-mit12 libkdb5-10 && \
    # Required for bootstrap & healtcheck
    apt-get install -y --no-install-recommends runit && \
    apt-get clean && \
@ -191,8 +176,9 @@ ENV TMPDIR=/dev/shm/ \
    PYTHONUNBUFFERED=1 \
    PATH="/ak-root/venv/bin:/lifecycle:$PATH" \
    VENV_PATH="/ak-root/venv" \
-    POETRY_VIRTUALENVS_CREATE=false \
-    GOFIPS=1
+    POETRY_VIRTUALENVS_CREATE=false
+
+ENV GOFIPS=1

 HEALTHCHECK --interval=30s --timeout=30s --start-period=60s --retries=3 CMD [ "ak", "healthcheck" ]

--- a/12
+++ b/12
@ -45,6 +45,15 @@ help:  ## Show this help
 go-test:
 	go test -timeout 0 -v -race -cover ./...

+test-docker:  ## Run all tests in a docker-compose
+	echo "PG_PASS=$(shell openssl rand 32 | base64 -w 0)" >> .env
+	echo "AUTHENTIK_SECRET_KEY=$(shell openssl rand 32 | base64 -w 0)" >> .env
+	docker compose pull -q
+	docker compose up --no-start
+	docker compose start postgresql redis
+	docker compose run -u root server test-all
+	rm -f .env
+
 test: ## Run the server tests and produce a coverage report (locally)
 	coverage run manage.py test --keepdb authentik
 	coverage html
@ -254,9 +263,6 @@ docker:  ## Build a docker image of the current source tree
 	mkdir -p ${GEN_API_TS}
 	DOCKER_BUILDKIT=1 docker build . --progress plain --tag ${DOCKER_IMAGE}

-test-docker:
-	./scripts/test_docker.sh
-
 #########################
 ## CI
 #########################
--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,7 +2,7 @@

 from os import environ

-__version__ = "2024.12.4"
+__version__ = "2024.12.0"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"


--- a/authentik/blueprints/management/commands/make_blueprint_schema.py
+++ b/authentik/blueprints/management/commands/make_blueprint_schema.py
@ -126,7 +126,7 @@ class Command(BaseCommand):
        def_name_perm = f"model_{model_path}_permissions"
        def_path_perm = f"#/$defs/{def_name_perm}"
        self.schema["$defs"][def_name_perm] = self.model_permissions(model)
-        return {
+        template = {
            "type": "object",
            "required": ["model", "identifiers"],
            "properties": {
@ -143,6 +143,11 @@ class Command(BaseCommand):
                "identifiers": {"$ref": def_path},
            },
        }
+        # Meta models don't require identifiers, as there's no matching database model to find
+        if issubclass(model, BaseMetaModel):
+            del template["properties"]["identifiers"]
+            template["required"].remove("identifiers")
+        return template

    def field_to_jsonschema(self, field: Field) -> dict:
        """Convert a single field to json schema"""
--- a/authentik/core/api/application_entitlements.py
+++ b/authentik/core/api/application_entitlements.py
@ -1,16 +1,15 @@
 """Application Roles API Viewset"""

-from django.http import HttpRequest
 from django.utils.translation import gettext_lazy as _
 from rest_framework.exceptions import ValidationError
 from rest_framework.viewsets import ModelViewSet

-from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer
 from authentik.core.models import (
    Application,
    ApplicationEntitlement,
+    User,
 )


@ -19,10 +18,7 @@ class ApplicationEntitlementSerializer(ModelSerializer):

    def validate_app(self, app: Application) -> Application:
        """Ensure user has permission to view"""
-        request: HttpRequest = self.context.get("request")
-        if not request and SERIALIZER_CONTEXT_BLUEPRINT in self.context:
-            return app
-        user = request.user
+        user: User = self._context["request"].user
        if user.has_perm("view_application", app) or user.has_perm(
            "authentik_core.view_application"
        ):
--- a/authentik/core/api/devices.py
+++ b/authentik/core/api/devices.py
@ -3,7 +3,6 @@
 from django.utils.translation import gettext_lazy as _
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, extend_schema
-from guardian.shortcuts import get_objects_for_user
 from rest_framework.fields import (
    BooleanField,
    CharField,
@ -17,6 +16,7 @@ from rest_framework.viewsets import ViewSet

 from authentik.core.api.utils import MetaNameSerializer
 from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import EndpointDevice
+from authentik.rbac.decorators import permission_required
 from authentik.stages.authenticator import device_classes, devices_for_user
 from authentik.stages.authenticator.models import Device
 from authentik.stages.authenticator_webauthn.models import WebAuthnDevice
@ -73,9 +73,7 @@ class AdminDeviceViewSet(ViewSet):
    def get_devices(self, **kwargs):
        """Get all devices in all child classes"""
        for model in device_classes():
-            device_set = get_objects_for_user(
-                self.request.user, f"{model._meta.app_label}.view_{model._meta.model_name}", model
-            ).filter(**kwargs)
+            device_set = model.objects.filter(**kwargs)
            yield from device_set

    @extend_schema(
@ -88,6 +86,10 @@ class AdminDeviceViewSet(ViewSet):
        ],
        responses={200: DeviceSerializer(many=True)},
    )
+    @permission_required(
+        None,
+        [f"{model._meta.app_label}.view_{model._meta.model_name}" for model in device_classes()],
+    )
    def list(self, request: Request) -> Response:
        """Get all devices for current user"""
        kwargs = {}
--- a/authentik/core/api/sources.py
+++ b/authentik/core/api/sources.py
@ -21,7 +21,6 @@ from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import MetaNameSerializer, ModelSerializer
 from authentik.core.models import GroupSourceConnection, Source, UserSourceConnection
 from authentik.core.types import UserSettingSerializer
-from authentik.lib.api import MultipleFieldLookupMixin
 from authentik.lib.utils.file import (
    FilePathSerializer,
    FileUploadSerializer,
@ -76,7 +75,6 @@ class SourceSerializer(ModelSerializer, MetaNameSerializer):


 class SourceViewSet(
-    MultipleFieldLookupMixin,
    TypesMixin,
    mixins.RetrieveModelMixin,
    mixins.DestroyModelMixin,
@ -89,7 +87,6 @@ class SourceViewSet(
    queryset = Source.objects.none()
    serializer_class = SourceSerializer
    lookup_field = "slug"
-    lookup_fields = ["slug", "pbm_uuid"]
    search_fields = ["slug", "name"]
    filterset_fields = ["slug", "name", "managed"]

--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -1,14 +1,13 @@
 """User API Views"""

 from datetime import timedelta
-from importlib import import_module
 from json import loads
 from typing import Any

-from django.conf import settings
 from django.contrib.auth import update_session_auth_hash
 from django.contrib.auth.models import Permission
-from django.contrib.sessions.backends.base import SessionBase
+from django.contrib.sessions.backends.cache import KEY_PREFIX
+from django.core.cache import cache
 from django.db.models.functions import ExtractHour
 from django.db.transaction import atomic
 from django.db.utils import IntegrityError
@ -92,7 +91,6 @@ from authentik.stages.email.tasks import send_mails
 from authentik.stages.email.utils import TemplateEmailMessage

 LOGGER = get_logger()
-SessionStore: SessionBase = import_module(settings.SESSION_ENGINE).SessionStore


 class UserGroupSerializer(ModelSerializer):
@ -769,8 +767,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
        if not instance.is_active:
            sessions = AuthenticatedSession.objects.filter(user=instance)
            session_ids = sessions.values_list("session_key", flat=True)
-            for session in session_ids:
-                SessionStore(session).delete()
+            cache.delete_many(f"{KEY_PREFIX}{session}" for session in session_ids)
            sessions.delete()
            LOGGER.debug("Deleted user's sessions", user=instance.username)
        return response
--- a/authentik/core/signals.py
+++ b/authentik/core/signals.py
@ -1,10 +1,7 @@
 """authentik core signals"""

-from importlib import import_module
-
-from django.conf import settings
 from django.contrib.auth.signals import user_logged_in, user_logged_out
-from django.contrib.sessions.backends.base import SessionBase
+from django.contrib.sessions.backends.cache import KEY_PREFIX
 from django.core.cache import cache
 from django.core.signals import Signal
 from django.db.models import Model
@ -28,7 +25,6 @@ password_changed = Signal()
 login_failed = Signal()

 LOGGER = get_logger()
-SessionStore: SessionBase = import_module(settings.SESSION_ENGINE).SessionStore


@receiver(post_save, sender=Application)
@ -64,7 +60,8 @@ def user_logged_out_session(sender, request: HttpRequest, user: User, **_):
@receiver(pre_delete, sender=AuthenticatedSession)
 def authenticated_session_delete(sender: type[Model], instance: "AuthenticatedSession", **_):
    """Delete session when authenticated session is deleted"""
-    SessionStore(instance.session_key).delete()
+    cache_key = f"{KEY_PREFIX}{instance.session_key}"
+    cache.delete(cache_key)


@receiver(pre_save)
--- a/authentik/core/sources/flow_manager.py
+++ b/authentik/core/sources/flow_manager.py
@ -36,7 +36,7 @@ from authentik.flows.planner import (
 )
 from authentik.flows.stage import StageView
 from authentik.flows.views.executor import NEXT_ARG_NAME, SESSION_KEY_GET, SESSION_KEY_PLAN
-from authentik.lib.utils.urls import is_url_absolute, redirect_with_qs
+from authentik.lib.utils.urls import redirect_with_qs
 from authentik.lib.views import bad_request_message
 from authentik.policies.denied import AccessDeniedResponse
 from authentik.policies.utils import delete_none_values
@ -208,8 +208,6 @@ class SourceFlowManager:
        final_redirect = self.request.session.get(SESSION_KEY_GET, {}).get(
            NEXT_ARG_NAME, "authentik_core:if-user"
        )
-        if not is_url_absolute(final_redirect):
-            final_redirect = "authentik_core:if-user"
        flow_context.update(
            {
                # Since we authenticate the user by their token, they have no backend set
--- a/authentik/core/tasks.py
+++ b/authentik/core/tasks.py
@ -18,6 +18,7 @@ from authentik.core.models import (
 )
 from authentik.events.system_tasks import SystemTask, TaskStatus, prefill_task
 from authentik.lib.config import CONFIG
+from authentik.lib.utils.db import qs_batch_iter
 from authentik.root.celery import CELERY_APP

 LOGGER = get_logger()
@ -34,14 +35,14 @@ def clean_expired_models(self: SystemTask):
            cls.objects.all().exclude(expiring=False).exclude(expiring=True, expires__gt=now())
        )
        amount = objects.count()
-        for obj in objects:
+        for obj in qs_batch_iter(objects):
            obj.expire_action()
        LOGGER.debug("Expired models", model=cls, amount=amount)
        messages.append(f"Expired {amount} {cls._meta.verbose_name_plural}")
    # Special case
    amount = 0

-    for session in AuthenticatedSession.objects.all():
+    for session in qs_batch_iter(AuthenticatedSession.objects.all()):
        match CONFIG.get("session_storage", "cache"):
            case "cache":
                cache_key = f"{KEY_PREFIX}{session.session_key}"
--- a/authentik/enterprise/providers/rac/models.py
+++ b/authentik/enterprise/providers/rac/models.py
@ -159,9 +159,9 @@ class ConnectionToken(ExpiringModel):
            default_settings["port"] = str(port)
        else:
            default_settings["hostname"] = self.endpoint.host
-        if self.endpoint.protocol == Protocols.RDP:
-            default_settings["resize-method"] = "display-update"
-        default_settings["client-name"] = f"authentik - {self.session.user}"
+        default_settings["client-name"] = "authentik"
+        # default_settings["enable-drive"] = "true"
+        # default_settings["drive-name"] = "authentik"
        settings = {}
        always_merger.merge(settings, default_settings)
        always_merger.merge(settings, self.endpoint.provider.settings)
--- a/authentik/enterprise/providers/rac/tests/test_models.py
+++ b/authentik/enterprise/providers/rac/tests/test_models.py
@ -50,10 +50,9 @@ class TestModels(TransactionTestCase):
            {
                "hostname": self.endpoint.host.split(":")[0],
                "port": "1324",
-                "client-name": f"authentik - {self.user}",
+                "client-name": "authentik",
                "drive-path": path,
                "create-drive-path": "true",
-                "resize-method": "display-update",
            },
        )
        # Set settings in provider
@ -64,11 +63,10 @@ class TestModels(TransactionTestCase):
            {
                "hostname": self.endpoint.host.split(":")[0],
                "port": "1324",
-                "client-name": f"authentik - {self.user}",
+                "client-name": "authentik",
                "drive-path": path,
                "create-drive-path": "true",
                "level": "provider",
-                "resize-method": "display-update",
            },
        )
        # Set settings in endpoint
@ -81,11 +79,10 @@ class TestModels(TransactionTestCase):
            {
                "hostname": self.endpoint.host.split(":")[0],
                "port": "1324",
-                "client-name": f"authentik - {self.user}",
+                "client-name": "authentik",
                "drive-path": path,
                "create-drive-path": "true",
                "level": "endpoint",
-                "resize-method": "display-update",
            },
        )
        # Set settings in token
@ -98,11 +95,10 @@ class TestModels(TransactionTestCase):
            {
                "hostname": self.endpoint.host.split(":")[0],
                "port": "1324",
-                "client-name": f"authentik - {self.user}",
+                "client-name": "authentik",
                "drive-path": path,
                "create-drive-path": "true",
                "level": "token",
-                "resize-method": "display-update",
            },
        )
        # Set settings in property mapping (provider)
@ -118,11 +114,10 @@ class TestModels(TransactionTestCase):
            {
                "hostname": self.endpoint.host.split(":")[0],
                "port": "1324",
-                "client-name": f"authentik - {self.user}",
+                "client-name": "authentik",
                "drive-path": path,
                "create-drive-path": "true",
                "level": "property_mapping_provider",
-                "resize-method": "display-update",
            },
        )
        # Set settings in property mapping (endpoint)
@ -140,12 +135,11 @@ class TestModels(TransactionTestCase):
            {
                "hostname": self.endpoint.host.split(":")[0],
                "port": "1324",
-                "client-name": f"authentik - {self.user}",
+                "client-name": "authentik",
                "drive-path": path,
                "create-drive-path": "true",
                "level": "property_mapping_endpoint",
                "foo": "true",
                "bar": "6",
-                "resize-method": "display-update",
            },
        )
--- a/authentik/events/tasks.py
+++ b/authentik/events/tasks.py
@ -15,6 +15,7 @@ from authentik.events.models import (
    TaskStatus,
 )
 from authentik.events.system_tasks import SystemTask, prefill_task
+from authentik.lib.utils.db import qs_batch_iter
 from authentik.policies.engine import PolicyEngine
 from authentik.policies.models import PolicyBinding, PolicyEngineMode
 from authentik.root.celery import CELERY_APP
@ -129,7 +130,8 @@ def gdpr_cleanup(user_pk: int):
    """cleanup events from gdpr_compliance"""
    events = Event.objects.filter(user__pk=user_pk)
    LOGGER.debug("GDPR cleanup, removing events from user", events=events.count())
-    events.delete()
+    for event in qs_batch_iter(events):
+        event.delete()


@CELERY_APP.task(bind=True, base=SystemTask)
@ -138,6 +140,7 @@ def notification_cleanup(self: SystemTask):
    """Cleanup seen notifications and notifications whose event expired."""
    notifications = Notification.objects.filter(Q(event=None) | Q(seen=True))
    amount = notifications.count()
-    notifications.delete()
+    for notification in qs_batch_iter(notifications):
+        notification.delete()
    LOGGER.debug("Expired notifications", amount=amount)
    self.set_status(TaskStatus.SUCCESSFUL, f"Expired {amount} Notifications")
--- a/authentik/flows/planner.py
+++ b/authentik/flows/planner.py
@ -109,8 +109,6 @@ class FlowPlan:

    def pop(self):
        """Pop next pending stage from bottom of list"""
-        if not self.markers and not self.bindings:
-            return
        self.markers.pop(0)
        self.bindings.pop(0)

@ -158,13 +156,8 @@ class FlowPlan:
            final_stage: type[StageView] = self.bindings[-1].stage.view
            temp_exec = FlowExecutorView(flow=flow, request=request, plan=self)
            temp_exec.current_stage = self.bindings[-1].stage
-            temp_exec.current_stage_view = final_stage
-            temp_exec.setup(request, flow.slug)
            stage = final_stage(request=request, executor=temp_exec)
-            response = stage.dispatch(request)
-            # Ensure we clean the flow state we have in the session before we redirect away
-            temp_exec.stage_ok()
-            return response
+            return stage.dispatch(request)

        return redirect_with_qs(
            "authentik_core:if-flow",
--- a/authentik/flows/views/executor.py
+++ b/authentik/flows/views/executor.py
@ -103,7 +103,7 @@ class FlowExecutorView(APIView):

    permission_classes = [AllowAny]

-    flow: Flow = None
+    flow: Flow

    plan: FlowPlan | None = None
    current_binding: FlowStageBinding | None = None
@ -114,8 +114,7 @@ class FlowExecutorView(APIView):

    def setup(self, request: HttpRequest, flow_slug: str):
        super().setup(request, flow_slug=flow_slug)
-        if not self.flow:
-            self.flow = get_object_or_404(Flow.objects.select_related(), slug=flow_slug)
+        self.flow = get_object_or_404(Flow.objects.select_related(), slug=flow_slug)
        self._logger = get_logger().bind(flow_slug=flow_slug)
        set_tag("authentik.flow", self.flow.slug)

--- a/authentik/flows/views/inspector.py
+++ b/authentik/flows/views/inspector.py
@ -78,9 +78,7 @@ class FlowInspectorView(APIView):
        self.flow = get_object_or_404(Flow.objects.select_related(), slug=flow_slug)
        if settings.DEBUG:
            return
-        if request.user.has_perm("authentik_flows.inspect_flow") or request.user.has_perm(
-            "authentik_flows.inspect_flow", self.flow
-        ):
+        if request.user.has_perm("authentik_flow.inspect_flow", self.flow):
            return
        raise Http404

--- a/authentik/lib/api.py
+++ b/authentik/lib/api.py
@ -1,37 +0,0 @@
-from collections.abc import Callable, Sequence
-from typing import Self
-from uuid import UUID
-
-from django.db.models import Model, Q, QuerySet, UUIDField
-from django.shortcuts import get_object_or_404
-
-
-class MultipleFieldLookupMixin:
-    """Helper mixin class to add support for multiple lookup_fields.
-    `lookup_fields` needs to be set which specifies the actual fields to query, `lookup_field`
-    is only used to generate the URL."""
-
-    lookup_field: str
-    lookup_fields: str | Sequence[str]
-
-    get_queryset: Callable[[Self], QuerySet]
-    filter_queryset: Callable[[Self, QuerySet], QuerySet]
-
-    def get_object(self):
-        queryset: QuerySet = self.get_queryset()
-        queryset = self.filter_queryset(queryset)
-        if isinstance(self.lookup_fields, str):
-            self.lookup_fields = [self.lookup_fields]
-        query = Q()
-        model: Model = queryset.model
-        for field in self.lookup_fields:
-            field_inst = model._meta.get_field(field)
-            # Sanity check, if the field we're filtering again, only apply the filter if
-            # our value looks like a UUID
-            if isinstance(field_inst, UUIDField):
-                try:
-                    UUID(self.kwargs[self.lookup_field])
-                except ValueError:
-                    continue
-            query |= Q(**{field: self.kwargs[self.lookup_field]})
-        return get_object_or_404(queryset, query)
--- a/authentik/lib/config.py
+++ b/authentik/lib/config.py
@ -283,8 +283,7 @@ class ConfigLoader:
    def get_optional_int(self, path: str, default=None) -> int | None:
        """Wrapper for get that converts value into int or None if set"""
        value = self.get(path, default)
-        if value is UNSET:
-            return default
+
        try:
            return int(value)
        except (ValueError, TypeError) as exc:
--- a/authentik/lib/utils/db.py
+++ b/authentik/lib/utils/db.py
@ -0,0 +1,22 @@
+"""authentik database utilities"""
+
+import gc
+
+from django.db.models import QuerySet
+
+
+def qs_batch_iter(qs: QuerySet, batch_size: int = 10_000, gc_collect: bool = True):
+    pk_iter = qs.values_list("pk", flat=True).order_by("pk").distinct().iterator()
+    eof = False
+    while not eof:
+        pk_buffer = []
+        i = 0
+        try:
+            while i < batch_size:
+                pk_buffer.append(pk_iter.next())
+                i += 1
+        except StopIteration:
+            eof = True
+        yield from qs.filter(pk__in=pk_buffer).order_by("pk").iterator()
+        if gc_collect:
+            gc.collect()
--- a/authentik/providers/oauth2/views/authorize.py
+++ b/authentik/providers/oauth2/views/authorize.py
@ -499,11 +499,11 @@ class OAuthFulfillmentStage(StageView):
            )

            challenge.is_valid()
-            self.executor.stage_ok()
+
            return HttpChallengeResponse(
                challenge=challenge,
            )
-        self.executor.stage_ok()
+
        return HttpResponseRedirectScheme(uri, allowed_schemes=[parsed.scheme])

    def post(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
--- a/authentik/providers/saml/api/providers.py
+++ b/authentik/providers/saml/api/providers.py
@ -54,9 +54,23 @@ class SAMLProviderSerializer(ProviderSerializer):
        if "request" not in self._context:
            return ""
        request: HttpRequest = self._context["request"]._request
-        return request.build_absolute_uri(
-            reverse("authentik_api:samlprovider-metadata", kwargs={"pk": instance.pk}) + "?download"
-        )
+        try:
+            return request.build_absolute_uri(
+                reverse(
+                    "authentik_providers_saml:metadata-download",
+                    kwargs={"application_slug": instance.application.slug},
+                )
+            )
+        except Provider.application.RelatedObjectDoesNotExist:
+            return request.build_absolute_uri(
+                reverse(
+                    "authentik_api:samlprovider-metadata",
+                    kwargs={
+                        "pk": instance.pk,
+                    },
+                )
+                + "?download"
+            )

    def get_url_sso_post(self, instance: SAMLProvider) -> str:
        """Get SSO Post URL"""
--- a/authentik/providers/saml/processors/assertion.py
+++ b/authentik/providers/saml/processors/assertion.py
@ -256,7 +256,7 @@ class AssertionProcessor:
        assertion.attrib["IssueInstant"] = self._issue_instant
        assertion.append(self.get_issuer())

-        if self.provider.signing_kp and self.provider.sign_assertion:
+        if self.provider.signing_kp:
            sign_algorithm_transform = SIGN_ALGORITHM_TRANSFORM_MAP.get(
                self.provider.signature_algorithm, xmlsec.constants.TransformRsaSha1
            )
@ -295,18 +295,6 @@ class AssertionProcessor:

        response.append(self.get_issuer())

-        if self.provider.signing_kp and self.provider.sign_response:
-            sign_algorithm_transform = SIGN_ALGORITHM_TRANSFORM_MAP.get(
-                self.provider.signature_algorithm, xmlsec.constants.TransformRsaSha1
-            )
-            signature = xmlsec.template.create(
-                response,
-                xmlsec.constants.TransformExclC14N,
-                sign_algorithm_transform,
-                ns=xmlsec.constants.DSigNs,
-            )
-            response.append(signature)
-
        status = SubElement(response, f"{{{NS_SAML_PROTOCOL}}}Status")
        status_code = SubElement(status, f"{{{NS_SAML_PROTOCOL}}}StatusCode")
        status_code.attrib["Value"] = "urn:oasis:names:tc:SAML:2.0:status:Success"
--- a/authentik/providers/saml/tests/test_auth_n_request.py
+++ b/authentik/providers/saml/tests/test_auth_n_request.py
@ -2,10 +2,8 @@

 from base64 import b64encode

-from defusedxml.lxml import fromstring
 from django.http.request import QueryDict
 from django.test import TestCase
-from lxml import etree  # nosec

 from authentik.blueprints.tests import apply_blueprint
 from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
@ -13,14 +11,12 @@ from authentik.crypto.models import CertificateKeyPair
 from authentik.events.models import Event, EventAction
 from authentik.lib.generators import generate_id
 from authentik.lib.tests.utils import get_request
-from authentik.lib.xml import lxml_from_string
 from authentik.providers.saml.models import SAMLPropertyMapping, SAMLProvider
 from authentik.providers.saml.processors.assertion import AssertionProcessor
 from authentik.providers.saml.processors.authn_request_parser import AuthNRequestParser
 from authentik.sources.saml.exceptions import MismatchedRequestID
 from authentik.sources.saml.models import SAMLSource
 from authentik.sources.saml.processors.constants import (
-    NS_MAP,
    SAML_BINDING_REDIRECT,
    SAML_NAME_ID_FORMAT_EMAIL,
    SAML_NAME_ID_FORMAT_UNSPECIFIED,
@ -189,19 +185,6 @@ class TestAuthNRequest(TestCase):
        self.assertEqual(response.count(response_proc._assertion_id), 2)
        self.assertEqual(response.count(response_proc._response_id), 2)

-        schema = etree.XMLSchema(
-            etree.parse("schemas/saml-schema-protocol-2.0.xsd", parser=etree.XMLParser())  # nosec
-        )
-        self.assertTrue(schema.validate(lxml_from_string(response)))
-
-        response_xml = fromstring(response)
-        self.assertEqual(
-            len(response_xml.xpath("//saml:Assertion/ds:Signature", namespaces=NS_MAP)), 1
-        )
-        self.assertEqual(
-            len(response_xml.xpath("//samlp:Response/ds:Signature", namespaces=NS_MAP)), 1
-        )
-
        # Now parse the response (source)
        http_request.POST = QueryDict(mutable=True)
        http_request.POST["SAMLResponse"] = b64encode(response.encode()).decode()
--- a/authentik/rbac/api/rbac.py
+++ b/authentik/rbac/api/rbac.py
@ -2,10 +2,9 @@

 from django.apps import apps
 from django.contrib.auth.models import Permission
-from django.db.models import Q, QuerySet
+from django.db.models import QuerySet
 from django_filters.filters import ModelChoiceFilter
 from django_filters.filterset import FilterSet
-from django_filters.rest_framework import DjangoFilterBackend
 from rest_framework.exceptions import ValidationError
 from rest_framework.fields import (
    CharField,
@ -14,11 +13,8 @@ from rest_framework.fields import (
    ReadOnlyField,
    SerializerMethodField,
 )
-from rest_framework.filters import OrderingFilter, SearchFilter
-from rest_framework.permissions import IsAuthenticated
 from rest_framework.viewsets import ReadOnlyModelViewSet

-from authentik.blueprints.v1.importer import excluded_models
 from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.core.models import User
 from authentik.lib.validators import RequiredTogetherValidator
@ -96,9 +92,7 @@ class RBACPermissionViewSet(ReadOnlyModelViewSet):
    queryset = Permission.objects.none()
    serializer_class = PermissionSerializer
    ordering = ["name"]
-    filter_backends = [DjangoFilterBackend, OrderingFilter, SearchFilter]
    filterset_class = PermissionFilter
-    permission_classes = [IsAuthenticated]
    search_fields = [
        "codename",
        "content_type__model",
@ -106,13 +100,13 @@ class RBACPermissionViewSet(ReadOnlyModelViewSet):
    ]

    def get_queryset(self) -> QuerySet:
-        query = Q()
-        for model in excluded_models():
-            query |= Q(
-                content_type__app_label=model._meta.app_label,
-                content_type__model=model._meta.model_name,
+        return (
+            Permission.objects.all()
+            .select_related("content_type")
+            .filter(
+                content_type__app_label__startswith="authentik",
            )
-        return Permission.objects.all().select_related("content_type").exclude(query)
+        )


 class PermissionAssignSerializer(PassiveSerializer):
--- a/authentik/sources/kerberos/api/source.py
+++ b/authentik/sources/kerberos/api/source.py
@ -13,7 +13,6 @@ from authentik.core.api.sources import SourceSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import PassiveSerializer
 from authentik.events.api.tasks import SystemTaskSerializer
-from authentik.lib.api import MultipleFieldLookupMixin
 from authentik.sources.kerberos.models import KerberosSource
 from authentik.sources.kerberos.tasks import CACHE_KEY_STATUS

@ -60,13 +59,12 @@ class KerberosSyncStatusSerializer(PassiveSerializer):
    tasks = SystemTaskSerializer(many=True, read_only=True)


-class KerberosSourceViewSet(MultipleFieldLookupMixin, UsedByMixin, ModelViewSet):
+class KerberosSourceViewSet(UsedByMixin, ModelViewSet):
    """Kerberos Source Viewset"""

    queryset = KerberosSource.objects.all()
    serializer_class = KerberosSourceSerializer
    lookup_field = "slug"
-    lookup_fields = ["slug", "pbm_uuid"]
    filterset_fields = [
        "name",
        "slug",
--- a/authentik/sources/kerberos/auth.py
+++ b/authentik/sources/kerberos/auth.py
@ -38,9 +38,7 @@ class KerberosBackend(InbuiltBackend):
        self, username: str, realm: str | None, password: str, **filters
    ) -> tuple[User | None, KerberosSource | None]:
        sources = KerberosSource.objects.filter(enabled=True)
-        user = User.objects.filter(
-            usersourceconnection__source__in=sources, username=username, **filters
-        ).first()
+        user = User.objects.filter(usersourceconnection__source__in=sources, **filters).first()

        if user is not None:
            # User found, let's get its connections for the sources that are available
@ -79,7 +77,7 @@ class KerberosBackend(InbuiltBackend):
                        password, sender=user_source_connection.source
                    )
                    user_source_connection.user.save()
-                return user_source_connection.user, user_source_connection.source
+                return user, user_source_connection.source
            # Password doesn't match, onto next source
            LOGGER.debug(
                "failed to kinit, password invalid",
--- a/authentik/sources/ldap/api.py
+++ b/authentik/sources/ldap/api.py
@ -18,7 +18,6 @@ from authentik.core.api.property_mappings import PropertyMappingFilterSet, Prope
 from authentik.core.api.sources import SourceSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.crypto.models import CertificateKeyPair
-from authentik.lib.api import MultipleFieldLookupMixin
 from authentik.lib.sync.outgoing.api import SyncStatusSerializer
 from authentik.sources.ldap.models import LDAPSource, LDAPSourcePropertyMapping
 from authentik.sources.ldap.tasks import CACHE_KEY_STATUS, SYNC_CLASSES
@ -104,13 +103,12 @@ class LDAPSourceSerializer(SourceSerializer):
        extra_kwargs = {"bind_password": {"write_only": True}}


-class LDAPSourceViewSet(MultipleFieldLookupMixin, UsedByMixin, ModelViewSet):
+class LDAPSourceViewSet(UsedByMixin, ModelViewSet):
    """LDAP Source Viewset"""

    queryset = LDAPSource.objects.all()
    serializer_class = LDAPSourceSerializer
    lookup_field = "slug"
-    lookup_fields = ["slug", "pbm_uuid"]
    filterset_fields = [
        "name",
        "slug",
--- a/authentik/sources/oauth/api/source.py
+++ b/authentik/sources/oauth/api/source.py
@ -16,7 +16,6 @@ from rest_framework.viewsets import ModelViewSet
 from authentik.core.api.sources import SourceSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import PassiveSerializer
-from authentik.lib.api import MultipleFieldLookupMixin
 from authentik.lib.utils.http import get_http_session
 from authentik.sources.oauth.models import OAuthSource
 from authentik.sources.oauth.types.registry import SourceType, registry
@ -171,13 +170,12 @@ class OAuthSourceFilter(FilterSet):
        ]


-class OAuthSourceViewSet(MultipleFieldLookupMixin, UsedByMixin, ModelViewSet):
+class OAuthSourceViewSet(UsedByMixin, ModelViewSet):
    """Source Viewset"""

    queryset = OAuthSource.objects.all()
    serializer_class = OAuthSourceSerializer
    lookup_field = "slug"
-    lookup_fields = ["slug", "pbm_uuid"]
    filterset_class = OAuthSourceFilter
    search_fields = ["name", "slug"]
    ordering = ["name"]
--- a/authentik/sources/plex/api/source.py
+++ b/authentik/sources/plex/api/source.py
@ -18,7 +18,6 @@ from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import PassiveSerializer
 from authentik.flows.challenge import RedirectChallenge
 from authentik.flows.views.executor import to_stage_response
-from authentik.lib.api import MultipleFieldLookupMixin
 from authentik.rbac.decorators import permission_required
 from authentik.sources.plex.models import PlexSource, UserPlexSourceConnection
 from authentik.sources.plex.plex import PlexAuth, PlexSourceFlowManager
@ -46,13 +45,12 @@ class PlexTokenRedeemSerializer(PassiveSerializer):
    plex_token = CharField()


-class PlexSourceViewSet(MultipleFieldLookupMixin, UsedByMixin, ModelViewSet):
+class PlexSourceViewSet(UsedByMixin, ModelViewSet):
    """Plex source Viewset"""

    queryset = PlexSource.objects.all()
    serializer_class = PlexSourceSerializer
    lookup_field = "slug"
-    lookup_fields = ["slug", "pbm_uuid"]
    filterset_fields = [
        "name",
        "slug",
--- a/authentik/sources/saml/api/source.py
+++ b/authentik/sources/saml/api/source.py
@ -9,7 +9,6 @@ from rest_framework.viewsets import ModelViewSet

 from authentik.core.api.sources import SourceSerializer
 from authentik.core.api.used_by import UsedByMixin
-from authentik.lib.api import MultipleFieldLookupMixin
 from authentik.providers.saml.api.providers import SAMLMetadataSerializer
 from authentik.sources.saml.models import SAMLSource
 from authentik.sources.saml.processors.metadata import MetadataProcessor
@ -38,13 +37,12 @@ class SAMLSourceSerializer(SourceSerializer):
        ]


-class SAMLSourceViewSet(MultipleFieldLookupMixin, UsedByMixin, ModelViewSet):
+class SAMLSourceViewSet(UsedByMixin, ModelViewSet):
    """SAMLSource Viewset"""

    queryset = SAMLSource.objects.all()
    serializer_class = SAMLSourceSerializer
    lookup_field = "slug"
-    lookup_fields = ["slug", "pbm_uuid"]
    filterset_fields = [
        "name",
        "slug",
--- a/authentik/sources/saml/views.py
+++ b/authentik/sources/saml/views.py
@ -33,7 +33,6 @@ from authentik.flows.planner import (
 )
 from authentik.flows.stage import ChallengeStageView
 from authentik.flows.views.executor import NEXT_ARG_NAME, SESSION_KEY_GET, SESSION_KEY_PLAN
-from authentik.lib.utils.urls import is_url_absolute
 from authentik.lib.views import bad_request_message
 from authentik.providers.saml.utils.encoding import nice64
 from authentik.sources.saml.exceptions import MissingSAMLResponse, UnsupportedNameIDFormat
@ -74,8 +73,6 @@ class InitiateView(View):
        final_redirect = self.request.session.get(SESSION_KEY_GET, {}).get(
            NEXT_ARG_NAME, "authentik_core:if-user"
        )
-        if not is_url_absolute(final_redirect):
-            final_redirect = "authentik_core:if-user"
        kwargs.update(
            {
                PLAN_CONTEXT_SSO: True,
--- a/authentik/sources/scim/api/sources.py
+++ b/authentik/sources/scim/api/sources.py
@ -7,7 +7,6 @@ from rest_framework.viewsets import ModelViewSet
 from authentik.core.api.sources import SourceSerializer
 from authentik.core.api.tokens import TokenSerializer
 from authentik.core.api.used_by import UsedByMixin
-from authentik.lib.api import MultipleFieldLookupMixin
 from authentik.sources.scim.models import SCIMSource


@ -48,13 +47,12 @@ class SCIMSourceSerializer(SourceSerializer):
        ]


-class SCIMSourceViewSet(MultipleFieldLookupMixin, UsedByMixin, ModelViewSet):
+class SCIMSourceViewSet(UsedByMixin, ModelViewSet):
    """SCIMSource Viewset"""

    queryset = SCIMSource.objects.all()
    serializer_class = SCIMSourceSerializer
    lookup_field = "slug"
-    lookup_fields = ["slug", "pbm_uuid"]
    filterset_fields = ["name", "slug"]
    search_fields = ["name", "slug", "token__identifier", "token__user__username"]
    ordering = ["name"]
--- a/authentik/stages/redirect/stage.py
+++ b/authentik/stages/redirect/stage.py
@ -20,7 +20,7 @@ from authentik.flows.planner import (
    FlowPlanner,
 )
 from authentik.flows.stage import ChallengeStageView
-from authentik.flows.views.executor import SESSION_KEY_GET, SESSION_KEY_PLAN, InvalidStageError
+from authentik.flows.views.executor import SESSION_KEY_PLAN, InvalidStageError
 from authentik.lib.utils.urls import reverse_with_qs
 from authentik.stages.redirect.models import RedirectMode, RedirectStage

@ -72,9 +72,7 @@ class RedirectStageView(ChallengeStageView):
        self.request.session[SESSION_KEY_PLAN] = plan
        kwargs = self.executor.kwargs
        kwargs.update({"flow_slug": flow.slug})
-        return reverse_with_qs(
-            "authentik_core:if-flow", self.request.session[SESSION_KEY_GET], kwargs=kwargs
-        )
+        return reverse_with_qs("authentik_core:if-flow", self.request.GET, kwargs=kwargs)

    def get_challenge(self, *args, **kwargs) -> Challenge:
        """Get the redirect target. Prioritize `redirect_stage_target` if present."""
--- a/authentik/stages/redirect/tests.py
+++ b/authentik/stages/redirect/tests.py
@ -1,7 +1,5 @@
 """Test Redirect stage"""

-from urllib.parse import urlencode
-
 from django.urls.base import reverse
 from rest_framework.exceptions import ValidationError

@ -60,23 +58,6 @@ class TestRedirectStage(FlowTestCase):
            response, reverse("authentik_core:if-flow", kwargs={"flow_slug": self.target_flow.slug})
        )

-    def test_flow_query(self):
-        self.stage.mode = RedirectMode.FLOW
-        self.stage.save()
-
-        response = self.client.get(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
-            + "?"
-            + urlencode({"query": urlencode({"test": "foo"})})
-        )
-
-        self.assertStageRedirects(
-            response,
-            reverse("authentik_core:if-flow", kwargs={"flow_slug": self.target_flow.slug})
-            + "?"
-            + urlencode({"test": "foo"}),
-        )
-
    def test_override_static(self):
        policy = ExpressionPolicy.objects.create(
            name=generate_id(),
--- a/blueprints/schema.json
+++ b/blueprints/schema.json
@ -2,7 +2,7 @@
    "$schema": "http://json-schema.org/draft-07/schema",
    "$id": "https://goauthentik.io/blueprints/schema.json",
    "type": "object",
-    "title": "authentik 2024.12.4 Blueprint schema",
+    "title": "authentik 2024.12.0 Blueprint schema",
    "required": [
        "version",
        "entries"
@ -3884,8 +3884,7 @@
                    {
                        "type": "object",
                        "required": [
-                            "model",
-                            "identifiers"
+                            "model"
                        ],
                        "properties": {
                            "model": {
@ -3915,9 +3914,6 @@
                            },
                            "attrs": {
                                "$ref": "#/$defs/model_authentik_blueprints.metaapplyblueprint"
-                            },
-                            "identifiers": {
-                                "$ref": "#/$defs/model_authentik_blueprints.metaapplyblueprint"
                            }
                        }
                    }
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -31,7 +31,7 @@ services:
    volumes:
      - redis:/data
  server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.12.4}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.12.0}
    restart: unless-stopped
    command: server
    environment:
@ -54,7 +54,7 @@ services:
      redis:
        condition: service_healthy
  worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.12.4}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.12.0}
    restart: unless-stopped
    command: worker
    environment:
--- a/go.mod
+++ b/go.mod
@ -29,7 +29,7 @@ require (
 	github.com/spf13/cobra v1.8.1
 	github.com/stretchr/testify v1.10.0
 	github.com/wwt/guac v1.3.2
-	goauthentik.io/api/v3 v3.2024105.3
+	goauthentik.io/api/v3 v3.2024105.5
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
 	golang.org/x/oauth2 v0.24.0
 	golang.org/x/sync v0.10.0
--- a/go.sum
+++ b/go.sum
@ -299,8 +299,8 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-goauthentik.io/api/v3 v3.2024105.3 h1:Vl1vwPkCtA8hChsxwO3NUI8nupFC7r93jUHvqM+kYVw=
-goauthentik.io/api/v3 v3.2024105.3/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2024105.5 h1:zBDqIjWN5QNuL6iBLL4o9QwBsSkFQdAnyTjASsyE/fw=
+goauthentik.io/api/v3 v3.2024105.5/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@ -29,4 +29,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }

-const VERSION = "2024.12.4"
+const VERSION = "2024.12.0"
--- a/internal/outpost/ak/api_ws.go
+++ b/internal/outpost/ak/api_ws.go
@ -4,7 +4,6 @@ import (
 	"context"
 	"crypto/tls"
 	"fmt"
-	"maps"
 	"net/http"
 	"net/url"
 	"strconv"
@ -17,22 +16,11 @@ import (
 	"goauthentik.io/internal/constants"
 )

-func (ac *APIController) getWebsocketURL(akURL url.URL, outpostUUID string, query url.Values) *url.URL {
-	wsUrl := &url.URL{}
-	wsUrl.Scheme = strings.ReplaceAll(akURL.Scheme, "http", "ws")
-	wsUrl.Host = akURL.Host
-	_p, _ := url.JoinPath(akURL.Path, "ws/outpost/", outpostUUID, "/")
-	wsUrl.Path = _p
-	v := url.Values{}
-	maps.Insert(v, maps.All(akURL.Query()))
-	maps.Insert(v, maps.All(query))
-	wsUrl.RawQuery = v.Encode()
-	return wsUrl
-}
-
 func (ac *APIController) initWS(akURL url.URL, outpostUUID string) error {
+	pathTemplate := "%s://%s%sws/outpost/%s/?%s"
 	query := akURL.Query()
 	query.Set("instance_uuid", ac.instanceUUID.String())
+	scheme := strings.ReplaceAll(akURL.Scheme, "http", "ws")

 	authHeader := fmt.Sprintf("Bearer %s", ac.token)

@ -49,9 +37,7 @@ func (ac *APIController) initWS(akURL url.URL, outpostUUID string) error {
 		},
 	}

-	wsu := ac.getWebsocketURL(akURL, outpostUUID, query).String()
-	ac.logger.WithField("url", wsu).Debug("connecting to websocket")
-	ws, _, err := dialer.Dial(wsu, header)
+	ws, _, err := dialer.Dial(fmt.Sprintf(pathTemplate, scheme, akURL.Host, akURL.Path, outpostUUID, akURL.Query().Encode()), header)
 	if err != nil {
 		ac.logger.WithError(err).Warning("failed to connect websocket")
 		return err
--- a/internal/outpost/ak/api_ws_test.go
+++ b/internal/outpost/ak/api_ws_test.go
@ -1,42 +0,0 @@
-package ak
-
-import (
-	"net/url"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-)
-
-func URLMustParse(u string) *url.URL {
-	ur, err := url.Parse(u)
-	if err != nil {
-		panic(err)
-	}
-	return ur
-}
-
-func TestWebsocketURL(t *testing.T) {
-	u := URLMustParse("http://localhost:9000?foo=bar")
-	uuid := "23470845-7263-4fe3-bd79-ec1d7bf77d77"
-	ac := &APIController{}
-	nu := ac.getWebsocketURL(*u, uuid, url.Values{})
-	assert.Equal(t, "ws://localhost:9000/ws/outpost/23470845-7263-4fe3-bd79-ec1d7bf77d77/?foo=bar", nu.String())
-}
-
-func TestWebsocketURL_Query(t *testing.T) {
-	u := URLMustParse("http://localhost:9000?foo=bar")
-	uuid := "23470845-7263-4fe3-bd79-ec1d7bf77d77"
-	ac := &APIController{}
-	v := url.Values{}
-	v.Set("bar", "baz")
-	nu := ac.getWebsocketURL(*u, uuid, v)
-	assert.Equal(t, "ws://localhost:9000/ws/outpost/23470845-7263-4fe3-bd79-ec1d7bf77d77/?bar=baz&foo=bar", nu.String())
-}
-
-func TestWebsocketURL_Subpath(t *testing.T) {
-	u := URLMustParse("http://localhost:9000/foo/bar/")
-	uuid := "23470845-7263-4fe3-bd79-ec1d7bf77d77"
-	ac := &APIController{}
-	nu := ac.getWebsocketURL(*u, uuid, url.Values{})
-	assert.Equal(t, "ws://localhost:9000/foo/bar/ws/outpost/23470845-7263-4fe3-bd79-ec1d7bf77d77/", nu.String())
-}
--- a/lifecycle/ak
+++ b/lifecycle/ak
@ -1,5 +1,4 @@
-#!/usr/bin/env -S bash
-set -e -o pipefail
+#!/usr/bin/env -S bash -e
 MODE_FILE="${TMPDIR}/authentik-mode"

 function log {
@ -88,6 +87,7 @@ elif [[ "$1" == "bash" ]]; then
 elif [[ "$1" == "test-all" ]]; then
    prepare_debug
    chmod 777 /root
+    pip install --force-reinstall /wheels/*
    check_if_root "python -m manage test authentik"
 elif [[ "$1" == "healthcheck" ]]; then
    run_authentik healthcheck $(cat $MODE_FILE)
--- a/locale/en/LC_MESSAGES/django.po
+++ b/locale/en/LC_MESSAGES/django.po
@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-12-18 13:31+0000\n"
+"POT-Creation-Date: 2024-12-20 00:08+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@ -101,6 +101,10 @@ msgstr ""
 msgid "Brands"
 msgstr ""

+#: authentik/core/api/application_entitlements.py
+msgid "User does not have access to application."
+msgstr ""
+
 #: authentik/core/api/devices.py
 msgid "Extra description not available"
 msgstr ""
@ -225,6 +229,14 @@ msgstr ""
 msgid "Applications"
 msgstr ""

+#: authentik/core/models.py
+msgid "Application Entitlement"
+msgstr ""
+
+#: authentik/core/models.py
+msgid "Application Entitlements"
+msgstr ""
+
 #: authentik/core/models.py
 msgid "Use the source-specific identifier"
 msgstr ""
--- a/locale/it/LC_MESSAGES/django.mo
+++ b/locale/it/LC_MESSAGES/django.mo
--- a/package.json
+++ b/package.json
@ -1,5 +1,5 @@
 {
    "name": "@goauthentik/authentik",
-    "version": "2024.12.4",
+    "version": "2024.12.0",
    "private": true
 }
--- a/poetry.lock
+++ b/poetry.lock
@ -1922,13 +1922,13 @@ grpcio-gcp = ["grpcio-gcp (>=0.2.2,<1.0.dev0)"]

 [[package]]
 name = "google-api-python-client"
-version = "2.155.0"
+version = "2.156.0"
 description = "Google API Client Library for Python"
 optional = false
 python-versions = ">=3.7"
 files = [
-    {file = "google_api_python_client-2.155.0-py2.py3-none-any.whl", hash = "sha256:83fe9b5aa4160899079d7c93a37be306546a17e6686e2549bcc9584f1a229747"},
-    {file = "google_api_python_client-2.155.0.tar.gz", hash = "sha256:25529f89f0d13abcf3c05c089c423fb2858ac16e0b3727543393468d0d7af67c"},
+    {file = "google_api_python_client-2.156.0-py2.py3-none-any.whl", hash = "sha256:6352185c505e1f311f11b0b96c1b636dcb0fec82cd04b80ac5a671ac4dcab339"},
+    {file = "google_api_python_client-2.156.0.tar.gz", hash = "sha256:b809c111ded61716a9c1c7936e6899053f13bae3defcdfda904bd2ca68065b9c"},
 ]

 [package.dependencies]
@ -3107,13 +3107,13 @@ dev = ["bumpver", "isort", "mypy", "pylint", "pytest", "yapf"]

 [[package]]
 name = "msgraph-sdk"
-version = "1.14.0"
+version = "1.15.0"
 description = "The Microsoft Graph Python SDK"
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "msgraph_sdk-1.14.0-py3-none-any.whl", hash = "sha256:1a2f327dc8fbe5a5e6d0d84cf71d605e7b118b3066b1e16f011ccd8fd927bb03"},
-    {file = "msgraph_sdk-1.14.0.tar.gz", hash = "sha256:5bbda80941c5d1794682753b8b291bd2ebed719a43d6de949fd0cd613b6dfbbd"},
+    {file = "msgraph_sdk-1.15.0-py3-none-any.whl", hash = "sha256:85332db7ee19eb3d65a2493de83994ce3f5e4d9a084b3643ff6dea797cda81a7"},
+    {file = "msgraph_sdk-1.15.0.tar.gz", hash = "sha256:c920e72cc9de2218f9f9f71682db22ea544d9b440a5f088892bfca686c546b91"},
 ]

 [package.dependencies]
@ -3881,19 +3881,19 @@ files = [

 [[package]]
 name = "pydantic"
-version = "2.10.3"
+version = "2.10.4"
 description = "Data validation using Python type hints"
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "pydantic-2.10.3-py3-none-any.whl", hash = "sha256:be04d85bbc7b65651c5f8e6b9976ed9c6f41782a55524cef079a34a0bb82144d"},
-    {file = "pydantic-2.10.3.tar.gz", hash = "sha256:cb5ac360ce894ceacd69c403187900a02c4b20b693a9dd1d643e1effab9eadf9"},
+    {file = "pydantic-2.10.4-py3-none-any.whl", hash = "sha256:597e135ea68be3a37552fb524bc7d0d66dcf93d395acd93a00682f1efcb8ee3d"},
+    {file = "pydantic-2.10.4.tar.gz", hash = "sha256:82f12e9723da6de4fe2ba888b5971157b3be7ad914267dea8f05f82b28254f06"},
 ]

 [package.dependencies]
 annotated-types = ">=0.6.0"
 email-validator = {version = ">=2.0.0", optional = true, markers = "extra == \"email\""}
-pydantic-core = "2.27.1"
+pydantic-core = "2.27.2"
 typing-extensions = ">=4.12.2"

 [package.extras]
@ -3902,111 +3902,111 @@ timezone = ["tzdata"]

 [[package]]
 name = "pydantic-core"
-version = "2.27.1"
+version = "2.27.2"
 description = "Core functionality for Pydantic validation and serialization"
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "pydantic_core-2.27.1-cp310-cp310-macosx_10_12_x86_64.whl", hash = "sha256:71a5e35c75c021aaf400ac048dacc855f000bdfed91614b4a726f7432f1f3d6a"},
-    {file = "pydantic_core-2.27.1-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:f82d068a2d6ecfc6e054726080af69a6764a10015467d7d7b9f66d6ed5afa23b"},
-    {file = "pydantic_core-2.27.1-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:121ceb0e822f79163dd4699e4c54f5ad38b157084d97b34de8b232bcaad70278"},
-    {file = "pydantic_core-2.27.1-cp310-cp310-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:4603137322c18eaf2e06a4495f426aa8d8388940f3c457e7548145011bb68e05"},
-    {file = "pydantic_core-2.27.1-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:a33cd6ad9017bbeaa9ed78a2e0752c5e250eafb9534f308e7a5f7849b0b1bfb4"},
-    {file = "pydantic_core-2.27.1-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:15cc53a3179ba0fcefe1e3ae50beb2784dede4003ad2dfd24f81bba4b23a454f"},
-    {file = "pydantic_core-2.27.1-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:45d9c5eb9273aa50999ad6adc6be5e0ecea7e09dbd0d31bd0c65a55a2592ca08"},
-    {file = "pydantic_core-2.27.1-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:8bf7b66ce12a2ac52d16f776b31d16d91033150266eb796967a7e4621707e4f6"},
-    {file = "pydantic_core-2.27.1-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:655d7dd86f26cb15ce8a431036f66ce0318648f8853d709b4167786ec2fa4807"},
-    {file = "pydantic_core-2.27.1-cp310-cp310-musllinux_1_1_armv7l.whl", hash = "sha256:5556470f1a2157031e676f776c2bc20acd34c1990ca5f7e56f1ebf938b9ab57c"},
-    {file = "pydantic_core-2.27.1-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:f69ed81ab24d5a3bd93861c8c4436f54afdf8e8cc421562b0c7504cf3be58206"},
-    {file = "pydantic_core-2.27.1-cp310-none-win32.whl", hash = "sha256:f5a823165e6d04ccea61a9f0576f345f8ce40ed533013580e087bd4d7442b52c"},
-    {file = "pydantic_core-2.27.1-cp310-none-win_amd64.whl", hash = "sha256:57866a76e0b3823e0b56692d1a0bf722bffb324839bb5b7226a7dbd6c9a40b17"},
-    {file = "pydantic_core-2.27.1-cp311-cp311-macosx_10_12_x86_64.whl", hash = "sha256:ac3b20653bdbe160febbea8aa6c079d3df19310d50ac314911ed8cc4eb7f8cb8"},
-    {file = "pydantic_core-2.27.1-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:a5a8e19d7c707c4cadb8c18f5f60c843052ae83c20fa7d44f41594c644a1d330"},
-    {file = "pydantic_core-2.27.1-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:7f7059ca8d64fea7f238994c97d91f75965216bcbe5f695bb44f354893f11d52"},
-    {file = "pydantic_core-2.27.1-cp311-cp311-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:bed0f8a0eeea9fb72937ba118f9db0cb7e90773462af7962d382445f3005e5a4"},
-    {file = "pydantic_core-2.27.1-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:a3cb37038123447cf0f3ea4c74751f6a9d7afef0eb71aa07bf5f652b5e6a132c"},
-    {file = "pydantic_core-2.27.1-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:84286494f6c5d05243456e04223d5a9417d7f443c3b76065e75001beb26f88de"},
-    {file = "pydantic_core-2.27.1-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:acc07b2cfc5b835444b44a9956846b578d27beeacd4b52e45489e93276241025"},
-    {file = "pydantic_core-2.27.1-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:4fefee876e07a6e9aad7a8c8c9f85b0cdbe7df52b8a9552307b09050f7512c7e"},
-    {file = "pydantic_core-2.27.1-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:258c57abf1188926c774a4c94dd29237e77eda19462e5bb901d88adcab6af919"},
-    {file = "pydantic_core-2.27.1-cp311-cp311-musllinux_1_1_armv7l.whl", hash = "sha256:35c14ac45fcfdf7167ca76cc80b2001205a8d5d16d80524e13508371fb8cdd9c"},
-    {file = "pydantic_core-2.27.1-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:d1b26e1dff225c31897696cab7d4f0a315d4c0d9e8666dbffdb28216f3b17fdc"},
-    {file = "pydantic_core-2.27.1-cp311-none-win32.whl", hash = "sha256:2cdf7d86886bc6982354862204ae3b2f7f96f21a3eb0ba5ca0ac42c7b38598b9"},
-    {file = "pydantic_core-2.27.1-cp311-none-win_amd64.whl", hash = "sha256:3af385b0cee8df3746c3f406f38bcbfdc9041b5c2d5ce3e5fc6637256e60bbc5"},
-    {file = "pydantic_core-2.27.1-cp311-none-win_arm64.whl", hash = "sha256:81f2ec23ddc1b476ff96563f2e8d723830b06dceae348ce02914a37cb4e74b89"},
-    {file = "pydantic_core-2.27.1-cp312-cp312-macosx_10_12_x86_64.whl", hash = "sha256:9cbd94fc661d2bab2bc702cddd2d3370bbdcc4cd0f8f57488a81bcce90c7a54f"},
-    {file = "pydantic_core-2.27.1-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:5f8c4718cd44ec1580e180cb739713ecda2bdee1341084c1467802a417fe0f02"},
-    {file = "pydantic_core-2.27.1-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:15aae984e46de8d376df515f00450d1522077254ef6b7ce189b38ecee7c9677c"},
-    {file = "pydantic_core-2.27.1-cp312-cp312-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:1ba5e3963344ff25fc8c40da90f44b0afca8cfd89d12964feb79ac1411a260ac"},
-    {file = "pydantic_core-2.27.1-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:992cea5f4f3b29d6b4f7f1726ed8ee46c8331c6b4eed6db5b40134c6fe1768bb"},
-    {file = "pydantic_core-2.27.1-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:0325336f348dbee6550d129b1627cb8f5351a9dc91aad141ffb96d4937bd9529"},
-    {file = "pydantic_core-2.27.1-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:7597c07fbd11515f654d6ece3d0e4e5093edc30a436c63142d9a4b8e22f19c35"},
-    {file = "pydantic_core-2.27.1-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:3bbd5d8cc692616d5ef6fbbbd50dbec142c7e6ad9beb66b78a96e9c16729b089"},
-    {file = "pydantic_core-2.27.1-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:dc61505e73298a84a2f317255fcc72b710b72980f3a1f670447a21efc88f8381"},
-    {file = "pydantic_core-2.27.1-cp312-cp312-musllinux_1_1_armv7l.whl", hash = "sha256:e1f735dc43da318cad19b4173dd1ffce1d84aafd6c9b782b3abc04a0d5a6f5bb"},
-    {file = "pydantic_core-2.27.1-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:f4e5658dbffe8843a0f12366a4c2d1c316dbe09bb4dfbdc9d2d9cd6031de8aae"},
-    {file = "pydantic_core-2.27.1-cp312-none-win32.whl", hash = "sha256:672ebbe820bb37988c4d136eca2652ee114992d5d41c7e4858cdd90ea94ffe5c"},
-    {file = "pydantic_core-2.27.1-cp312-none-win_amd64.whl", hash = "sha256:66ff044fd0bb1768688aecbe28b6190f6e799349221fb0de0e6f4048eca14c16"},
-    {file = "pydantic_core-2.27.1-cp312-none-win_arm64.whl", hash = "sha256:9a3b0793b1bbfd4146304e23d90045f2a9b5fd5823aa682665fbdaf2a6c28f3e"},
-    {file = "pydantic_core-2.27.1-cp313-cp313-macosx_10_12_x86_64.whl", hash = "sha256:f216dbce0e60e4d03e0c4353c7023b202d95cbaeff12e5fd2e82ea0a66905073"},
-    {file = "pydantic_core-2.27.1-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:a2e02889071850bbfd36b56fd6bc98945e23670773bc7a76657e90e6b6603c08"},
-    {file = "pydantic_core-2.27.1-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:42b0e23f119b2b456d07ca91b307ae167cc3f6c846a7b169fca5326e32fdc6cf"},
-    {file = "pydantic_core-2.27.1-cp313-cp313-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:764be71193f87d460a03f1f7385a82e226639732214b402f9aa61f0d025f0737"},
-    {file = "pydantic_core-2.27.1-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:1c00666a3bd2f84920a4e94434f5974d7bbc57e461318d6bb34ce9cdbbc1f6b2"},
-    {file = "pydantic_core-2.27.1-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:3ccaa88b24eebc0f849ce0a4d09e8a408ec5a94afff395eb69baf868f5183107"},
-    {file = "pydantic_core-2.27.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:c65af9088ac534313e1963443d0ec360bb2b9cba6c2909478d22c2e363d98a51"},
-    {file = "pydantic_core-2.27.1-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:206b5cf6f0c513baffaeae7bd817717140770c74528f3e4c3e1cec7871ddd61a"},
-    {file = "pydantic_core-2.27.1-cp313-cp313-musllinux_1_1_aarch64.whl", hash = "sha256:062f60e512fc7fff8b8a9d680ff0ddaaef0193dba9fa83e679c0c5f5fbd018bc"},
-    {file = "pydantic_core-2.27.1-cp313-cp313-musllinux_1_1_armv7l.whl", hash = "sha256:a0697803ed7d4af5e4c1adf1670af078f8fcab7a86350e969f454daf598c4960"},
-    {file = "pydantic_core-2.27.1-cp313-cp313-musllinux_1_1_x86_64.whl", hash = "sha256:58ca98a950171f3151c603aeea9303ef6c235f692fe555e883591103da709b23"},
-    {file = "pydantic_core-2.27.1-cp313-none-win32.whl", hash = "sha256:8065914ff79f7eab1599bd80406681f0ad08f8e47c880f17b416c9f8f7a26d05"},
-    {file = "pydantic_core-2.27.1-cp313-none-win_amd64.whl", hash = "sha256:ba630d5e3db74c79300d9a5bdaaf6200172b107f263c98a0539eeecb857b2337"},
-    {file = "pydantic_core-2.27.1-cp313-none-win_arm64.whl", hash = "sha256:45cf8588c066860b623cd11c4ba687f8d7175d5f7ef65f7129df8a394c502de5"},
-    {file = "pydantic_core-2.27.1-cp38-cp38-macosx_10_12_x86_64.whl", hash = "sha256:5897bec80a09b4084aee23f9b73a9477a46c3304ad1d2d07acca19723fb1de62"},
-    {file = "pydantic_core-2.27.1-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:d0165ab2914379bd56908c02294ed8405c252250668ebcb438a55494c69f44ab"},
-    {file = "pydantic_core-2.27.1-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:6b9af86e1d8e4cfc82c2022bfaa6f459381a50b94a29e95dcdda8442d6d83864"},
-    {file = "pydantic_core-2.27.1-cp38-cp38-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:5f6c8a66741c5f5447e047ab0ba7a1c61d1e95580d64bce852e3df1f895c4067"},
-    {file = "pydantic_core-2.27.1-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:9a42d6a8156ff78981f8aa56eb6394114e0dedb217cf8b729f438f643608cbcd"},
-    {file = "pydantic_core-2.27.1-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:64c65f40b4cd8b0e049a8edde07e38b476da7e3aaebe63287c899d2cff253fa5"},
-    {file = "pydantic_core-2.27.1-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9fdcf339322a3fae5cbd504edcefddd5a50d9ee00d968696846f089b4432cf78"},
-    {file = "pydantic_core-2.27.1-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:bf99c8404f008750c846cb4ac4667b798a9f7de673ff719d705d9b2d6de49c5f"},
-    {file = "pydantic_core-2.27.1-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:8f1edcea27918d748c7e5e4d917297b2a0ab80cad10f86631e488b7cddf76a36"},
-    {file = "pydantic_core-2.27.1-cp38-cp38-musllinux_1_1_armv7l.whl", hash = "sha256:159cac0a3d096f79ab6a44d77a961917219707e2a130739c64d4dd46281f5c2a"},
-    {file = "pydantic_core-2.27.1-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:029d9757eb621cc6e1848fa0b0310310de7301057f623985698ed7ebb014391b"},
-    {file = "pydantic_core-2.27.1-cp38-none-win32.whl", hash = "sha256:a28af0695a45f7060e6f9b7092558a928a28553366519f64083c63a44f70e618"},
-    {file = "pydantic_core-2.27.1-cp38-none-win_amd64.whl", hash = "sha256:2d4567c850905d5eaaed2f7a404e61012a51caf288292e016360aa2b96ff38d4"},
-    {file = "pydantic_core-2.27.1-cp39-cp39-macosx_10_12_x86_64.whl", hash = "sha256:e9386266798d64eeb19dd3677051f5705bf873e98e15897ddb7d76f477131967"},
-    {file = "pydantic_core-2.27.1-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:4228b5b646caa73f119b1ae756216b59cc6e2267201c27d3912b592c5e323b60"},
-    {file = "pydantic_core-2.27.1-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:0b3dfe500de26c52abe0477dde16192ac39c98f05bf2d80e76102d394bd13854"},
-    {file = "pydantic_core-2.27.1-cp39-cp39-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:aee66be87825cdf72ac64cb03ad4c15ffef4143dbf5c113f64a5ff4f81477bf9"},
-    {file = "pydantic_core-2.27.1-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:3b748c44bb9f53031c8cbc99a8a061bc181c1000c60a30f55393b6e9c45cc5bd"},
-    {file = "pydantic_core-2.27.1-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:5ca038c7f6a0afd0b2448941b6ef9d5e1949e999f9e5517692eb6da58e9d44be"},
-    {file = "pydantic_core-2.27.1-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:6e0bd57539da59a3e4671b90a502da9a28c72322a4f17866ba3ac63a82c4498e"},
-    {file = "pydantic_core-2.27.1-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:ac6c2c45c847bbf8f91930d88716a0fb924b51e0c6dad329b793d670ec5db792"},
-    {file = "pydantic_core-2.27.1-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:b94d4ba43739bbe8b0ce4262bcc3b7b9f31459ad120fb595627eaeb7f9b9ca01"},
-    {file = "pydantic_core-2.27.1-cp39-cp39-musllinux_1_1_armv7l.whl", hash = "sha256:00e6424f4b26fe82d44577b4c842d7df97c20be6439e8e685d0d715feceb9fb9"},
-    {file = "pydantic_core-2.27.1-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:38de0a70160dd97540335b7ad3a74571b24f1dc3ed33f815f0880682e6880131"},
-    {file = "pydantic_core-2.27.1-cp39-none-win32.whl", hash = "sha256:7ccebf51efc61634f6c2344da73e366c75e735960b5654b63d7e6f69a5885fa3"},
-    {file = "pydantic_core-2.27.1-cp39-none-win_amd64.whl", hash = "sha256:a57847b090d7892f123726202b7daa20df6694cbd583b67a592e856bff603d6c"},
-    {file = "pydantic_core-2.27.1-pp310-pypy310_pp73-macosx_10_12_x86_64.whl", hash = "sha256:3fa80ac2bd5856580e242dbc202db873c60a01b20309c8319b5c5986fbe53ce6"},
-    {file = "pydantic_core-2.27.1-pp310-pypy310_pp73-macosx_11_0_arm64.whl", hash = "sha256:d950caa237bb1954f1b8c9227b5065ba6875ac9771bb8ec790d956a699b78676"},
-    {file = "pydantic_core-2.27.1-pp310-pypy310_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:0e4216e64d203e39c62df627aa882f02a2438d18a5f21d7f721621f7a5d3611d"},
-    {file = "pydantic_core-2.27.1-pp310-pypy310_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:02a3d637bd387c41d46b002f0e49c52642281edacd2740e5a42f7017feea3f2c"},
-    {file = "pydantic_core-2.27.1-pp310-pypy310_pp73-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:161c27ccce13b6b0c8689418da3885d3220ed2eae2ea5e9b2f7f3d48f1d52c27"},
-    {file = "pydantic_core-2.27.1-pp310-pypy310_pp73-musllinux_1_1_aarch64.whl", hash = "sha256:19910754e4cc9c63bc1c7f6d73aa1cfee82f42007e407c0f413695c2f7ed777f"},
-    {file = "pydantic_core-2.27.1-pp310-pypy310_pp73-musllinux_1_1_armv7l.whl", hash = "sha256:e173486019cc283dc9778315fa29a363579372fe67045e971e89b6365cc035ed"},
-    {file = "pydantic_core-2.27.1-pp310-pypy310_pp73-musllinux_1_1_x86_64.whl", hash = "sha256:af52d26579b308921b73b956153066481f064875140ccd1dfd4e77db89dbb12f"},
-    {file = "pydantic_core-2.27.1-pp310-pypy310_pp73-win_amd64.whl", hash = "sha256:981fb88516bd1ae8b0cbbd2034678a39dedc98752f264ac9bc5839d3923fa04c"},
-    {file = "pydantic_core-2.27.1-pp39-pypy39_pp73-macosx_10_12_x86_64.whl", hash = "sha256:5fde892e6c697ce3e30c61b239330fc5d569a71fefd4eb6512fc6caec9dd9e2f"},
-    {file = "pydantic_core-2.27.1-pp39-pypy39_pp73-macosx_11_0_arm64.whl", hash = "sha256:816f5aa087094099fff7edabb5e01cc370eb21aa1a1d44fe2d2aefdfb5599b31"},
-    {file = "pydantic_core-2.27.1-pp39-pypy39_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:9c10c309e18e443ddb108f0ef64e8729363adbfd92d6d57beec680f6261556f3"},
-    {file = "pydantic_core-2.27.1-pp39-pypy39_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:98476c98b02c8e9b2eec76ac4156fd006628b1b2d0ef27e548ffa978393fd154"},
-    {file = "pydantic_core-2.27.1-pp39-pypy39_pp73-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:c3027001c28434e7ca5a6e1e527487051136aa81803ac812be51802150d880dd"},
-    {file = "pydantic_core-2.27.1-pp39-pypy39_pp73-musllinux_1_1_aarch64.whl", hash = "sha256:7699b1df36a48169cdebda7ab5a2bac265204003f153b4bd17276153d997670a"},
-    {file = "pydantic_core-2.27.1-pp39-pypy39_pp73-musllinux_1_1_armv7l.whl", hash = "sha256:1c39b07d90be6b48968ddc8c19e7585052088fd7ec8d568bb31ff64c70ae3c97"},
-    {file = "pydantic_core-2.27.1-pp39-pypy39_pp73-musllinux_1_1_x86_64.whl", hash = "sha256:46ccfe3032b3915586e469d4972973f893c0a2bb65669194a5bdea9bacc088c2"},
-    {file = "pydantic_core-2.27.1-pp39-pypy39_pp73-win_amd64.whl", hash = "sha256:62ba45e21cf6571d7f716d903b5b7b6d2617e2d5d67c0923dc47b9d41369f840"},
-    {file = "pydantic_core-2.27.1.tar.gz", hash = "sha256:62a763352879b84aa31058fc931884055fd75089cccbd9d58bb6afd01141b235"},
+    {file = "pydantic_core-2.27.2-cp310-cp310-macosx_10_12_x86_64.whl", hash = "sha256:2d367ca20b2f14095a8f4fa1210f5a7b78b8a20009ecced6b12818f455b1e9fa"},
+    {file = "pydantic_core-2.27.2-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:491a2b73db93fab69731eaee494f320faa4e093dbed776be1a829c2eb222c34c"},
+    {file = "pydantic_core-2.27.2-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:7969e133a6f183be60e9f6f56bfae753585680f3b7307a8e555a948d443cc05a"},
+    {file = "pydantic_core-2.27.2-cp310-cp310-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:3de9961f2a346257caf0aa508a4da705467f53778e9ef6fe744c038119737ef5"},
+    {file = "pydantic_core-2.27.2-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:e2bb4d3e5873c37bb3dd58714d4cd0b0e6238cebc4177ac8fe878f8b3aa8e74c"},
+    {file = "pydantic_core-2.27.2-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:280d219beebb0752699480fe8f1dc61ab6615c2046d76b7ab7ee38858de0a4e7"},
+    {file = "pydantic_core-2.27.2-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:47956ae78b6422cbd46f772f1746799cbb862de838fd8d1fbd34a82e05b0983a"},
+    {file = "pydantic_core-2.27.2-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:14d4a5c49d2f009d62a2a7140d3064f686d17a5d1a268bc641954ba181880236"},
+    {file = "pydantic_core-2.27.2-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:337b443af21d488716f8d0b6164de833e788aa6bd7e3a39c005febc1284f4962"},
+    {file = "pydantic_core-2.27.2-cp310-cp310-musllinux_1_1_armv7l.whl", hash = "sha256:03d0f86ea3184a12f41a2d23f7ccb79cdb5a18e06993f8a45baa8dfec746f0e9"},
+    {file = "pydantic_core-2.27.2-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:7041c36f5680c6e0f08d922aed302e98b3745d97fe1589db0a3eebf6624523af"},
+    {file = "pydantic_core-2.27.2-cp310-cp310-win32.whl", hash = "sha256:50a68f3e3819077be2c98110c1f9dcb3817e93f267ba80a2c05bb4f8799e2ff4"},
+    {file = "pydantic_core-2.27.2-cp310-cp310-win_amd64.whl", hash = "sha256:e0fd26b16394ead34a424eecf8a31a1f5137094cabe84a1bcb10fa6ba39d3d31"},
+    {file = "pydantic_core-2.27.2-cp311-cp311-macosx_10_12_x86_64.whl", hash = "sha256:8e10c99ef58cfdf2a66fc15d66b16c4a04f62bca39db589ae8cba08bc55331bc"},
+    {file = "pydantic_core-2.27.2-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:26f32e0adf166a84d0cb63be85c562ca8a6fa8de28e5f0d92250c6b7e9e2aff7"},
+    {file = "pydantic_core-2.27.2-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:8c19d1ea0673cd13cc2f872f6c9ab42acc4e4f492a7ca9d3795ce2b112dd7e15"},
+    {file = "pydantic_core-2.27.2-cp311-cp311-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:5e68c4446fe0810e959cdff46ab0a41ce2f2c86d227d96dc3847af0ba7def306"},
+    {file = "pydantic_core-2.27.2-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:d9640b0059ff4f14d1f37321b94061c6db164fbe49b334b31643e0528d100d99"},
+    {file = "pydantic_core-2.27.2-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:40d02e7d45c9f8af700f3452f329ead92da4c5f4317ca9b896de7ce7199ea459"},
+    {file = "pydantic_core-2.27.2-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:1c1fd185014191700554795c99b347d64f2bb637966c4cfc16998a0ca700d048"},
+    {file = "pydantic_core-2.27.2-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:d81d2068e1c1228a565af076598f9e7451712700b673de8f502f0334f281387d"},
+    {file = "pydantic_core-2.27.2-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:1a4207639fb02ec2dbb76227d7c751a20b1a6b4bc52850568e52260cae64ca3b"},
+    {file = "pydantic_core-2.27.2-cp311-cp311-musllinux_1_1_armv7l.whl", hash = "sha256:3de3ce3c9ddc8bbd88f6e0e304dea0e66d843ec9de1b0042b0911c1663ffd474"},
+    {file = "pydantic_core-2.27.2-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:30c5f68ded0c36466acede341551106821043e9afaad516adfb6e8fa80a4e6a6"},
+    {file = "pydantic_core-2.27.2-cp311-cp311-win32.whl", hash = "sha256:c70c26d2c99f78b125a3459f8afe1aed4d9687c24fd677c6a4436bc042e50d6c"},
+    {file = "pydantic_core-2.27.2-cp311-cp311-win_amd64.whl", hash = "sha256:08e125dbdc505fa69ca7d9c499639ab6407cfa909214d500897d02afb816e7cc"},
+    {file = "pydantic_core-2.27.2-cp311-cp311-win_arm64.whl", hash = "sha256:26f0d68d4b235a2bae0c3fc585c585b4ecc51382db0e3ba402a22cbc440915e4"},
+    {file = "pydantic_core-2.27.2-cp312-cp312-macosx_10_12_x86_64.whl", hash = "sha256:9e0c8cfefa0ef83b4da9588448b6d8d2a2bf1a53c3f1ae5fca39eb3061e2f0b0"},
+    {file = "pydantic_core-2.27.2-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:83097677b8e3bd7eaa6775720ec8e0405f1575015a463285a92bfdfe254529ef"},
+    {file = "pydantic_core-2.27.2-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:172fce187655fece0c90d90a678424b013f8fbb0ca8b036ac266749c09438cb7"},
+    {file = "pydantic_core-2.27.2-cp312-cp312-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:519f29f5213271eeeeb3093f662ba2fd512b91c5f188f3bb7b27bc5973816934"},
+    {file = "pydantic_core-2.27.2-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:05e3a55d124407fffba0dd6b0c0cd056d10e983ceb4e5dbd10dda135c31071d6"},
+    {file = "pydantic_core-2.27.2-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:9c3ed807c7b91de05e63930188f19e921d1fe90de6b4f5cd43ee7fcc3525cb8c"},
+    {file = "pydantic_core-2.27.2-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:6fb4aadc0b9a0c063206846d603b92030eb6f03069151a625667f982887153e2"},
+    {file = "pydantic_core-2.27.2-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:28ccb213807e037460326424ceb8b5245acb88f32f3d2777427476e1b32c48c4"},
+    {file = "pydantic_core-2.27.2-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:de3cd1899e2c279b140adde9357c4495ed9d47131b4a4eaff9052f23398076b3"},
+    {file = "pydantic_core-2.27.2-cp312-cp312-musllinux_1_1_armv7l.whl", hash = "sha256:220f892729375e2d736b97d0e51466252ad84c51857d4d15f5e9692f9ef12be4"},
+    {file = "pydantic_core-2.27.2-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:a0fcd29cd6b4e74fe8ddd2c90330fd8edf2e30cb52acda47f06dd615ae72da57"},
+    {file = "pydantic_core-2.27.2-cp312-cp312-win32.whl", hash = "sha256:1e2cb691ed9834cd6a8be61228471d0a503731abfb42f82458ff27be7b2186fc"},
+    {file = "pydantic_core-2.27.2-cp312-cp312-win_amd64.whl", hash = "sha256:cc3f1a99a4f4f9dd1de4fe0312c114e740b5ddead65bb4102884b384c15d8bc9"},
+    {file = "pydantic_core-2.27.2-cp312-cp312-win_arm64.whl", hash = "sha256:3911ac9284cd8a1792d3cb26a2da18f3ca26c6908cc434a18f730dc0db7bfa3b"},
+    {file = "pydantic_core-2.27.2-cp313-cp313-macosx_10_12_x86_64.whl", hash = "sha256:7d14bd329640e63852364c306f4d23eb744e0f8193148d4044dd3dacdaacbd8b"},
+    {file = "pydantic_core-2.27.2-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:82f91663004eb8ed30ff478d77c4d1179b3563df6cdb15c0817cd1cdaf34d154"},
+    {file = "pydantic_core-2.27.2-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:71b24c7d61131bb83df10cc7e687433609963a944ccf45190cfc21e0887b08c9"},
+    {file = "pydantic_core-2.27.2-cp313-cp313-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:fa8e459d4954f608fa26116118bb67f56b93b209c39b008277ace29937453dc9"},
+    {file = "pydantic_core-2.27.2-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:ce8918cbebc8da707ba805b7fd0b382816858728ae7fe19a942080c24e5b7cd1"},
+    {file = "pydantic_core-2.27.2-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:eda3f5c2a021bbc5d976107bb302e0131351c2ba54343f8a496dc8783d3d3a6a"},
+    {file = "pydantic_core-2.27.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:bd8086fa684c4775c27f03f062cbb9eaa6e17f064307e86b21b9e0abc9c0f02e"},
+    {file = "pydantic_core-2.27.2-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:8d9b3388db186ba0c099a6d20f0604a44eabdeef1777ddd94786cdae158729e4"},
+    {file = "pydantic_core-2.27.2-cp313-cp313-musllinux_1_1_aarch64.whl", hash = "sha256:7a66efda2387de898c8f38c0cf7f14fca0b51a8ef0b24bfea5849f1b3c95af27"},
+    {file = "pydantic_core-2.27.2-cp313-cp313-musllinux_1_1_armv7l.whl", hash = "sha256:18a101c168e4e092ab40dbc2503bdc0f62010e95d292b27827871dc85450d7ee"},
+    {file = "pydantic_core-2.27.2-cp313-cp313-musllinux_1_1_x86_64.whl", hash = "sha256:ba5dd002f88b78a4215ed2f8ddbdf85e8513382820ba15ad5ad8955ce0ca19a1"},
+    {file = "pydantic_core-2.27.2-cp313-cp313-win32.whl", hash = "sha256:1ebaf1d0481914d004a573394f4be3a7616334be70261007e47c2a6fe7e50130"},
+    {file = "pydantic_core-2.27.2-cp313-cp313-win_amd64.whl", hash = "sha256:953101387ecf2f5652883208769a79e48db18c6df442568a0b5ccd8c2723abee"},
+    {file = "pydantic_core-2.27.2-cp313-cp313-win_arm64.whl", hash = "sha256:ac4dbfd1691affb8f48c2c13241a2e3b60ff23247cbcf981759c768b6633cf8b"},
+    {file = "pydantic_core-2.27.2-cp38-cp38-macosx_10_12_x86_64.whl", hash = "sha256:d3e8d504bdd3f10835468f29008d72fc8359d95c9c415ce6e767203db6127506"},
+    {file = "pydantic_core-2.27.2-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:521eb9b7f036c9b6187f0b47318ab0d7ca14bd87f776240b90b21c1f4f149320"},
+    {file = "pydantic_core-2.27.2-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:85210c4d99a0114f5a9481b44560d7d1e35e32cc5634c656bc48e590b669b145"},
+    {file = "pydantic_core-2.27.2-cp38-cp38-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:d716e2e30c6f140d7560ef1538953a5cd1a87264c737643d481f2779fc247fe1"},
+    {file = "pydantic_core-2.27.2-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:f66d89ba397d92f840f8654756196d93804278457b5fbede59598a1f9f90b228"},
+    {file = "pydantic_core-2.27.2-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:669e193c1c576a58f132e3158f9dfa9662969edb1a250c54d8fa52590045f046"},
+    {file = "pydantic_core-2.27.2-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9fdbe7629b996647b99c01b37f11170a57ae675375b14b8c13b8518b8320ced5"},
+    {file = "pydantic_core-2.27.2-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:d262606bf386a5ba0b0af3b97f37c83d7011439e3dc1a9298f21efb292e42f1a"},
+    {file = "pydantic_core-2.27.2-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:cabb9bcb7e0d97f74df8646f34fc76fbf793b7f6dc2438517d7a9e50eee4f14d"},
+    {file = "pydantic_core-2.27.2-cp38-cp38-musllinux_1_1_armv7l.whl", hash = "sha256:d2d63f1215638d28221f664596b1ccb3944f6e25dd18cd3b86b0a4c408d5ebb9"},
+    {file = "pydantic_core-2.27.2-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:bca101c00bff0adb45a833f8451b9105d9df18accb8743b08107d7ada14bd7da"},
+    {file = "pydantic_core-2.27.2-cp38-cp38-win32.whl", hash = "sha256:f6f8e111843bbb0dee4cb6594cdc73e79b3329b526037ec242a3e49012495b3b"},
+    {file = "pydantic_core-2.27.2-cp38-cp38-win_amd64.whl", hash = "sha256:fd1aea04935a508f62e0d0ef1f5ae968774a32afc306fb8545e06f5ff5cdf3ad"},
+    {file = "pydantic_core-2.27.2-cp39-cp39-macosx_10_12_x86_64.whl", hash = "sha256:c10eb4f1659290b523af58fa7cffb452a61ad6ae5613404519aee4bfbf1df993"},
+    {file = "pydantic_core-2.27.2-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:ef592d4bad47296fb11f96cd7dc898b92e795032b4894dfb4076cfccd43a9308"},
+    {file = "pydantic_core-2.27.2-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:c61709a844acc6bf0b7dce7daae75195a10aac96a596ea1b776996414791ede4"},
+    {file = "pydantic_core-2.27.2-cp39-cp39-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:42c5f762659e47fdb7b16956c71598292f60a03aa92f8b6351504359dbdba6cf"},
+    {file = "pydantic_core-2.27.2-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:4c9775e339e42e79ec99c441d9730fccf07414af63eac2f0e48e08fd38a64d76"},
+    {file = "pydantic_core-2.27.2-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:57762139821c31847cfb2df63c12f725788bd9f04bc2fb392790959b8f70f118"},
+    {file = "pydantic_core-2.27.2-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:0d1e85068e818c73e048fe28cfc769040bb1f475524f4745a5dc621f75ac7630"},
+    {file = "pydantic_core-2.27.2-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:097830ed52fd9e427942ff3b9bc17fab52913b2f50f2880dc4a5611446606a54"},
+    {file = "pydantic_core-2.27.2-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:044a50963a614ecfae59bb1eaf7ea7efc4bc62f49ed594e18fa1e5d953c40e9f"},
+    {file = "pydantic_core-2.27.2-cp39-cp39-musllinux_1_1_armv7l.whl", hash = "sha256:4e0b4220ba5b40d727c7f879eac379b822eee5d8fff418e9d3381ee45b3b0362"},
+    {file = "pydantic_core-2.27.2-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:5e4f4bb20d75e9325cc9696c6802657b58bc1dbbe3022f32cc2b2b632c3fbb96"},
+    {file = "pydantic_core-2.27.2-cp39-cp39-win32.whl", hash = "sha256:cca63613e90d001b9f2f9a9ceb276c308bfa2a43fafb75c8031c4f66039e8c6e"},
+    {file = "pydantic_core-2.27.2-cp39-cp39-win_amd64.whl", hash = "sha256:77d1bca19b0f7021b3a982e6f903dcd5b2b06076def36a652e3907f596e29f67"},
+    {file = "pydantic_core-2.27.2-pp310-pypy310_pp73-macosx_10_12_x86_64.whl", hash = "sha256:2bf14caea37e91198329b828eae1618c068dfb8ef17bb33287a7ad4b61ac314e"},
+    {file = "pydantic_core-2.27.2-pp310-pypy310_pp73-macosx_11_0_arm64.whl", hash = "sha256:b0cb791f5b45307caae8810c2023a184c74605ec3bcbb67d13846c28ff731ff8"},
+    {file = "pydantic_core-2.27.2-pp310-pypy310_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:688d3fd9fcb71f41c4c015c023d12a79d1c4c0732ec9eb35d96e3388a120dcf3"},
+    {file = "pydantic_core-2.27.2-pp310-pypy310_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:3d591580c34f4d731592f0e9fe40f9cc1b430d297eecc70b962e93c5c668f15f"},
+    {file = "pydantic_core-2.27.2-pp310-pypy310_pp73-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:82f986faf4e644ffc189a7f1aafc86e46ef70372bb153e7001e8afccc6e54133"},
+    {file = "pydantic_core-2.27.2-pp310-pypy310_pp73-musllinux_1_1_aarch64.whl", hash = "sha256:bec317a27290e2537f922639cafd54990551725fc844249e64c523301d0822fc"},
+    {file = "pydantic_core-2.27.2-pp310-pypy310_pp73-musllinux_1_1_armv7l.whl", hash = "sha256:0296abcb83a797db256b773f45773da397da75a08f5fcaef41f2044adec05f50"},
+    {file = "pydantic_core-2.27.2-pp310-pypy310_pp73-musllinux_1_1_x86_64.whl", hash = "sha256:0d75070718e369e452075a6017fbf187f788e17ed67a3abd47fa934d001863d9"},
+    {file = "pydantic_core-2.27.2-pp310-pypy310_pp73-win_amd64.whl", hash = "sha256:7e17b560be3c98a8e3aa66ce828bdebb9e9ac6ad5466fba92eb74c4c95cb1151"},
+    {file = "pydantic_core-2.27.2-pp39-pypy39_pp73-macosx_10_12_x86_64.whl", hash = "sha256:c33939a82924da9ed65dab5a65d427205a73181d8098e79b6b426bdf8ad4e656"},
+    {file = "pydantic_core-2.27.2-pp39-pypy39_pp73-macosx_11_0_arm64.whl", hash = "sha256:00bad2484fa6bda1e216e7345a798bd37c68fb2d97558edd584942aa41b7d278"},
+    {file = "pydantic_core-2.27.2-pp39-pypy39_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:c817e2b40aba42bac6f457498dacabc568c3b7a986fc9ba7c8d9d260b71485fb"},
+    {file = "pydantic_core-2.27.2-pp39-pypy39_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:251136cdad0cb722e93732cb45ca5299fb56e1344a833640bf93b2803f8d1bfd"},
+    {file = "pydantic_core-2.27.2-pp39-pypy39_pp73-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:d2088237af596f0a524d3afc39ab3b036e8adb054ee57cbb1dcf8e09da5b29cc"},
+    {file = "pydantic_core-2.27.2-pp39-pypy39_pp73-musllinux_1_1_aarch64.whl", hash = "sha256:d4041c0b966a84b4ae7a09832eb691a35aec90910cd2dbe7a208de59be77965b"},
+    {file = "pydantic_core-2.27.2-pp39-pypy39_pp73-musllinux_1_1_armv7l.whl", hash = "sha256:8083d4e875ebe0b864ffef72a4304827015cff328a1be6e22cc850753bfb122b"},
+    {file = "pydantic_core-2.27.2-pp39-pypy39_pp73-musllinux_1_1_x86_64.whl", hash = "sha256:f141ee28a0ad2123b6611b6ceff018039df17f32ada8b534e6aa039545a3efb2"},
+    {file = "pydantic_core-2.27.2-pp39-pypy39_pp73-win_amd64.whl", hash = "sha256:7d0c8399fcc1848491f00e0314bd59fb34a9c008761bcb422a057670c3f65e35"},
+    {file = "pydantic_core-2.27.2.tar.gz", hash = "sha256:eb026e5a4c1fee05726072337ff51d1efb6f59090b7da90d30ea58625b1ffb39"},
 ]

 [package.dependencies]
--- a/pyproject.toml
+++ b/pyproject.toml
@ -1,6 +1,6 @@
 [tool.poetry]
 name = "authentik"
-version = "2024.12.4"
+version = "2024.12.0"
 description = ""
 authors = ["authentik Team <hello@goauthentik.io>"]

--- a/schema.yml
+++ b/schema.yml
@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
  title: authentik
-  version: 2024.12.4
+  version: 2024.12.0
  description: Making authentication simple.
  contact:
    email: hello@goauthentik.io
--- a/scripts/test_docker.sh
+++ b/scripts/test_docker.sh
@ -1,29 +0,0 @@
-#!/bin/bash
-set -e -x -o pipefail
-hash="$(git rev-parse HEAD || openssl rand -base64 36)"
-
-AUTHENTIK_IMAGE="xghcr.io/goauthentik/server"
-AUTHENTIK_TAG="$(echo "$hash" | cut -c1-15)"
-
-if [ -f .env ]; then
-    echo "Existing .env file, aborting"
-    exit 1
-fi
-
-echo PG_PASS="$(openssl rand -base64 36 | tr -d '\n')" >.env
-echo AUTHENTIK_SECRET_KEY="$(openssl rand -base64 60 | tr -d '\n')" >>.env
-echo AUTHENTIK_IMAGE="${AUTHENTIK_IMAGE}" >>.env
-echo AUTHENTIK_TAG="${AUTHENTIK_TAG}" >>.env
-export COMPOSE_PROJECT_NAME="authentik-test-${AUTHENTIK_TAG}"
-
-# Ensure buildx is installed
-docker buildx install
-# For release builds we have an empty client here as we use the NPM package
-mkdir -p ./gen-ts-api
-touch .env
-
-docker build -t "${AUTHENTIK_IMAGE}:${AUTHENTIK_TAG}" .
-docker compose up --no-start
-docker compose start postgresql redis
-docker compose run -u root server test-all
-docker compose down -v
--- a/web/package-lock.json
+++ b/web/package-lock.json
@ -23,7 +23,7 @@
                "@floating-ui/dom": "^1.6.11",
                "@formatjs/intl-listformat": "^7.5.7",
                "@fortawesome/fontawesome-free": "^6.6.0",
-                "@goauthentik/api": "^2024.10.5-1734528783",
+                "@goauthentik/api": "^2024.12.0-1734640050",
                "@lit-labs/ssr": "^3.2.2",
                "@lit/context": "^1.1.2",
                "@lit/localize": "^0.12.2",
@ -1775,9 +1775,9 @@
            }
        },
        "node_modules/@goauthentik/api": {
-            "version": "2024.10.5-1734528783",
-            "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2024.10.5-1734528783.tgz",
-            "integrity": "sha512-jYo1hpBcsmyL3r8lnjWX1BVQUtVnwEM9c/TjNyxQX47TEdYEdXnyO037KGJxnGNQS5Dm+gCsKaExI/a18bNZeQ=="
+            "version": "2024.12.0-1734640050",
+            "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2024.12.0-1734640050.tgz",
+            "integrity": "sha512-+0F7fpCeWS+53Jt98u5qDVG3ECTHmaFO01719Sxo83qEepoP4KY/I4pUaVTRfHm5qflodwKkuyfd7ZcG9k9hNg=="
        },
        "node_modules/@goauthentik/web": {
            "resolved": "",
--- a/web/package.json
+++ b/web/package.json
@ -11,7 +11,7 @@
        "@floating-ui/dom": "^1.6.11",
        "@formatjs/intl-listformat": "^7.5.7",
        "@fortawesome/fontawesome-free": "^6.6.0",
-        "@goauthentik/api": "^2024.10.5-1734528783",
+        "@goauthentik/api": "^2024.12.0-1734640050",
        "@lit-labs/ssr": "^3.2.2",
        "@lit/context": "^1.1.2",
        "@lit/localize": "^0.12.2",
--- a/web/src/admin/outposts/ServiceConnectionListPage.ts
+++ b/web/src/admin/outposts/ServiceConnectionListPage.ts
@ -46,7 +46,7 @@ export class OutpostServiceConnectionListPage extends TablePage<ServiceConnectio
        const connections = await new OutpostsApi(DEFAULT_CONFIG).outpostsServiceConnectionsAllList(
            await this.defaultEndpointConfig(),
        );
-        await Promise.all(
+        Promise.all(
            connections.results.map((connection) => {
                return new OutpostsApi(DEFAULT_CONFIG)
                    .outpostsServiceConnectionsAllStateRetrieve({
--- a/web/src/admin/providers/proxy/ProxyProviderFormForm.ts
+++ b/web/src/admin/providers/proxy/ProxyProviderFormForm.ts
@ -291,7 +291,7 @@ export function renderForm(

                ${showHttpBasic ? renderHttpBasic(provider) : nothing}
                <ak-form-element-horizontal
-                    label=${msg("Federated OIDC Sources")}
+                    label=${msg("Trusted OIDC Sources")}
                    name="jwtFederationSources"
                >
                    <ak-dual-select-dynamic-selected
--- a/web/src/admin/users/UserListPage.ts
+++ b/web/src/admin/users/UserListPage.ts
@ -131,10 +131,9 @@ export class UserListPage extends WithBrandConfig(WithCapabilitiesConfig(TablePa

    constructor() {
        super();
-        const defaultPath = new DefaultUIConfig().defaults.userPath;
-        this.activePath = getURLParam<string>("path", defaultPath);
+        this.activePath = getURLParam<string>("path", "/");
        uiConfig().then((c) => {
-            if (c.defaults.userPath !== defaultPath) {
+            if (c.defaults.userPath !== new DefaultUIConfig().defaults.userPath) {
                this.activePath = c.defaults.userPath;
            }
        });
--- a/web/src/common/constants.ts
+++ b/web/src/common/constants.ts
@ -3,7 +3,7 @@ export const SUCCESS_CLASS = "pf-m-success";
 export const ERROR_CLASS = "pf-m-danger";
 export const PROGRESS_CLASS = "pf-m-in-progress";
 export const CURRENT_CLASS = "pf-m-current";
-export const VERSION = "2024.12.4";
+export const VERSION = "2024.12.0";
 export const TITLE_DEFAULT = "authentik";
 export const ROUTE_SEPARATOR = ";";

--- a/web/src/elements/LoadingOverlay.ts
+++ b/web/src/elements/LoadingOverlay.ts
@ -18,12 +18,6 @@ export class LoadingOverlay extends AKElement implements ILoadingOverlay {
    @property({ type: Boolean, attribute: "topmost" })
    topmost = false;

-    @property({ type: Boolean })
-    loading = true;
-
-    @property({ type: String })
-    icon = "";
-
    static get styles() {
        return [
            PFBase,
@ -46,7 +40,7 @@ export class LoadingOverlay extends AKElement implements ILoadingOverlay {
    }

    render() {
-        return html`<ak-empty-state ?loading=${this.loading} header="" icon=${this.icon}>
+        return html`<ak-empty-state loading header="">
            <span slot="body"><slot></slot></span>
        </ak-empty-state>`;
    }
--- a/web/src/elements/sidebar/SidebarBrand.ts
+++ b/web/src/elements/sidebar/SidebarBrand.ts
@ -3,7 +3,6 @@ import { AKElement } from "@goauthentik/elements/Base";
 import { WithBrandConfig } from "@goauthentik/elements/Interface/brandProvider";
 import { themeImage } from "@goauthentik/elements/utils/images";

-import { msg } from "@lit/localize";
 import { CSSResult, TemplateResult, css, html } from "lit";
 import { customElement } from "lit/decorators.js";

@ -87,7 +86,7 @@ export class SidebarBrand extends WithBrandConfig(AKElement) {
                <div class="pf-c-brand ak-brand">
                    <img
                        src=${themeImage(this.brand?.brandingLogo ?? DefaultBrand.brandingLogo)}
-                        alt="${msg("authentik Logo")}"
+                        alt="authentik Logo"
                        loading="lazy"
                    />
                </div>
--- a/web/src/enterprise/rac/index.ts
+++ b/web/src/enterprise/rac/index.ts
@ -4,7 +4,7 @@ import "@goauthentik/elements/LoadingOverlay";
 import Guacamole from "guacamole-common-js";

 import { msg, str } from "@lit/localize";
-import { CSSResult, TemplateResult, css, html, nothing } from "lit";
+import { CSSResult, TemplateResult, css, html } from "lit";
 import { customElement, property, state } from "lit/decorators.js";

 import AKGlobal from "@goauthentik/common/styles/authentik.css";
@ -21,23 +21,6 @@ enum GuacClientState {
    DISCONNECTED = 5,
 }

-export function GuacStateToString(state: GuacClientState): string {
-    switch (state) {
-        case GuacClientState.IDLE:
-            return msg("Idle");
-        case GuacClientState.CONNECTING:
-            return msg("Connecting");
-        case GuacClientState.WAITING:
-            return msg("Waiting");
-        case GuacClientState.CONNECTED:
-            return msg("Connected");
-        case GuacClientState.DISCONNECTING:
-            return msg("Disconnecting");
-        case GuacClientState.DISCONNECTED:
-            return msg("Disconnected");
-    }
-}
-
 const AUDIO_INPUT_MIMETYPE = "audio/L16;rate=44100,channels=2";
 const RECONNECT_ATTEMPTS_INITIAL = 5;
 const RECONNECT_ATTEMPTS = 5;
@ -81,9 +64,6 @@ export class RacInterface extends Interface {
    @state()
    clientState?: GuacClientState;

-    @state()
-    clientStatus?: Guacamole.Status;
-
    @state()
    reconnectingMessage = "";

@ -158,7 +138,6 @@ export class RacInterface extends Interface {
        };
        this.client = new Guacamole.Client(this.tunnel);
        this.client.onerror = (err) => {
-            this.clientStatus = err;
            console.debug("authentik/rac: error: ", err);
            this.reconnect();
        };
@ -196,10 +175,6 @@ export class RacInterface extends Interface {
        const params = new URLSearchParams();
        params.set("screen_width", Math.floor(RacInterface.domSize().width).toString());
        params.set("screen_height", Math.floor(RacInterface.domSize().height).toString());
-        // https://github.com/goauthentik/authentik/pull/11757
-        // there are DPI issues when using SSH on HiDPi screens
-        // but if we're not setting DPI at all the resolution is not respected at all
-        params.set("screen_dpi", "96");
        this.client.connect(params.toString());
    }

@ -246,7 +221,6 @@ export class RacInterface extends Interface {
            return;
        }
        this.hasConnected = true;
-        this.clientStatus = undefined;
        this.container = this.client.getDisplay().getElement();
        this.initMouse(this.container);
        this.client?.sendSize(
@ -336,35 +310,19 @@ export class RacInterface extends Interface {
        console.debug("authentik/rac: Sent clipboard");
    }

-    renderOverlay() {
-        if (!this.clientState || this.clientState == GuacClientState.CONNECTED) {
-            return nothing;
-        }
-        let message = html`${GuacStateToString(this.clientState)}`;
-        if (this.clientState == GuacClientState.WAITING) {
-            message = html`${msg("Connecting...")}`;
-        }
-        if (this.hasConnected) {
-            message = html`${this.reconnectingMessage}`;
-        }
-        if (this.clientStatus?.message) {
-            message = html`${message}<br />${this.clientStatus.message}`;
-        }
-        const isLoading = [
-            GuacClientState.CONNECTING,
-            GuacClientState.DISCONNECTING,
-            GuacClientState.WAITING,
-        ].includes(this.clientState);
-        return html`
-            <ak-loading-overlay ?loading=${isLoading} icon="fa fa-times">
-                <span> ${message} </span>
-            </ak-loading-overlay>
-        `;
-    }
-
    render(): TemplateResult {
        return html`
-            ${this.renderOverlay()}
+            ${this.clientState !== GuacClientState.CONNECTED
+                ? html`
+                      <ak-loading-overlay>
+                          <span>
+                              ${this.hasConnected
+                                  ? html`${this.reconnectingMessage}`
+                                  : html`${msg("Connecting...")}`}
+                          </span>
+                      </ak-loading-overlay>
+                  `
+                : html``}
            <div class="container">${this.container}</div>
        `;
    }
--- a/web/src/flow/FlowExecutor.ts
+++ b/web/src/flow/FlowExecutor.ts
@ -511,7 +511,7 @@ export class FlowExecutor extends Interface implements StageHost {
                                                            DefaultBrand.brandingLogo,
                                                        ),
                                                    )}"
-                                                    alt="${msg("authentik Logo")}"
+                                                    alt="authentik Logo"
                                                />
                                            </div>
                                            ${until(this.renderChallenge())}
--- a/web/src/standalone/api-browser/index.ts
+++ b/web/src/standalone/api-browser/index.ts
@ -8,7 +8,6 @@ import { DefaultBrand } from "@goauthentik/elements/sidebar/SidebarBrand";
 import { themeImage } from "@goauthentik/elements/utils/images";
 import "rapidoc";

-import { msg } from "@lit/localize";
 import { CSSResult, TemplateResult, css, html } from "lit";
 import { customElement, property, state } from "lit/decorators.js";
 import { ifDefined } from "lit/directives/if-defined.js";
@ -103,7 +102,7 @@ export class APIBrowser extends Interface {
                >
                    <div slot="nav-logo">
                        <img
-                            alt="${msg("authentik Logo")}"
+                            alt="authentik Logo"
                            class="logo"
                            src="${themeImage(
                                first(this.brand?.brandingLogo, DefaultBrand.brandingLogo),
--- a/web/xliff/de.xlf
+++ b/web/xliff/de.xlf
@ -1189,11 +1189,6 @@
      <trans-unit id="s9e9316a6b0c16231">
        <source>Client Networks</source>
      </trans-unit>
-      <trans-unit id="s7f2dcf01f7a8c0b7">
-        <source>List of CIDRs (comma-seperated) that clients can connect from. A more specific
-                            CIDR will match before a looser one. Clients connecting from a non-specified CIDR
-                            will be dropped.</source>
-      </trans-unit>
      <trans-unit id="s61eacb19db252f5e">
        <source>URL</source>
      </trans-unit>
@ -1647,16 +1642,10 @@
        <source>Run sync again</source>
        <target>Synchronisation erneut ausführen</target>
      </trans-unit>
-      <trans-unit id="sc2cedfb22488ccb2">
-        <source>Modern applications, APIs and Single-page applications.</source>
-      </trans-unit>
      <trans-unit id="sc3259eb55cf91e8c">
        <source>LDAP</source>
        <target>LDAP</target>
      </trans-unit>
-      <trans-unit id="sffd5481034a1bd41">
-        <source>Provide an LDAP interface for applications and users to authenticate against.</source>
-      </trans-unit>
      <trans-unit id="s0c9670f429e74283">
        <source>New application</source>
      </trans-unit>
@ -2014,22 +2003,18 @@ doesn't pass when either or both of the selected options are equal or above the
      <trans-unit id="s2e532e19ed477a56">
        <source>Path</source>
      </trans-unit>
-      <trans-unit id="s67560d7e37d984c3">
-        <source>Policy / User / Group</source>
-        <target>Richtlinie / Benutzer / Gruppe</target>
-      </trans-unit>
      <trans-unit id="s030ac0829bb50a49">
-        <source>Policy <x id="0" equiv-text="${item.policyObj?.name}"/></source>
+        <source>Policy <x id="0" equiv-text="${v.policyObj?.name}"/></source>
        <target>Richtlinie
        <x id="0" equiv-text="${item.policyObj?.name}"/></target>
      </trans-unit>
      <trans-unit id="s2a64d2dca3da9b0e">
-        <source>Group <x id="0" equiv-text="${item.groupObj?.name}"/></source>
+        <source>Group <x id="0" equiv-text="${v.groupObj?.name}"/></source>
        <target>Gruppe
        <x id="0" equiv-text="${item.groupObj?.name}"/></target>
      </trans-unit>
      <trans-unit id="se5dc026819a32ff8">
-        <source>User <x id="0" equiv-text="${item.userObj?.name}"/></source>
+        <source>User <x id="0" equiv-text="${v.userObj?.name}"/></source>
        <target>Benutzer
        <x id="0" equiv-text="${item.userObj?.name}"/></target>
      </trans-unit>
@ -5572,36 +5557,12 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="se2b29e6cfe59414c">
  <source>UI Settings</source>
 </trans-unit>
-<trans-unit id="s836148f721d8913b">
-  <source>Transparent Reverse Proxy</source>
-</trans-unit>
-<trans-unit id="s945a6b94361ee45b">
-  <source>For transparent reverse proxies with required authentication</source>
-</trans-unit>
-<trans-unit id="s40830ec037f34626">
-  <source>Configure SAML provider manually</source>
-</trans-unit>
-<trans-unit id="sea9fc40dfd1d18b1">
-  <source>Configure RADIUS provider manually</source>
-</trans-unit>
-<trans-unit id="sa1b0052ae095b9b3">
-  <source>Configure SCIM provider manually</source>
-</trans-unit>
-<trans-unit id="s15831fa50a116545">
-  <source>Saving Application...</source>
-</trans-unit>
 <trans-unit id="s848288f8c2265aad">
  <source>Your application has been saved</source>
 </trans-unit>
 <trans-unit id="s67d858051b34c38b">
  <source>Method's display Name.</source>
 </trans-unit>
-<trans-unit id="h10ef80d434185070">
-  <source>Use this provider with nginx's <x id="0" equiv-text="&lt;code&gt;"/>auth_request<x id="1" equiv-text="&lt;/code&gt;"/> or traefik's
-                    <x id="2" equiv-text="&lt;code&gt;"/>forwardAuth<x id="3" equiv-text="&lt;/code&gt;"/>. Each application/domain needs its own provider.
-                    Additionally, on each domain, <x id="4" equiv-text="&lt;code&gt;"/>/outpost.goauthentik.io<x id="5" equiv-text="&lt;/code&gt;"/> must be
-                    routed to the outpost (when using a managed outpost, this is done for you).</source>
-</trans-unit>
 <trans-unit id="sd18b18f91b804c3f">
  <source>Custom attributes</source>
 </trans-unit>
@ -5710,9 +5671,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s2da4aa7a9abeb653">
  <source>Pseudolocale (for testing)</source>
 </trans-unit>
-<trans-unit id="s4bd386db7302bb22">
-  <source>Create With Wizard</source>
-</trans-unit>
 <trans-unit id="s070fdfb03034ca9b">
  <source>One hint, 'New Application Wizard', is currently hidden</source>
 </trans-unit>
@ -5722,36 +5680,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s6985c401e1100122">
  <source>Message shown when this stage is run.</source>
 </trans-unit>
-<trans-unit id="s09f0c100d0ad2fec">
-  <source>Open Wizard</source>
-</trans-unit>
-<trans-unit id="sf2ef885f7d0a101d">
-  <source>Demo Wizard</source>
-</trans-unit>
-<trans-unit id="s77505ee5d2e45e53">
-  <source>Run the demo wizard</source>
-</trans-unit>
-<trans-unit id="s4498e890d47a8066">
-  <source>OAuth2/OIDC (Open Authorization/OpenID Connect)</source>
-</trans-unit>
-<trans-unit id="s4f2e195d09e2868c">
-  <source>LDAP (Lightweight Directory Access Protocol)</source>
-</trans-unit>
-<trans-unit id="s7f5bb0c9923315ed">
-  <source>Forward Auth (Single Application)</source>
-</trans-unit>
-<trans-unit id="sf8008d2d6b064b95">
-  <source>Forward Auth (Domain Level)</source>
-</trans-unit>
-<trans-unit id="sfa8a1ffa9fee07d3">
-  <source>SAML (Security Assertion Markup Language)</source>
-</trans-unit>
-<trans-unit id="s848a23972e388662">
-  <source>RADIUS (Remote Authentication Dial-In User Service)</source>
-</trans-unit>
-<trans-unit id="s3e902999ddf7b50e">
-  <source>SCIM (System for Cross-domain Identity Management)</source>
-</trans-unit>
 <trans-unit id="sdc5690be4a342985">
  <source>The token has been copied to your clipboard</source>
 </trans-unit>
@ -5785,12 +5713,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s0924f51b028233a3">
  <source>&lt;No name set&gt;</source>
 </trans-unit>
-<trans-unit id="sdc9a6ad1af30572c">
-  <source>For nginx's auth_request or traefik's forwardAuth</source>
-</trans-unit>
-<trans-unit id="sfc31264ef7ff86ef">
-  <source>For nginx's auth_request or traefik's forwardAuth per root domain</source>
-</trans-unit>
 <trans-unit id="s32babfed740fd3c1">
  <source>User type used for newly created users.</source>
 </trans-unit>
@ -5860,18 +5782,12 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s21f95eaf151d4ce3">
  <source>Review the provider.</source>
 </trans-unit>
-<trans-unit id="s9fd39a5cb20b4e61">
-  <source>There was an error</source>
-</trans-unit>
 <trans-unit id="s7a6b3453209e1066">
  <source>There was an error creating the application, but no error message was sent. Please review the server logs.</source>
 </trans-unit>
 <trans-unit id="s1a711c19cda48375">
  <source>Configure LDAP Provider</source>
 </trans-unit>
-<trans-unit id="s9368e965b5c292ab">
-  <source>Configure OAuth2/OpenId Provider</source>
-</trans-unit>
 <trans-unit id="sf5cbccdc6254c8dc">
  <source>Configure Proxy Provider</source>
 </trans-unit>
@ -5881,15 +5797,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="sfe906cde5dddc041">
  <source>Configure SAML Provider</source>
 </trans-unit>
-<trans-unit id="sb3defbacd01ad972">
-  <source>Property mappings used for user mapping.</source>
-</trans-unit>
 <trans-unit id="s7ccce0ec8d228db6">
  <source>Configure SCIM Provider</source>
 </trans-unit>
-<trans-unit id="sd7728d2b6e1d25e9">
-  <source>Property mappings used for group creation.</source>
-</trans-unit>
 <trans-unit id="s7513372fe60f6387">
  <source>Event volume</source>
 </trans-unit>
@ -6219,15 +6129,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="se16b4d412ad1aba9">
  <source>Brand name</source>
 </trans-unit>
-<trans-unit id="sb7e68dcad68a638c">
-  <source>Remote Access Provider</source>
-</trans-unit>
-<trans-unit id="sfb1980a471b7dfb6">
-  <source>Remotely access computers/servers via RDP/SSH/VNC</source>
-</trans-unit>
-<trans-unit id="s9ffdea131dddb3c5">
-  <source>Configure Remote Access Provider Provider</source>
-</trans-unit>
 <trans-unit id="s56bc67239b9255a2">
  <source>Delete authorization on disconnect</source>
 </trans-unit>
@ -6597,15 +6498,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s3dc14a4b8129f989">
  <source>Pagination</source>
 </trans-unit>
-<trans-unit id="s6d46b842e227be57">
-  <source>Application Details</source>
-</trans-unit>
-<trans-unit id="s76415a60e548cafe">
-  <source>Provider Configuration</source>
-</trans-unit>
-<trans-unit id="sde59c64619570b57">
-  <source>Submit Application</source>
-</trans-unit>
 <trans-unit id="sf2da0e95c78f2cb7">
  <source>Restore Application Wizard Hint</source>
 </trans-unit>
@ -6849,9 +6741,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s2d5f69929bb7221d">
  <source><x id="0" equiv-text="${p.name}"/> ("<x id="1" equiv-text="${p.fieldKey}"/>", of type <x id="2" equiv-text="${p.type}"/>)</source>
 </trans-unit>
-<trans-unit id="sa38c5a2731be3a46">
-  <source>authentik was unable to save this application:</source>
-</trans-unit>
 <trans-unit id="s25bacc19d98b444e">
  <source>Parent Group</source>
 </trans-unit>
@ -7038,9 +6927,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s4c49d27de60a532b">
  <source>To allow any redirect URI, set the mode to Regex and the value to ".*". Be aware of the possible security implications this can have.</source>
 </trans-unit>
-<trans-unit id="s43f899a86c6a3484">
-  <source>Redirect URIs/Origins</source>
-</trans-unit>
 <trans-unit id="sa52bf79fe1ccb13e">
  <source>Federated OIDC Sources</source>
 </trans-unit>
@ -7118,6 +7004,135 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sbfaee8cfbf4e44e8">
  <source>Require Outpost (flow can only be executed from an outpost)</source>
+</trans-unit>
+<trans-unit id="sb80507bed88545a6">
+  <source>An application name is required</source>
+</trans-unit>
+<trans-unit id="s39c052006b2b141a">
+  <source>Not a valid URL</source>
+</trans-unit>
+<trans-unit id="s317f3ab0da3d068a">
+  <source>Not a valid slug</source>
+</trans-unit>
+<trans-unit id="s177577c23ed3ca7e">
+  <source>Configure The Application</source>
+</trans-unit>
+<trans-unit id="s030ed8a3f12c23ff">
+  <source>Configure Bindings</source>
+</trans-unit>
+<trans-unit id="sc387b20e6d629087">
+  <source>Configure Policy/User/Group Bindings</source>
+</trans-unit>
+<trans-unit id="s71c3ec95efe723ca">
+  <source>No bound policies.</source>
+</trans-unit>
+<trans-unit id="sab1786ef3c0383ba">
+  <source>Bind policy/group/user</source>
+</trans-unit>
+<trans-unit id="s082ea0f3c0a854ff">
+  <source>Configure Policy Bindings</source>
+</trans-unit>
+<trans-unit id="sac315d5bd28d4efa">
+  <source>Don't Pass</source>
+</trans-unit>
+<trans-unit id="s54a37223ce938349">
+  <source>Save Binding</source>
+</trans-unit>
+<trans-unit id="s931754aabd4a6a47">
+  <source>Create a Policy/User/Group Binding</source>
+</trans-unit>
+<trans-unit id="s10ba15343fe64890">
+  <source>Choose A Provider</source>
+</trans-unit>
+<trans-unit id="sb7be945aa799b8d7">
+  <source>Please choose a provider type before proceeding.</source>
+</trans-unit>
+<trans-unit id="s2289ff3b411251d8">
+  <source>Choose a Provider Type</source>
+</trans-unit>
+<trans-unit id="sde0ad51b14f77cf6">
+  <source>Redirect URIs/Origins (RegEx)</source>
+</trans-unit>
+<trans-unit id="s89ae85c3a9df8a6f">
+  <source>Configure OAuth2 Provider</source>
+</trans-unit>
+<trans-unit id="s881271a499c9db98">
+  <source>Configure Remote Access Provider</source>
+</trans-unit>
+<trans-unit id="s9b6bf63fddc7362f">
+  <source>List of CIDRs (comma-seperated) that clients can connect from. A more specific CIDR will match before a looser one. Clients connecting from a non-specified CIDR will be dropped.</source>
+</trans-unit>
+<trans-unit id="s19907c16eb319618">
+  <source>Configure Provider</source>
+</trans-unit>
+<trans-unit id="s7055edd8fab866f4">
+  <source>strict</source>
+</trans-unit>
+<trans-unit id="s5e57ca23b946c1b8">
+  <source>regexp</source>
+</trans-unit>
+<trans-unit id="sd226dc54c414585a">
+  <source>Review and Submit Application</source>
+</trans-unit>
+<trans-unit id="s828ded9ade500ffc">
+  <source>There was an error. Please go back and review the application.</source>
+</trans-unit>
+<trans-unit id="s9fdda682893624a1">
+  <source>There was an error:</source>
+</trans-unit>
+<trans-unit id="s201ee6bc6d9f97da">
+  <source>Please go back and review the application.</source>
+</trans-unit>
+<trans-unit id="s9c09ef16900241fa">
+  <source>Review the Application and Provider</source>
+</trans-unit>
+<trans-unit id="s0a0a21f7bcf9d865">
+  <source>Saving application...</source>
+</trans-unit>
+<trans-unit id="se669a4b939be0891">
+  <source>authentik was unable to complete this process.</source>
+</trans-unit>
+<trans-unit id="s8aac845c63f45ca2">
+  <source>Create with wizard</source>
+</trans-unit>
+<trans-unit id="s080af72866b69b3d">
+  <source>Bind existing <x id="0" equiv-text="${this.allowedTypesLabel}"/></source>
+</trans-unit>
+<trans-unit id="sa36117e97f49c86e">
+  <source>Successfully updated entitlement.</source>
+</trans-unit>
+<trans-unit id="s86bee999b735111f">
+  <source>Successfully created entitlement.</source>
+</trans-unit>
+<trans-unit id="s8a48455905fc14e6">
+  <source>Application entitlement(s)</source>
+</trans-unit>
+<trans-unit id="sae971cbff672090b">
+  <source>Update Entitlement</source>
+</trans-unit>
+<trans-unit id="s537a58ae0ff50f1c">
+  <source>These bindings control which users have access to this entitlement.</source>
+</trans-unit>
+<trans-unit id="s05849efeac672dc7">
+  <source>No app entitlements created.</source>
+</trans-unit>
+<trans-unit id="sdc8a8f29af6aa411">
+  <source>This application does currently not have any application entitlement defined.</source>
+</trans-unit>
+<trans-unit id="sf0bd204ce3fea1de">
+  <source>Create Entitlement</source>
+</trans-unit>
+<trans-unit id="s55d8e42d0a1c057e">
+  <source>Create entitlement</source>
+</trans-unit>
+<trans-unit id="sc6479479c936939f">
+  <source>Application entitlements</source>
+</trans-unit>
+<trans-unit id="sfafbd9bddb38d172">
+  <source>Application entitlements are in preview.</source>
+</trans-unit>
+<trans-unit id="s8e1c375a007d1839">
+  <source>These entitlements can be used to configure user access in this application.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/en.xlf
+++ b/web/xliff/en.xlf
@ -1240,11 +1240,6 @@
        <source>Client Networks</source>
        <target>Client Networks</target>
      </trans-unit>
-      <trans-unit id="s7f2dcf01f7a8c0b7">
-        <source>List of CIDRs (comma-seperated) that clients can connect from. A more specific
-                            CIDR will match before a looser one. Clients connecting from a non-specified CIDR
-                            will be dropped.</source>
-      </trans-unit>
      <trans-unit id="s61eacb19db252f5e">
        <source>URL</source>
        <target>URL</target>
@ -1729,18 +1724,10 @@
        <source>Run sync again</source>
        <target>Run sync again</target>
      </trans-unit>
-      <trans-unit id="sc2cedfb22488ccb2">
-        <source>Modern applications, APIs and Single-page applications.</source>
-        <target>Modern applications, APIs and Single-page applications.</target>
-      </trans-unit>
      <trans-unit id="sc3259eb55cf91e8c">
        <source>LDAP</source>
        <target>LDAP</target>
      </trans-unit>
-      <trans-unit id="sffd5481034a1bd41">
-        <source>Provide an LDAP interface for applications and users to authenticate against.</source>
-        <target>Provide an LDAP interface for applications and users to authenticate against.</target>
-      </trans-unit>
      <trans-unit id="s0c9670f429e74283">
        <source>New application</source>
        <target>New application</target>
@ -2113,22 +2100,18 @@ doesn't pass when either or both of the selected options are equal or above the
        <source>Path</source>
        <target>Path</target>
      </trans-unit>
-      <trans-unit id="s67560d7e37d984c3">
-        <source>Policy / User / Group</source>
-        <target>Policy / User / Group</target>
-      </trans-unit>
      <trans-unit id="s030ac0829bb50a49">
-        <source>Policy <x id="0" equiv-text="${item.policyObj?.name}"/></source>
+        <source>Policy <x id="0" equiv-text="${v.policyObj?.name}"/></source>
        <target>Policy
        <x id="0" equiv-text="${item.policyObj?.name}"/></target>
      </trans-unit>
      <trans-unit id="s2a64d2dca3da9b0e">
-        <source>Group <x id="0" equiv-text="${item.groupObj?.name}"/></source>
+        <source>Group <x id="0" equiv-text="${v.groupObj?.name}"/></source>
        <target>Group
        <x id="0" equiv-text="${item.groupObj?.name}"/></target>
      </trans-unit>
      <trans-unit id="se5dc026819a32ff8">
-        <source>User <x id="0" equiv-text="${item.userObj?.name}"/></source>
+        <source>User <x id="0" equiv-text="${v.userObj?.name}"/></source>
        <target>User
        <x id="0" equiv-text="${item.userObj?.name}"/></target>
      </trans-unit>
@ -5834,36 +5817,12 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="se2b29e6cfe59414c">
  <source>UI Settings</source>
 </trans-unit>
-<trans-unit id="s836148f721d8913b">
-  <source>Transparent Reverse Proxy</source>
-</trans-unit>
-<trans-unit id="s945a6b94361ee45b">
-  <source>For transparent reverse proxies with required authentication</source>
-</trans-unit>
-<trans-unit id="s40830ec037f34626">
-  <source>Configure SAML provider manually</source>
-</trans-unit>
-<trans-unit id="sea9fc40dfd1d18b1">
-  <source>Configure RADIUS provider manually</source>
-</trans-unit>
-<trans-unit id="sa1b0052ae095b9b3">
-  <source>Configure SCIM provider manually</source>
-</trans-unit>
-<trans-unit id="s15831fa50a116545">
-  <source>Saving Application...</source>
-</trans-unit>
 <trans-unit id="s848288f8c2265aad">
  <source>Your application has been saved</source>
 </trans-unit>
 <trans-unit id="s67d858051b34c38b">
  <source>Method's display Name.</source>
 </trans-unit>
-<trans-unit id="h10ef80d434185070">
-  <source>Use this provider with nginx's <x id="0" equiv-text="&lt;code&gt;"/>auth_request<x id="1" equiv-text="&lt;/code&gt;"/> or traefik's
-                    <x id="2" equiv-text="&lt;code&gt;"/>forwardAuth<x id="3" equiv-text="&lt;/code&gt;"/>. Each application/domain needs its own provider.
-                    Additionally, on each domain, <x id="4" equiv-text="&lt;code&gt;"/>/outpost.goauthentik.io<x id="5" equiv-text="&lt;/code&gt;"/> must be
-                    routed to the outpost (when using a managed outpost, this is done for you).</source>
-</trans-unit>
 <trans-unit id="sd18b18f91b804c3f">
  <source>Custom attributes</source>
 </trans-unit>
@ -5972,9 +5931,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s2da4aa7a9abeb653">
  <source>Pseudolocale (for testing)</source>
 </trans-unit>
-<trans-unit id="s4bd386db7302bb22">
-  <source>Create With Wizard</source>
-</trans-unit>
 <trans-unit id="s070fdfb03034ca9b">
  <source>One hint, 'New Application Wizard', is currently hidden</source>
 </trans-unit>
@ -5984,36 +5940,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s6985c401e1100122">
  <source>Message shown when this stage is run.</source>
 </trans-unit>
-<trans-unit id="s09f0c100d0ad2fec">
-  <source>Open Wizard</source>
-</trans-unit>
-<trans-unit id="sf2ef885f7d0a101d">
-  <source>Demo Wizard</source>
-</trans-unit>
-<trans-unit id="s77505ee5d2e45e53">
-  <source>Run the demo wizard</source>
-</trans-unit>
-<trans-unit id="s4498e890d47a8066">
-  <source>OAuth2/OIDC (Open Authorization/OpenID Connect)</source>
-</trans-unit>
-<trans-unit id="s4f2e195d09e2868c">
-  <source>LDAP (Lightweight Directory Access Protocol)</source>
-</trans-unit>
-<trans-unit id="s7f5bb0c9923315ed">
-  <source>Forward Auth (Single Application)</source>
-</trans-unit>
-<trans-unit id="sf8008d2d6b064b95">
-  <source>Forward Auth (Domain Level)</source>
-</trans-unit>
-<trans-unit id="sfa8a1ffa9fee07d3">
-  <source>SAML (Security Assertion Markup Language)</source>
-</trans-unit>
-<trans-unit id="s848a23972e388662">
-  <source>RADIUS (Remote Authentication Dial-In User Service)</source>
-</trans-unit>
-<trans-unit id="s3e902999ddf7b50e">
-  <source>SCIM (System for Cross-domain Identity Management)</source>
-</trans-unit>
 <trans-unit id="sdc5690be4a342985">
  <source>The token has been copied to your clipboard</source>
 </trans-unit>
@ -6047,12 +5973,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s0924f51b028233a3">
  <source>&lt;No name set&gt;</source>
 </trans-unit>
-<trans-unit id="sdc9a6ad1af30572c">
-  <source>For nginx's auth_request or traefik's forwardAuth</source>
-</trans-unit>
-<trans-unit id="sfc31264ef7ff86ef">
-  <source>For nginx's auth_request or traefik's forwardAuth per root domain</source>
-</trans-unit>
 <trans-unit id="s32babfed740fd3c1">
  <source>User type used for newly created users.</source>
 </trans-unit>
@ -6122,18 +6042,12 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s21f95eaf151d4ce3">
  <source>Review the provider.</source>
 </trans-unit>
-<trans-unit id="s9fd39a5cb20b4e61">
-  <source>There was an error</source>
-</trans-unit>
 <trans-unit id="s7a6b3453209e1066">
  <source>There was an error creating the application, but no error message was sent. Please review the server logs.</source>
 </trans-unit>
 <trans-unit id="s1a711c19cda48375">
  <source>Configure LDAP Provider</source>
 </trans-unit>
-<trans-unit id="s9368e965b5c292ab">
-  <source>Configure OAuth2/OpenId Provider</source>
-</trans-unit>
 <trans-unit id="sf5cbccdc6254c8dc">
  <source>Configure Proxy Provider</source>
 </trans-unit>
@ -6143,15 +6057,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="sfe906cde5dddc041">
  <source>Configure SAML Provider</source>
 </trans-unit>
-<trans-unit id="sb3defbacd01ad972">
-  <source>Property mappings used for user mapping.</source>
-</trans-unit>
 <trans-unit id="s7ccce0ec8d228db6">
  <source>Configure SCIM Provider</source>
 </trans-unit>
-<trans-unit id="sd7728d2b6e1d25e9">
-  <source>Property mappings used for group creation.</source>
-</trans-unit>
 <trans-unit id="s7513372fe60f6387">
  <source>Event volume</source>
 </trans-unit>
@ -6481,15 +6389,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="se16b4d412ad1aba9">
  <source>Brand name</source>
 </trans-unit>
-<trans-unit id="sb7e68dcad68a638c">
-  <source>Remote Access Provider</source>
-</trans-unit>
-<trans-unit id="sfb1980a471b7dfb6">
-  <source>Remotely access computers/servers via RDP/SSH/VNC</source>
-</trans-unit>
-<trans-unit id="s9ffdea131dddb3c5">
-  <source>Configure Remote Access Provider Provider</source>
-</trans-unit>
 <trans-unit id="s56bc67239b9255a2">
  <source>Delete authorization on disconnect</source>
 </trans-unit>
@ -6859,15 +6758,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s3dc14a4b8129f989">
  <source>Pagination</source>
 </trans-unit>
-<trans-unit id="s6d46b842e227be57">
-  <source>Application Details</source>
-</trans-unit>
-<trans-unit id="s76415a60e548cafe">
-  <source>Provider Configuration</source>
-</trans-unit>
-<trans-unit id="sde59c64619570b57">
-  <source>Submit Application</source>
-</trans-unit>
 <trans-unit id="sf2da0e95c78f2cb7">
  <source>Restore Application Wizard Hint</source>
 </trans-unit>
@ -7111,9 +7001,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s2d5f69929bb7221d">
  <source><x id="0" equiv-text="${p.name}"/> ("<x id="1" equiv-text="${p.fieldKey}"/>", of type <x id="2" equiv-text="${p.type}"/>)</source>
 </trans-unit>
-<trans-unit id="sa38c5a2731be3a46">
-  <source>authentik was unable to save this application:</source>
-</trans-unit>
 <trans-unit id="s25bacc19d98b444e">
  <source>Parent Group</source>
 </trans-unit>
@ -7300,9 +7187,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s4c49d27de60a532b">
  <source>To allow any redirect URI, set the mode to Regex and the value to ".*". Be aware of the possible security implications this can have.</source>
 </trans-unit>
-<trans-unit id="s43f899a86c6a3484">
-  <source>Redirect URIs/Origins</source>
-</trans-unit>
 <trans-unit id="sa52bf79fe1ccb13e">
  <source>Federated OIDC Sources</source>
 </trans-unit>
@ -7380,6 +7264,135 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sbfaee8cfbf4e44e8">
  <source>Require Outpost (flow can only be executed from an outpost)</source>
+</trans-unit>
+<trans-unit id="sb80507bed88545a6">
+  <source>An application name is required</source>
+</trans-unit>
+<trans-unit id="s39c052006b2b141a">
+  <source>Not a valid URL</source>
+</trans-unit>
+<trans-unit id="s317f3ab0da3d068a">
+  <source>Not a valid slug</source>
+</trans-unit>
+<trans-unit id="s177577c23ed3ca7e">
+  <source>Configure The Application</source>
+</trans-unit>
+<trans-unit id="s030ed8a3f12c23ff">
+  <source>Configure Bindings</source>
+</trans-unit>
+<trans-unit id="sc387b20e6d629087">
+  <source>Configure Policy/User/Group Bindings</source>
+</trans-unit>
+<trans-unit id="s71c3ec95efe723ca">
+  <source>No bound policies.</source>
+</trans-unit>
+<trans-unit id="sab1786ef3c0383ba">
+  <source>Bind policy/group/user</source>
+</trans-unit>
+<trans-unit id="s082ea0f3c0a854ff">
+  <source>Configure Policy Bindings</source>
+</trans-unit>
+<trans-unit id="sac315d5bd28d4efa">
+  <source>Don't Pass</source>
+</trans-unit>
+<trans-unit id="s54a37223ce938349">
+  <source>Save Binding</source>
+</trans-unit>
+<trans-unit id="s931754aabd4a6a47">
+  <source>Create a Policy/User/Group Binding</source>
+</trans-unit>
+<trans-unit id="s10ba15343fe64890">
+  <source>Choose A Provider</source>
+</trans-unit>
+<trans-unit id="sb7be945aa799b8d7">
+  <source>Please choose a provider type before proceeding.</source>
+</trans-unit>
+<trans-unit id="s2289ff3b411251d8">
+  <source>Choose a Provider Type</source>
+</trans-unit>
+<trans-unit id="sde0ad51b14f77cf6">
+  <source>Redirect URIs/Origins (RegEx)</source>
+</trans-unit>
+<trans-unit id="s89ae85c3a9df8a6f">
+  <source>Configure OAuth2 Provider</source>
+</trans-unit>
+<trans-unit id="s881271a499c9db98">
+  <source>Configure Remote Access Provider</source>
+</trans-unit>
+<trans-unit id="s9b6bf63fddc7362f">
+  <source>List of CIDRs (comma-seperated) that clients can connect from. A more specific CIDR will match before a looser one. Clients connecting from a non-specified CIDR will be dropped.</source>
+</trans-unit>
+<trans-unit id="s19907c16eb319618">
+  <source>Configure Provider</source>
+</trans-unit>
+<trans-unit id="s7055edd8fab866f4">
+  <source>strict</source>
+</trans-unit>
+<trans-unit id="s5e57ca23b946c1b8">
+  <source>regexp</source>
+</trans-unit>
+<trans-unit id="sd226dc54c414585a">
+  <source>Review and Submit Application</source>
+</trans-unit>
+<trans-unit id="s828ded9ade500ffc">
+  <source>There was an error. Please go back and review the application.</source>
+</trans-unit>
+<trans-unit id="s9fdda682893624a1">
+  <source>There was an error:</source>
+</trans-unit>
+<trans-unit id="s201ee6bc6d9f97da">
+  <source>Please go back and review the application.</source>
+</trans-unit>
+<trans-unit id="s9c09ef16900241fa">
+  <source>Review the Application and Provider</source>
+</trans-unit>
+<trans-unit id="s0a0a21f7bcf9d865">
+  <source>Saving application...</source>
+</trans-unit>
+<trans-unit id="se669a4b939be0891">
+  <source>authentik was unable to complete this process.</source>
+</trans-unit>
+<trans-unit id="s8aac845c63f45ca2">
+  <source>Create with wizard</source>
+</trans-unit>
+<trans-unit id="s080af72866b69b3d">
+  <source>Bind existing <x id="0" equiv-text="${this.allowedTypesLabel}"/></source>
+</trans-unit>
+<trans-unit id="sa36117e97f49c86e">
+  <source>Successfully updated entitlement.</source>
+</trans-unit>
+<trans-unit id="s86bee999b735111f">
+  <source>Successfully created entitlement.</source>
+</trans-unit>
+<trans-unit id="s8a48455905fc14e6">
+  <source>Application entitlement(s)</source>
+</trans-unit>
+<trans-unit id="sae971cbff672090b">
+  <source>Update Entitlement</source>
+</trans-unit>
+<trans-unit id="s537a58ae0ff50f1c">
+  <source>These bindings control which users have access to this entitlement.</source>
+</trans-unit>
+<trans-unit id="s05849efeac672dc7">
+  <source>No app entitlements created.</source>
+</trans-unit>
+<trans-unit id="sdc8a8f29af6aa411">
+  <source>This application does currently not have any application entitlement defined.</source>
+</trans-unit>
+<trans-unit id="sf0bd204ce3fea1de">
+  <source>Create Entitlement</source>
+</trans-unit>
+<trans-unit id="s55d8e42d0a1c057e">
+  <source>Create entitlement</source>
+</trans-unit>
+<trans-unit id="sc6479479c936939f">
+  <source>Application entitlements</source>
+</trans-unit>
+<trans-unit id="sfafbd9bddb38d172">
+  <source>Application entitlements are in preview.</source>
+</trans-unit>
+<trans-unit id="s8e1c375a007d1839">
+  <source>These entitlements can be used to configure user access in this application.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/es.xlf
+++ b/web/xliff/es.xlf
@ -1164,11 +1164,6 @@
      <trans-unit id="s9e9316a6b0c16231">
        <source>Client Networks</source>
      </trans-unit>
-      <trans-unit id="s7f2dcf01f7a8c0b7">
-        <source>List of CIDRs (comma-seperated) that clients can connect from. A more specific
-                            CIDR will match before a looser one. Clients connecting from a non-specified CIDR
-                            will be dropped.</source>
-      </trans-unit>
      <trans-unit id="s61eacb19db252f5e">
        <source>URL</source>
      </trans-unit>
@ -1620,16 +1615,10 @@
        <source>Run sync again</source>
        <target>Vuelve a ejecutar la sincronización</target>
      </trans-unit>
-      <trans-unit id="sc2cedfb22488ccb2">
-        <source>Modern applications, APIs and Single-page applications.</source>
-      </trans-unit>
      <trans-unit id="sc3259eb55cf91e8c">
        <source>LDAP</source>
        <target>LDAP</target>
      </trans-unit>
-      <trans-unit id="sffd5481034a1bd41">
-        <source>Provide an LDAP interface for applications and users to authenticate against.</source>
-      </trans-unit>
      <trans-unit id="s0c9670f429e74283">
        <source>New application</source>
      </trans-unit>
@ -1981,22 +1970,18 @@ doesn't pass when either or both of the selected options are equal or above the
      <trans-unit id="s2e532e19ed477a56">
        <source>Path</source>
      </trans-unit>
-      <trans-unit id="s67560d7e37d984c3">
-        <source>Policy / User / Group</source>
-        <target>Política/Usuario/Grupo</target>
-      </trans-unit>
      <trans-unit id="s030ac0829bb50a49">
-        <source>Policy <x id="0" equiv-text="${item.policyObj?.name}"/></source>
+        <source>Policy <x id="0" equiv-text="${v.policyObj?.name}"/></source>
        <target>Política
        <x id="0" equiv-text="${item.policyObj?.name}"/></target>
      </trans-unit>
      <trans-unit id="s2a64d2dca3da9b0e">
-        <source>Group <x id="0" equiv-text="${item.groupObj?.name}"/></source>
+        <source>Group <x id="0" equiv-text="${v.groupObj?.name}"/></source>
        <target>Grupo
        <x id="0" equiv-text="${item.groupObj?.name}"/></target>
      </trans-unit>
      <trans-unit id="se5dc026819a32ff8">
-        <source>User <x id="0" equiv-text="${item.userObj?.name}"/></source>
+        <source>User <x id="0" equiv-text="${v.userObj?.name}"/></source>
        <target>Usuario
        <x id="0" equiv-text="${item.userObj?.name}"/></target>
      </trans-unit>
@ -5490,36 +5475,12 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="se2b29e6cfe59414c">
  <source>UI Settings</source>
 </trans-unit>
-<trans-unit id="s836148f721d8913b">
-  <source>Transparent Reverse Proxy</source>
-</trans-unit>
-<trans-unit id="s945a6b94361ee45b">
-  <source>For transparent reverse proxies with required authentication</source>
-</trans-unit>
-<trans-unit id="s40830ec037f34626">
-  <source>Configure SAML provider manually</source>
-</trans-unit>
-<trans-unit id="sea9fc40dfd1d18b1">
-  <source>Configure RADIUS provider manually</source>
-</trans-unit>
-<trans-unit id="sa1b0052ae095b9b3">
-  <source>Configure SCIM provider manually</source>
-</trans-unit>
-<trans-unit id="s15831fa50a116545">
-  <source>Saving Application...</source>
-</trans-unit>
 <trans-unit id="s848288f8c2265aad">
  <source>Your application has been saved</source>
 </trans-unit>
 <trans-unit id="s67d858051b34c38b">
  <source>Method's display Name.</source>
 </trans-unit>
-<trans-unit id="h10ef80d434185070">
-  <source>Use this provider with nginx's <x id="0" equiv-text="&lt;code&gt;"/>auth_request<x id="1" equiv-text="&lt;/code&gt;"/> or traefik's
-                    <x id="2" equiv-text="&lt;code&gt;"/>forwardAuth<x id="3" equiv-text="&lt;/code&gt;"/>. Each application/domain needs its own provider.
-                    Additionally, on each domain, <x id="4" equiv-text="&lt;code&gt;"/>/outpost.goauthentik.io<x id="5" equiv-text="&lt;/code&gt;"/> must be
-                    routed to the outpost (when using a managed outpost, this is done for you).</source>
-</trans-unit>
 <trans-unit id="sd18b18f91b804c3f">
  <source>Custom attributes</source>
 </trans-unit>
@ -5628,9 +5589,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s2da4aa7a9abeb653">
  <source>Pseudolocale (for testing)</source>
 </trans-unit>
-<trans-unit id="s4bd386db7302bb22">
-  <source>Create With Wizard</source>
-</trans-unit>
 <trans-unit id="s070fdfb03034ca9b">
  <source>One hint, 'New Application Wizard', is currently hidden</source>
 </trans-unit>
@ -5640,36 +5598,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s6985c401e1100122">
  <source>Message shown when this stage is run.</source>
 </trans-unit>
-<trans-unit id="s09f0c100d0ad2fec">
-  <source>Open Wizard</source>
-</trans-unit>
-<trans-unit id="sf2ef885f7d0a101d">
-  <source>Demo Wizard</source>
-</trans-unit>
-<trans-unit id="s77505ee5d2e45e53">
-  <source>Run the demo wizard</source>
-</trans-unit>
-<trans-unit id="s4498e890d47a8066">
-  <source>OAuth2/OIDC (Open Authorization/OpenID Connect)</source>
-</trans-unit>
-<trans-unit id="s4f2e195d09e2868c">
-  <source>LDAP (Lightweight Directory Access Protocol)</source>
-</trans-unit>
-<trans-unit id="s7f5bb0c9923315ed">
-  <source>Forward Auth (Single Application)</source>
-</trans-unit>
-<trans-unit id="sf8008d2d6b064b95">
-  <source>Forward Auth (Domain Level)</source>
-</trans-unit>
-<trans-unit id="sfa8a1ffa9fee07d3">
-  <source>SAML (Security Assertion Markup Language)</source>
-</trans-unit>
-<trans-unit id="s848a23972e388662">
-  <source>RADIUS (Remote Authentication Dial-In User Service)</source>
-</trans-unit>
-<trans-unit id="s3e902999ddf7b50e">
-  <source>SCIM (System for Cross-domain Identity Management)</source>
-</trans-unit>
 <trans-unit id="sdc5690be4a342985">
  <source>The token has been copied to your clipboard</source>
 </trans-unit>
@ -5703,12 +5631,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s0924f51b028233a3">
  <source>&lt;No name set&gt;</source>
 </trans-unit>
-<trans-unit id="sdc9a6ad1af30572c">
-  <source>For nginx's auth_request or traefik's forwardAuth</source>
-</trans-unit>
-<trans-unit id="sfc31264ef7ff86ef">
-  <source>For nginx's auth_request or traefik's forwardAuth per root domain</source>
-</trans-unit>
 <trans-unit id="s32babfed740fd3c1">
  <source>User type used for newly created users.</source>
 </trans-unit>
@ -5778,18 +5700,12 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s21f95eaf151d4ce3">
  <source>Review the provider.</source>
 </trans-unit>
-<trans-unit id="s9fd39a5cb20b4e61">
-  <source>There was an error</source>
-</trans-unit>
 <trans-unit id="s7a6b3453209e1066">
  <source>There was an error creating the application, but no error message was sent. Please review the server logs.</source>
 </trans-unit>
 <trans-unit id="s1a711c19cda48375">
  <source>Configure LDAP Provider</source>
 </trans-unit>
-<trans-unit id="s9368e965b5c292ab">
-  <source>Configure OAuth2/OpenId Provider</source>
-</trans-unit>
 <trans-unit id="sf5cbccdc6254c8dc">
  <source>Configure Proxy Provider</source>
 </trans-unit>
@ -5799,15 +5715,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="sfe906cde5dddc041">
  <source>Configure SAML Provider</source>
 </trans-unit>
-<trans-unit id="sb3defbacd01ad972">
-  <source>Property mappings used for user mapping.</source>
-</trans-unit>
 <trans-unit id="s7ccce0ec8d228db6">
  <source>Configure SCIM Provider</source>
 </trans-unit>
-<trans-unit id="sd7728d2b6e1d25e9">
-  <source>Property mappings used for group creation.</source>
-</trans-unit>
 <trans-unit id="s7513372fe60f6387">
  <source>Event volume</source>
 </trans-unit>
@ -6137,15 +6047,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="se16b4d412ad1aba9">
  <source>Brand name</source>
 </trans-unit>
-<trans-unit id="sb7e68dcad68a638c">
-  <source>Remote Access Provider</source>
-</trans-unit>
-<trans-unit id="sfb1980a471b7dfb6">
-  <source>Remotely access computers/servers via RDP/SSH/VNC</source>
-</trans-unit>
-<trans-unit id="s9ffdea131dddb3c5">
-  <source>Configure Remote Access Provider Provider</source>
-</trans-unit>
 <trans-unit id="s56bc67239b9255a2">
  <source>Delete authorization on disconnect</source>
 </trans-unit>
@ -6515,15 +6416,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s3dc14a4b8129f989">
  <source>Pagination</source>
 </trans-unit>
-<trans-unit id="s6d46b842e227be57">
-  <source>Application Details</source>
-</trans-unit>
-<trans-unit id="s76415a60e548cafe">
-  <source>Provider Configuration</source>
-</trans-unit>
-<trans-unit id="sde59c64619570b57">
-  <source>Submit Application</source>
-</trans-unit>
 <trans-unit id="sf2da0e95c78f2cb7">
  <source>Restore Application Wizard Hint</source>
 </trans-unit>
@ -6767,9 +6659,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s2d5f69929bb7221d">
  <source><x id="0" equiv-text="${p.name}"/> ("<x id="1" equiv-text="${p.fieldKey}"/>", of type <x id="2" equiv-text="${p.type}"/>)</source>
 </trans-unit>
-<trans-unit id="sa38c5a2731be3a46">
-  <source>authentik was unable to save this application:</source>
-</trans-unit>
 <trans-unit id="s25bacc19d98b444e">
  <source>Parent Group</source>
 </trans-unit>
@ -6956,9 +6845,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s4c49d27de60a532b">
  <source>To allow any redirect URI, set the mode to Regex and the value to ".*". Be aware of the possible security implications this can have.</source>
 </trans-unit>
-<trans-unit id="s43f899a86c6a3484">
-  <source>Redirect URIs/Origins</source>
-</trans-unit>
 <trans-unit id="sa52bf79fe1ccb13e">
  <source>Federated OIDC Sources</source>
 </trans-unit>
@ -7036,6 +6922,135 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sbfaee8cfbf4e44e8">
  <source>Require Outpost (flow can only be executed from an outpost)</source>
+</trans-unit>
+<trans-unit id="sb80507bed88545a6">
+  <source>An application name is required</source>
+</trans-unit>
+<trans-unit id="s39c052006b2b141a">
+  <source>Not a valid URL</source>
+</trans-unit>
+<trans-unit id="s317f3ab0da3d068a">
+  <source>Not a valid slug</source>
+</trans-unit>
+<trans-unit id="s177577c23ed3ca7e">
+  <source>Configure The Application</source>
+</trans-unit>
+<trans-unit id="s030ed8a3f12c23ff">
+  <source>Configure Bindings</source>
+</trans-unit>
+<trans-unit id="sc387b20e6d629087">
+  <source>Configure Policy/User/Group Bindings</source>
+</trans-unit>
+<trans-unit id="s71c3ec95efe723ca">
+  <source>No bound policies.</source>
+</trans-unit>
+<trans-unit id="sab1786ef3c0383ba">
+  <source>Bind policy/group/user</source>
+</trans-unit>
+<trans-unit id="s082ea0f3c0a854ff">
+  <source>Configure Policy Bindings</source>
+</trans-unit>
+<trans-unit id="sac315d5bd28d4efa">
+  <source>Don't Pass</source>
+</trans-unit>
+<trans-unit id="s54a37223ce938349">
+  <source>Save Binding</source>
+</trans-unit>
+<trans-unit id="s931754aabd4a6a47">
+  <source>Create a Policy/User/Group Binding</source>
+</trans-unit>
+<trans-unit id="s10ba15343fe64890">
+  <source>Choose A Provider</source>
+</trans-unit>
+<trans-unit id="sb7be945aa799b8d7">
+  <source>Please choose a provider type before proceeding.</source>
+</trans-unit>
+<trans-unit id="s2289ff3b411251d8">
+  <source>Choose a Provider Type</source>
+</trans-unit>
+<trans-unit id="sde0ad51b14f77cf6">
+  <source>Redirect URIs/Origins (RegEx)</source>
+</trans-unit>
+<trans-unit id="s89ae85c3a9df8a6f">
+  <source>Configure OAuth2 Provider</source>
+</trans-unit>
+<trans-unit id="s881271a499c9db98">
+  <source>Configure Remote Access Provider</source>
+</trans-unit>
+<trans-unit id="s9b6bf63fddc7362f">
+  <source>List of CIDRs (comma-seperated) that clients can connect from. A more specific CIDR will match before a looser one. Clients connecting from a non-specified CIDR will be dropped.</source>
+</trans-unit>
+<trans-unit id="s19907c16eb319618">
+  <source>Configure Provider</source>
+</trans-unit>
+<trans-unit id="s7055edd8fab866f4">
+  <source>strict</source>
+</trans-unit>
+<trans-unit id="s5e57ca23b946c1b8">
+  <source>regexp</source>
+</trans-unit>
+<trans-unit id="sd226dc54c414585a">
+  <source>Review and Submit Application</source>
+</trans-unit>
+<trans-unit id="s828ded9ade500ffc">
+  <source>There was an error. Please go back and review the application.</source>
+</trans-unit>
+<trans-unit id="s9fdda682893624a1">
+  <source>There was an error:</source>
+</trans-unit>
+<trans-unit id="s201ee6bc6d9f97da">
+  <source>Please go back and review the application.</source>
+</trans-unit>
+<trans-unit id="s9c09ef16900241fa">
+  <source>Review the Application and Provider</source>
+</trans-unit>
+<trans-unit id="s0a0a21f7bcf9d865">
+  <source>Saving application...</source>
+</trans-unit>
+<trans-unit id="se669a4b939be0891">
+  <source>authentik was unable to complete this process.</source>
+</trans-unit>
+<trans-unit id="s8aac845c63f45ca2">
+  <source>Create with wizard</source>
+</trans-unit>
+<trans-unit id="s080af72866b69b3d">
+  <source>Bind existing <x id="0" equiv-text="${this.allowedTypesLabel}"/></source>
+</trans-unit>
+<trans-unit id="sa36117e97f49c86e">
+  <source>Successfully updated entitlement.</source>
+</trans-unit>
+<trans-unit id="s86bee999b735111f">
+  <source>Successfully created entitlement.</source>
+</trans-unit>
+<trans-unit id="s8a48455905fc14e6">
+  <source>Application entitlement(s)</source>
+</trans-unit>
+<trans-unit id="sae971cbff672090b">
+  <source>Update Entitlement</source>
+</trans-unit>
+<trans-unit id="s537a58ae0ff50f1c">
+  <source>These bindings control which users have access to this entitlement.</source>
+</trans-unit>
+<trans-unit id="s05849efeac672dc7">
+  <source>No app entitlements created.</source>
+</trans-unit>
+<trans-unit id="sdc8a8f29af6aa411">
+  <source>This application does currently not have any application entitlement defined.</source>
+</trans-unit>
+<trans-unit id="sf0bd204ce3fea1de">
+  <source>Create Entitlement</source>
+</trans-unit>
+<trans-unit id="s55d8e42d0a1c057e">
+  <source>Create entitlement</source>
+</trans-unit>
+<trans-unit id="sc6479479c936939f">
+  <source>Application entitlements</source>
+</trans-unit>
+<trans-unit id="sfafbd9bddb38d172">
+  <source>Application entitlements are in preview.</source>
+</trans-unit>
+<trans-unit id="s8e1c375a007d1839">
+  <source>These entitlements can be used to configure user access in this application.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/fr.xlf
+++ b/web/xliff/fr.xlf
@ -1,4 +1,4 @@
-<?xml version="1.0" ?><xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" version="1.2">
+<?xml version="1.0"?><xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" version="1.2">
  <file target-language="fr" source-language="en" original="lit-localize-inputs" datatype="plaintext">
    <body>
      <trans-unit id="s4caed5b7a7e5d89b">
@ -596,9 +596,9 @@
        
      </trans-unit>
      <trans-unit id="saa0e2675da69651b">
-        <source>The URL &quot;<x id="0" equiv-text="${this.url}"/>&quot; was not found.</source>
-        <target>L'URL &quot;
-        <x id="0" equiv-text="${this.url}"/>&quot; n'a pas été trouvée.</target>
+        <source>The URL "<x id="0" equiv-text="${this.url}"/>" was not found.</source>
+        <target>L'URL "
+        <x id="0" equiv-text="${this.url}"/>" n'a pas été trouvée.</target>
        
      </trans-unit>
      <trans-unit id="s58cd9c2fe836d9c6">
@ -1545,12 +1545,6 @@
        <target>Réseaux du client</target>
        
      </trans-unit>
-      <trans-unit id="s7f2dcf01f7a8c0b7">
-        <source>List of CIDRs (comma-seperated) that clients can connect from. A more specific
-                            CIDR will match before a looser one. Clients connecting from a non-specified CIDR
-                            will be dropped.</source>
-        <target>Liste des CIDRs (séparés par des virgules) à partir desquels les clients peuvent se connecter. Un CIDR plus spécifique sera pris en compte avant un CIDR plus général. Les clients se connectant à partir d'un CIDR non spécifié seront refusés.</target>
-      </trans-unit>
      <trans-unit id="s61eacb19db252f5e">
        <source>URL</source>
        <target>URL</target>
@ -1568,7 +1562,7 @@
      </trans-unit>
      <trans-unit id="s33ed903c210a6209">
        <source>Token to authenticate with. Currently only bearer authentication is supported.</source>
-        <target>Jeton d'authentification à utiliser. Actuellement, seule l'authentification &quot;bearer authentication&quot; est prise en charge.</target>
+        <target>Jeton d'authentification à utiliser. Actuellement, seule l'authentification "bearer authentication" est prise en charge.</target>
        
      </trans-unit>
      <trans-unit id="sfc8bb104e2c05af8">
@ -1736,8 +1730,8 @@
        
      </trans-unit>
      <trans-unit id="sa90b7809586c35ce">
-        <source>Either input a full URL, a relative path, or use 'fa://fa-test' to use the Font Awesome icon &quot;fa-test&quot;.</source>
-        <target>Entrez une URL complète, un chemin relatif ou utilisez 'fa://fa-test' pour utiliser l'icône Font Awesome &quot;fa-test&quot;.</target>
+        <source>Either input a full URL, a relative path, or use 'fa://fa-test' to use the Font Awesome icon "fa-test".</source>
+        <target>Entrez une URL complète, un chemin relatif ou utilisez 'fa://fa-test' pour utiliser l'icône Font Awesome "fa-test".</target>
        
      </trans-unit>
      <trans-unit id="s0410779cb47de312">
@ -2154,21 +2148,11 @@
        <source>Run sync again</source>
        <target>Relancer la synchro</target>
        
-      </trans-unit>
-      <trans-unit id="sc2cedfb22488ccb2">
-        <source>Modern applications, APIs and Single-page applications.</source>
-        <target>Applications modernes, API et applications à page unique.</target>
-        
      </trans-unit>
      <trans-unit id="sc3259eb55cf91e8c">
        <source>LDAP</source>
        <target>LDAP</target>
        
-      </trans-unit>
-      <trans-unit id="sffd5481034a1bd41">
-        <source>Provide an LDAP interface for applications and users to authenticate against.</source>
-        <target>Fournir une interface LDAP permettant aux applications et aux utilisateurs de s'authentifier.</target>
-        
      </trans-unit>
      <trans-unit id="s0c9670f429e74283">
        <source>New application</source>
@ -2634,26 +2618,21 @@ doesn't pass when either or both of the selected options are equal or above the
        <source>Path</source>
        <target>Chemin</target>
        
-      </trans-unit>
-      <trans-unit id="s67560d7e37d984c3">
-        <source>Policy / User / Group</source>
-        <target>Politique / Utilisateur / Groupe</target>
-        
      </trans-unit>
      <trans-unit id="s030ac0829bb50a49">
-        <source>Policy <x id="0" equiv-text="${item.policyObj?.name}"/></source>
+        <source>Policy <x id="0" equiv-text="${v.policyObj?.name}"/></source>
        <target>Politique
        <x id="0" equiv-text="${item.policyObj?.name}"/></target>
        
      </trans-unit>
      <trans-unit id="s2a64d2dca3da9b0e">
-        <source>Group <x id="0" equiv-text="${item.groupObj?.name}"/></source>
+        <source>Group <x id="0" equiv-text="${v.groupObj?.name}"/></source>
        <target>Groupe
        <x id="0" equiv-text="${item.groupObj?.name}"/></target>
        
      </trans-unit>
      <trans-unit id="se5dc026819a32ff8">
-        <source>User <x id="0" equiv-text="${item.userObj?.name}"/></source>
+        <source>User <x id="0" equiv-text="${v.userObj?.name}"/></source>
        <target>Utilisateur
        <x id="0" equiv-text="${item.userObj?.name}"/></target>
        
@ -2815,7 +2794,7 @@ doesn't pass when either or both of the selected options are equal or above the
      </trans-unit>
      <trans-unit id="s33683c3b1dbaf264">
        <source>To use SSL instead, use 'ldaps://' and disable this option.</source>
-        <target>Pour utiliser SSL à la base, utilisez &quot;ldaps://&quot; et désactviez cette option.</target>
+        <target>Pour utiliser SSL à la base, utilisez "ldaps://" et désactviez cette option.</target>
        
      </trans-unit>
      <trans-unit id="s2221fef80f4753a2">
@ -2899,8 +2878,8 @@ doesn't pass when either or both of the selected options are equal or above the
        
      </trans-unit>
      <trans-unit id="s76768bebabb7d543">
-        <source>Field which contains members of a group. Note that if using the &quot;memberUid&quot; field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'</source>
-        <target>Champ qui contient les membres d'un groupe. Si vous utilisez le champ &quot;memberUid&quot;, la valeur est censée contenir un nom distinctif relatif, par exemple 'memberUid=un-utilisateur' au lieu de 'memberUid=cn=un-utilisateur,ou=groups,...'</target>
+        <source>Field which contains members of a group. Note that if using the "memberUid" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'</source>
+        <target>Champ qui contient les membres d'un groupe. Si vous utilisez le champ "memberUid", la valeur est censée contenir un nom distinctif relatif, par exemple 'memberUid=un-utilisateur' au lieu de 'memberUid=cn=un-utilisateur,ou=groups,...'</target>
        
      </trans-unit>
      <trans-unit id="s026555347e589f0e">
@ -3195,7 +3174,7 @@ doesn't pass when either or both of the selected options are equal or above the
      </trans-unit>
      <trans-unit id="s3198c384c2f68b08">
        <source>Time offset when temporary users should be deleted. This only applies if your IDP uses the NameID Format 'transient', and the user doesn't log out manually.</source>
-        <target>Moment où les utilisateurs temporaires doivent être supprimés. Cela ne s'applique que si votre IDP utilise le format NameID &quot;transient&quot; et que l'utilisateur ne se déconnecte pas manuellement.</target>
+        <target>Moment où les utilisateurs temporaires doivent être supprimés. Cela ne s'applique que si votre IDP utilise le format NameID "transient" et que l'utilisateur ne se déconnecte pas manuellement.</target>
        
      </trans-unit>
      <trans-unit id="sb32e9c1faa0b8673">
@ -3337,7 +3316,7 @@ doesn't pass when either or both of the selected options are equal or above the
      </trans-unit>
      <trans-unit id="s9f8aac89fe318acc">
        <source>Optionally set the 'FriendlyName' value of the Assertion attribute.</source>
-        <target>Indiquer la valeur &quot;FriendlyName&quot; de l'attribut d'assertion (optionnel)</target>
+        <target>Indiquer la valeur "FriendlyName" de l'attribut d'assertion (optionnel)</target>
        
      </trans-unit>
      <trans-unit id="s851c108679653d2a">
@ -3646,8 +3625,8 @@ doesn't pass when either or both of the selected options are equal or above the
        
      </trans-unit>
      <trans-unit id="s7b1fba26d245cb1c">
-        <source>When using an external logging solution for archiving, this can be set to &quot;minutes=5&quot;.</source>
-        <target>En cas d'utilisation d'une solution de journalisation externe pour l'archivage, cette valeur peut être fixée à &quot;minutes=5&quot;.</target>
+        <source>When using an external logging solution for archiving, this can be set to "minutes=5".</source>
+        <target>En cas d'utilisation d'une solution de journalisation externe pour l'archivage, cette valeur peut être fixée à "minutes=5".</target>
        
      </trans-unit>
      <trans-unit id="s44536d20bb5c8257">
@ -3823,10 +3802,10 @@ doesn't pass when either or both of the selected options are equal or above the
        
      </trans-unit>
      <trans-unit id="sa95a538bfbb86111">
-        <source>Are you sure you want to update <x id="0" equiv-text="${this.objectLabel}"/> &quot;<x id="1" equiv-text="${this.obj?.name}"/>&quot;?</source>
+        <source>Are you sure you want to update <x id="0" equiv-text="${this.objectLabel}"/> "<x id="1" equiv-text="${this.obj?.name}"/>"?</source>
        <target>Êtes-vous sûr de vouloir mettre à jour
-        <x id="0" equiv-text="${this.objectLabel}"/>&quot;
-        <x id="1" equiv-text="${this.obj?.name}"/>&quot;?</target>
+        <x id="0" equiv-text="${this.objectLabel}"/>"
+        <x id="1" equiv-text="${this.obj?.name}"/>"?</target>
        
      </trans-unit>
      <trans-unit id="sc92d7cfb6ee1fec6">
@ -4902,8 +4881,8 @@ doesn't pass when either or both of the selected options are equal or above the
        
      </trans-unit>
      <trans-unit id="sdf1d8edef27236f0">
-        <source>A &quot;roaming&quot; authenticator, like a YubiKey</source>
-        <target>Un authentificateur &quot;itinérant&quot;, comme une YubiKey</target>
+        <source>A "roaming" authenticator, like a YubiKey</source>
+        <target>Un authentificateur "itinérant", comme une YubiKey</target>
        
      </trans-unit>
      <trans-unit id="sfffba7b23d8fb40c">
@ -5218,7 +5197,7 @@ doesn't pass when either or both of the selected options are equal or above the
      </trans-unit>
      <trans-unit id="s5170f9ef331949c0">
        <source>Show arbitrary input fields to the user, for example during enrollment. Data is saved in the flow context under the 'prompt_data' variable.</source>
-        <target>Afficher des champs de saisie arbitraires à l'utilisateur, par exemple pendant l'inscription. Les données sont enregistrées dans le contexte du flux sous la variable &quot;prompt_data&quot;.</target>
+        <target>Afficher des champs de saisie arbitraires à l'utilisateur, par exemple pendant l'inscription. Les données sont enregistrées dans le contexte du flux sous la variable "prompt_data".</target>
        
      </trans-unit>
      <trans-unit id="s36cb242ac90353bc">
@ -5271,8 +5250,8 @@ doesn't pass when either or both of the selected options are equal or above the
        
      </trans-unit>
      <trans-unit id="s1608b2f94fa0dbd4">
-        <source>If set to a duration above 0, the user will have the option to choose to &quot;stay signed in&quot;, which will extend their session by the time specified here.</source>
-        <target>Si défini à une durée supérieure à 0, l'utilisateur aura la possibilité de choisir de &quot;rester connecté&quot;, ce qui prolongera sa session jusqu'à la durée spécifiée ici.</target>
+        <source>If set to a duration above 0, the user will have the option to choose to "stay signed in", which will extend their session by the time specified here.</source>
+        <target>Si défini à une durée supérieure à 0, l'utilisateur aura la possibilité de choisir de "rester connecté", ce qui prolongera sa session jusqu'à la durée spécifiée ici.</target>
        
      </trans-unit>
      <trans-unit id="s542a71bb8f41e057">
@ -6030,7 +6009,7 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
      </trans-unit>
      <trans-unit id="sa7fcf026bd25f231">
        <source>Can be in the format of 'unix://' when connecting to a local docker daemon, using 'ssh://' to connect via SSH, or 'https://:2376' when connecting to a remote system.</source>
-        <target>Peut être au format &quot;unix://&quot; pour une connexion à un service docker local, &quot;ssh://&quot; pour une connexion via SSH, ou &quot;https://:2376&quot; pour une connexion à un système distant.</target>
+        <target>Peut être au format "unix://" pour une connexion à un service docker local, "ssh://" pour une connexion via SSH, ou "https://:2376" pour une connexion à un système distant.</target>
        
      </trans-unit>
      <trans-unit id="saf1d289e3137c2ea">
@ -7282,7 +7261,7 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
 </trans-unit>
 <trans-unit id="sff0ac1ace2d90709">
  <source>Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /outpost.goauthentik.io must be routed to the outpost (when using a managed outpost, this is done for you).</source>
-  <target>Utilisez ce fournisseur avec l'option &quot;auth_request&quot; de Nginx ou &quot;forwardAuth&quot; de Traefik. Chaque application/domaine a besoin de son propre fournisseur. De plus, sur chaque domaine, &quot;/outpost.goauthentik.io&quot; doit être routé vers le poste avancé (lorsque vous utilisez un poste avancé géré, cela est fait pour vous).</target>
+  <target>Utilisez ce fournisseur avec l'option "auth_request" de Nginx ou "forwardAuth" de Traefik. Chaque application/domaine a besoin de son propre fournisseur. De plus, sur chaque domaine, "/outpost.goauthentik.io" doit être routé vers le poste avancé (lorsque vous utilisez un poste avancé géré, cela est fait pour vous).</target>
 </trans-unit>
 <trans-unit id="scb58b8a60cad8762">
  <source>Default relay state</source>
@ -7313,30 +7292,6 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
  <source>UI Settings</source>
  <target>Paramètres d'UI</target>
 </trans-unit>
-<trans-unit id="s836148f721d8913b">
-  <source>Transparent Reverse Proxy</source>
-  <target>Reverse Proxy Transparent</target>
-</trans-unit>
-<trans-unit id="s945a6b94361ee45b">
-  <source>For transparent reverse proxies with required authentication</source>
-  <target>Pour les reverses proxy transparents avec authentification requise</target>
-</trans-unit>
-<trans-unit id="s40830ec037f34626">
-  <source>Configure SAML provider manually</source>
-  <target>Configurer le fournisseur SAML manuellement</target>
-</trans-unit>
-<trans-unit id="sea9fc40dfd1d18b1">
-  <source>Configure RADIUS provider manually</source>
-  <target>Configurer le fournisseur RADIUS manuellement</target>
-</trans-unit>
-<trans-unit id="sa1b0052ae095b9b3">
-  <source>Configure SCIM provider manually</source>
-  <target>Configurer le fournisseur SCIM manuellement</target>
-</trans-unit>
-<trans-unit id="s15831fa50a116545">
-  <source>Saving Application...</source>
-  <target>Enregistrement de l'application...</target>
-</trans-unit>
 <trans-unit id="s848288f8c2265aad">
  <source>Your application has been saved</source>
  <target>L'application a été sauvegardée</target>
@ -7345,16 +7300,6 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
  <source>Method's display Name.</source>
  <target>Nom d'affichage de la méthode.</target>
 </trans-unit>
-<trans-unit id="h10ef80d434185070">
-  <source>Use this provider with nginx's <x id="0" equiv-text="&lt;code&gt;"/>auth_request<x id="1" equiv-text="&lt;/code&gt;"/> or traefik's
-                    <x id="2" equiv-text="&lt;code&gt;"/>forwardAuth<x id="3" equiv-text="&lt;/code&gt;"/>. Each application/domain needs its own provider.
-                    Additionally, on each domain, <x id="4" equiv-text="&lt;code&gt;"/>/outpost.goauthentik.io<x id="5" equiv-text="&lt;/code&gt;"/> must be
-                    routed to the outpost (when using a managed outpost, this is done for you).</source>
-  <target>Utiliser ce fournisseur avec nginx <x id="0" equiv-text="&lt;code&gt;"/>auth_request<x id="1" equiv-text="&lt;/code&gt;"/> ou traefik
-                    <x id="2" equiv-text="&lt;code&gt;"/>forwardAuth<x id="3" equiv-text="&lt;/code&gt;"/>. Chaque application/domaine a besoin de son fournisseur.
-                    De plus, sur chaque domaine, <x id="4" equiv-text="&lt;code&gt;"/>/outpost.goauthentik.io<x id="5" equiv-text="&lt;/code&gt;"/> doit être
-                    routé vers l'avant-post (lors de l'utilisation d'un avant-poste managé, cela est fait automatiquement).</target>
-</trans-unit>
 <trans-unit id="sd18b18f91b804c3f">
  <source>Custom attributes</source>
  <target>Attributs personnalisés</target>
@ -7499,10 +7444,6 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
  <source>Pseudolocale (for testing)</source>
  <target>Pseudolocale (pour tests)</target>
 </trans-unit>
-<trans-unit id="s4bd386db7302bb22">
-  <source>Create With Wizard</source>
-  <target>Créer avec l'assistant</target>
-</trans-unit>
 <trans-unit id="s070fdfb03034ca9b">
  <source>One hint, 'New Application Wizard', is currently hidden</source>
  <target>Un indice, l'assistant nouvelle application est actuellement caché</target>
@ -7515,46 +7456,6 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
  <source>Message shown when this stage is run.</source>
  <target>Message affiché lorsque cette étape est exécutée.</target>
 </trans-unit>
-<trans-unit id="s09f0c100d0ad2fec">
-  <source>Open Wizard</source>
-  <target>Lancer l'assistant</target>
-</trans-unit>
-<trans-unit id="sf2ef885f7d0a101d">
-  <source>Demo Wizard</source>
-  <target>Assistant de démo</target>
-</trans-unit>
-<trans-unit id="s77505ee5d2e45e53">
-  <source>Run the demo wizard</source>
-  <target>Lancer l'assistant de démo</target>
-</trans-unit>
-<trans-unit id="s4498e890d47a8066">
-  <source>OAuth2/OIDC (Open Authorization/OpenID Connect)</source>
-  <target>OAuth2/OIDC (Open Authorization/OpenID Connect)</target>
-</trans-unit>
-<trans-unit id="s4f2e195d09e2868c">
-  <source>LDAP (Lightweight Directory Access Protocol)</source>
-  <target>LDAP (Lightweight Directory Access Protocol)</target>
-</trans-unit>
-<trans-unit id="s7f5bb0c9923315ed">
-  <source>Forward Auth (Single Application)</source>
-  <target>Transférer l'authentification (application unique)</target>
-</trans-unit>
-<trans-unit id="sf8008d2d6b064b95">
-  <source>Forward Auth (Domain Level)</source>
-  <target>Transférer l'authentification (niveau domaine)</target>
-</trans-unit>
-<trans-unit id="sfa8a1ffa9fee07d3">
-  <source>SAML (Security Assertion Markup Language)</source>
-  <target>SAML (Security Assertion Markup Language)</target>
-</trans-unit>
-<trans-unit id="s848a23972e388662">
-  <source>RADIUS (Remote Authentication Dial-In User Service)</source>
-  <target>RADIUS (Remote Authentication Dial-In User Service)</target>
-</trans-unit>
-<trans-unit id="s3e902999ddf7b50e">
-  <source>SCIM (System for Cross-domain Identity Management)</source>
-  <target>SCIM (System for Cross-domain Identity Management)</target>
-</trans-unit>
 <trans-unit id="sdc5690be4a342985">
  <source>The token has been copied to your clipboard</source>
  <target>Le jeton a été copié dans le presse-paper</target>
@ -7599,14 +7500,6 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
  <source>&lt;No name set&gt;</source>
  <target>&lt;No name set&gt;</target>
 </trans-unit>
-<trans-unit id="sdc9a6ad1af30572c">
-  <source>For nginx's auth_request or traefik's forwardAuth</source>
-  <target>Pour nginx auth_request ou traefik forwardAuth</target>
-</trans-unit>
-<trans-unit id="sfc31264ef7ff86ef">
-  <source>For nginx's auth_request or traefik's forwardAuth per root domain</source>
-  <target>Pour nginx auth_request ou traefik forwardAuth par domaine racine</target>
-</trans-unit>
 <trans-unit id="s32babfed740fd3c1">
  <source>User type used for newly created users.</source>
  <target>Type d'utilisateur pour les utilisateurs nouvellement créés.</target>
@ -7672,7 +7565,7 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
  <target>Utilisateur créé et ajouté au groupe <x id="0" equiv-text="${this.group.name}"/> avec succès</target>
 </trans-unit>
 <trans-unit id="s824e0943a7104668">
-  <source>This user will be added to the group &quot;<x id="0" equiv-text="${this.targetGroup.name}"/>&quot;.</source>
+  <source>This user will be added to the group "<x id="0" equiv-text="${this.targetGroup.name}"/>".</source>
  <target>Cet utilisateur sera ajouté au groupe &amp;quot;<x id="0" equiv-text="${this.targetGroup.name}"/>&amp;quot;.</target>
 </trans-unit>
 <trans-unit id="s62e7f6ed7d9cb3ca">
@ -7699,10 +7592,6 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
  <source>Review the provider.</source>
  <target>Passer en revue le fournisseur.</target>
 </trans-unit>
-<trans-unit id="s9fd39a5cb20b4e61">
-  <source>There was an error</source>
-  <target>Il y a eu une erreur</target>
-</trans-unit>
 <trans-unit id="s7a6b3453209e1066">
  <source>There was an error creating the application, but no error message was sent. Please review the server logs.</source>
  <target>Il y a eu une erreur lors de la création de l'application, mais aucun message d'erreur n'a été envoyé. Veuillez consulter les logs du serveur.</target>
@ -7711,10 +7600,6 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
  <source>Configure LDAP Provider</source>
  <target>Configurer le fournisseur LDAP</target>
 </trans-unit>
-<trans-unit id="s9368e965b5c292ab">
-  <source>Configure OAuth2/OpenId Provider</source>
-  <target>Configurer le fournisseur OAuth2/OpenID</target>
-</trans-unit>
 <trans-unit id="sf5cbccdc6254c8dc">
  <source>Configure Proxy Provider</source>
  <target>Configurer le fournisseur Proxy</target>
@ -7727,18 +7612,10 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
  <source>Configure SAML Provider</source>
  <target>Configurer le fournisseur SAML</target>
 </trans-unit>
-<trans-unit id="sb3defbacd01ad972">
-  <source>Property mappings used for user mapping.</source>
-  <target>Mappages de propriété utilisés pour la correspondance des utilisateurs.</target>
-</trans-unit>
 <trans-unit id="s7ccce0ec8d228db6">
  <source>Configure SCIM Provider</source>
  <target>Configurer le fournisseur SCIM</target>
 </trans-unit>
-<trans-unit id="sd7728d2b6e1d25e9">
-  <source>Property mappings used for group creation.</source>
-  <target>Mappages de propriétés utilisés lors de la création des groupe</target>
-</trans-unit>
 <trans-unit id="s7513372fe60f6387">
  <source>Event volume</source>
  <target>Volume d'événements</target>
@ -8181,18 +8058,6 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
  <source>Brand name</source>
  <target>Nom de la marque</target>
 </trans-unit>
-<trans-unit id="sb7e68dcad68a638c">
-  <source>Remote Access Provider</source>
-  <target>Fournisseur d'accès distant</target>
-</trans-unit>
-<trans-unit id="sfb1980a471b7dfb6">
-  <source>Remotely access computers/servers via RDP/SSH/VNC</source>
-  <target>Accéder à des ordinateurs/serveurs via RDP/SSH/VNC</target>
-</trans-unit>
-<trans-unit id="s9ffdea131dddb3c5">
-  <source>Configure Remote Access Provider Provider</source>
-  <target>Configurer le fournisseur d'accès distant</target>
-</trans-unit>
 <trans-unit id="s56bc67239b9255a2">
  <source>Delete authorization on disconnect</source>
  <target>Supprimer l’autorisation à la déconnexion</target>
@ -8685,18 +8550,6 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
  <source>Pagination</source>
  <target>Pagination</target>
 </trans-unit>
-<trans-unit id="s6d46b842e227be57">
-  <source>Application Details</source>
-  <target>Détails de l'application</target>
-</trans-unit>
-<trans-unit id="s76415a60e548cafe">
-  <source>Provider Configuration</source>
-  <target>Configuration du fournisseur</target>
-</trans-unit>
-<trans-unit id="sde59c64619570b57">
-  <source>Submit Application</source>
-  <target>Soumettre l'application</target>
-</trans-unit>
 <trans-unit id="sf2da0e95c78f2cb7">
  <source>Restore Application Wizard Hint</source>
  <target>Restaurer l'indice de l'assistant de création d'application</target>
@ -9018,13 +8871,9 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
  <target>Synchroniser le groupe</target>
 </trans-unit>
 <trans-unit id="s2d5f69929bb7221d">
-  <source><x id="0" equiv-text="${p.name}"/> (&quot;<x id="1" equiv-text="${p.fieldKey}"/>&quot;, of type <x id="2" equiv-text="${p.type}"/>)</source>
+  <source><x id="0" equiv-text="${p.name}"/> ("<x id="1" equiv-text="${p.fieldKey}"/>", of type <x id="2" equiv-text="${p.type}"/>)</source>
  <target><x id="0" equiv-text="${p.name}"/> (&amp;quot;<x id="1" equiv-text="${p.fieldKey}"/>&amp;quot;, de type <x id="2" equiv-text="${p.type}"/>)</target>
 </trans-unit>
-<trans-unit id="sa38c5a2731be3a46">
-  <source>authentik was unable to save this application:</source>
-  <target>authentik n'a pas pu sauvegarder cette application :</target>
-</trans-unit>
 <trans-unit id="s25bacc19d98b444e">
  <source>Parent Group</source>
  <target>Groupe parent</target>
@ -9270,12 +9119,8 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
  <target>URLs de redirection autorisées après un flux d'autorisation réussi. Indiquez également toute origine ici pour les flux implicites.</target>
 </trans-unit>
 <trans-unit id="s4c49d27de60a532b">
-  <source>To allow any redirect URI, set the mode to Regex and the value to &quot;.*&quot;. Be aware of the possible security implications this can have.</source>
-  <target>Pour permettre n'importe quelle URI de redirection, définissez cette valeur sur &quot;.*&quot;. Soyez conscient des possibles implications de sécurité que cela peut avoir.</target>
-</trans-unit>
-<trans-unit id="s43f899a86c6a3484">
-  <source>Redirect URIs/Origins</source>
-  <target>URLs de redirection/Origines</target>
+  <source>To allow any redirect URI, set the mode to Regex and the value to ".*". Be aware of the possible security implications this can have.</source>
+  <target>Pour permettre n'importe quelle URI de redirection, définissez cette valeur sur ".*". Soyez conscient des possibles implications de sécurité que cela peut avoir.</target>
 </trans-unit>
 <trans-unit id="sa52bf79fe1ccb13e">
  <source>Federated OIDC Sources</source>
@ -9380,7 +9225,136 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
 <trans-unit id="sbfaee8cfbf4e44e8">
  <source>Require Outpost (flow can only be executed from an outpost)</source>
  <target>Forcer l'utilisation d'un avant-poste (le flux ne pourrait être exécuter que depuis un avant-poste)</target>
+</trans-unit>
+<trans-unit id="sb80507bed88545a6">
+  <source>An application name is required</source>
+</trans-unit>
+<trans-unit id="s39c052006b2b141a">
+  <source>Not a valid URL</source>
+</trans-unit>
+<trans-unit id="s317f3ab0da3d068a">
+  <source>Not a valid slug</source>
+</trans-unit>
+<trans-unit id="s177577c23ed3ca7e">
+  <source>Configure The Application</source>
+</trans-unit>
+<trans-unit id="s030ed8a3f12c23ff">
+  <source>Configure Bindings</source>
+</trans-unit>
+<trans-unit id="sc387b20e6d629087">
+  <source>Configure Policy/User/Group Bindings</source>
+</trans-unit>
+<trans-unit id="s71c3ec95efe723ca">
+  <source>No bound policies.</source>
+</trans-unit>
+<trans-unit id="sab1786ef3c0383ba">
+  <source>Bind policy/group/user</source>
+</trans-unit>
+<trans-unit id="s082ea0f3c0a854ff">
+  <source>Configure Policy Bindings</source>
+</trans-unit>
+<trans-unit id="sac315d5bd28d4efa">
+  <source>Don't Pass</source>
+</trans-unit>
+<trans-unit id="s54a37223ce938349">
+  <source>Save Binding</source>
+</trans-unit>
+<trans-unit id="s931754aabd4a6a47">
+  <source>Create a Policy/User/Group Binding</source>
+</trans-unit>
+<trans-unit id="s10ba15343fe64890">
+  <source>Choose A Provider</source>
+</trans-unit>
+<trans-unit id="sb7be945aa799b8d7">
+  <source>Please choose a provider type before proceeding.</source>
+</trans-unit>
+<trans-unit id="s2289ff3b411251d8">
+  <source>Choose a Provider Type</source>
+</trans-unit>
+<trans-unit id="sde0ad51b14f77cf6">
+  <source>Redirect URIs/Origins (RegEx)</source>
+</trans-unit>
+<trans-unit id="s89ae85c3a9df8a6f">
+  <source>Configure OAuth2 Provider</source>
+</trans-unit>
+<trans-unit id="s881271a499c9db98">
+  <source>Configure Remote Access Provider</source>
+</trans-unit>
+<trans-unit id="s9b6bf63fddc7362f">
+  <source>List of CIDRs (comma-seperated) that clients can connect from. A more specific CIDR will match before a looser one. Clients connecting from a non-specified CIDR will be dropped.</source>
+</trans-unit>
+<trans-unit id="s19907c16eb319618">
+  <source>Configure Provider</source>
+</trans-unit>
+<trans-unit id="s7055edd8fab866f4">
+  <source>strict</source>
+</trans-unit>
+<trans-unit id="s5e57ca23b946c1b8">
+  <source>regexp</source>
+</trans-unit>
+<trans-unit id="sd226dc54c414585a">
+  <source>Review and Submit Application</source>
+</trans-unit>
+<trans-unit id="s828ded9ade500ffc">
+  <source>There was an error. Please go back and review the application.</source>
+</trans-unit>
+<trans-unit id="s9fdda682893624a1">
+  <source>There was an error:</source>
+</trans-unit>
+<trans-unit id="s201ee6bc6d9f97da">
+  <source>Please go back and review the application.</source>
+</trans-unit>
+<trans-unit id="s9c09ef16900241fa">
+  <source>Review the Application and Provider</source>
+</trans-unit>
+<trans-unit id="s0a0a21f7bcf9d865">
+  <source>Saving application...</source>
+</trans-unit>
+<trans-unit id="se669a4b939be0891">
+  <source>authentik was unable to complete this process.</source>
+</trans-unit>
+<trans-unit id="s8aac845c63f45ca2">
+  <source>Create with wizard</source>
+</trans-unit>
+<trans-unit id="s080af72866b69b3d">
+  <source>Bind existing <x id="0" equiv-text="${this.allowedTypesLabel}"/></source>
+</trans-unit>
+<trans-unit id="sa36117e97f49c86e">
+  <source>Successfully updated entitlement.</source>
+</trans-unit>
+<trans-unit id="s86bee999b735111f">
+  <source>Successfully created entitlement.</source>
+</trans-unit>
+<trans-unit id="s8a48455905fc14e6">
+  <source>Application entitlement(s)</source>
+</trans-unit>
+<trans-unit id="sae971cbff672090b">
+  <source>Update Entitlement</source>
+</trans-unit>
+<trans-unit id="s537a58ae0ff50f1c">
+  <source>These bindings control which users have access to this entitlement.</source>
+</trans-unit>
+<trans-unit id="s05849efeac672dc7">
+  <source>No app entitlements created.</source>
+</trans-unit>
+<trans-unit id="sdc8a8f29af6aa411">
+  <source>This application does currently not have any application entitlement defined.</source>
+</trans-unit>
+<trans-unit id="sf0bd204ce3fea1de">
+  <source>Create Entitlement</source>
+</trans-unit>
+<trans-unit id="s55d8e42d0a1c057e">
+  <source>Create entitlement</source>
+</trans-unit>
+<trans-unit id="sc6479479c936939f">
+  <source>Application entitlements</source>
+</trans-unit>
+<trans-unit id="sfafbd9bddb38d172">
+  <source>Application entitlements are in preview.</source>
+</trans-unit>
+<trans-unit id="s8e1c375a007d1839">
+  <source>These entitlements can be used to configure user access in this application.</source>
 </trans-unit>
    </body>
  </file>
-</xliff>
+</xliff>
--- a/web/xliff/it.xlf
+++ b/web/xliff/it.xlf
@ -1544,14 +1544,6 @@
        <source>Client Networks</source>
        <target>Client Networks</target>

-      </trans-unit>
-      <trans-unit id="s7f2dcf01f7a8c0b7">
-        <source>List of CIDRs (comma-seperated) that clients can connect from. A more specific
-                            CIDR will match before a looser one. Clients connecting from a non-specified CIDR
-                            will be dropped.</source>
-        <target>Elenco di CIDR (separati da virgola) da cui i client possono connettersi.
-Un CIDR più specifico avrà la precedenza su uno meno restrittivo.
-I client che tentano di connettersi da un CIDR non specificato saranno rifiutati.</target>
      </trans-unit>
      <trans-unit id="s61eacb19db252f5e">
        <source>URL</source>
@ -2156,21 +2148,11 @@ I client che tentano di connettersi da un CIDR non specificato saranno rifiutati
        <source>Run sync again</source>
        <target>Esegui di nuovo la sincronizzazione</target>

-      </trans-unit>
-      <trans-unit id="sc2cedfb22488ccb2">
-        <source>Modern applications, APIs and Single-page applications.</source>
-        <target>Applicazioni moderne, API e applicazioni a pagina singola.</target>
-
      </trans-unit>
      <trans-unit id="sc3259eb55cf91e8c">
        <source>LDAP</source>
        <target>LDAP</target>

-      </trans-unit>
-      <trans-unit id="sffd5481034a1bd41">
-        <source>Provide an LDAP interface for applications and users to authenticate against.</source>
-        <target>Fornire un'interfaccia LDAP per l'autenticazione di applicazioni e utenti.</target>
-
      </trans-unit>
      <trans-unit id="s0c9670f429e74283">
        <source>New application</source>
@ -2637,26 +2619,21 @@ doesn't pass when either or both of the selected options are equal or above the
        <source>Path</source>
        <target>Percorso</target>

-      </trans-unit>
-      <trans-unit id="s67560d7e37d984c3">
-        <source>Policy / User / Group</source>
-        <target>Criterio / Utente / Gruppo</target>
-
      </trans-unit>
      <trans-unit id="s030ac0829bb50a49">
-        <source>Policy <x id="0" equiv-text="${item.policyObj?.name}"/></source>
+        <source>Policy <x id="0" equiv-text="${v.policyObj?.name}"/></source>
        <target>Criterio
        <x id="0" equiv-text="${item.policyObj?.name}"/></target>

      </trans-unit>
      <trans-unit id="s2a64d2dca3da9b0e">
-        <source>Group <x id="0" equiv-text="${item.groupObj?.name}"/></source>
+        <source>Group <x id="0" equiv-text="${v.groupObj?.name}"/></source>
        <target>Gruppo
        <x id="0" equiv-text="${item.groupObj?.name}"/></target>

      </trans-unit>
      <trans-unit id="se5dc026819a32ff8">
-        <source>User <x id="0" equiv-text="${item.userObj?.name}"/></source>
+        <source>User <x id="0" equiv-text="${v.userObj?.name}"/></source>
        <target>Utente
        <x id="0" equiv-text="${item.userObj?.name}"/></target>

@ -7278,30 +7255,6 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>UI Settings</source>
  <target>Impostazioni dell'Interfaccia Utente</target>
 </trans-unit>
-<trans-unit id="s836148f721d8913b">
-  <source>Transparent Reverse Proxy</source>
-  <target>Transparent Reverse Proxy</target>
-</trans-unit>
-<trans-unit id="s945a6b94361ee45b">
-  <source>For transparent reverse proxies with required authentication</source>
-  <target>Per i proxy inversi trasparenti con l'autenticazione richiesta</target>
-</trans-unit>
-<trans-unit id="s40830ec037f34626">
-  <source>Configure SAML provider manually</source>
-  <target>Configura manualmente il provider SAML</target>
-</trans-unit>
-<trans-unit id="sea9fc40dfd1d18b1">
-  <source>Configure RADIUS provider manually</source>
-  <target>Configura manualmente il provider RADIUS</target>
-</trans-unit>
-<trans-unit id="sa1b0052ae095b9b3">
-  <source>Configure SCIM provider manually</source>
-  <target>Configura manualmente il provider SCIM</target>
-</trans-unit>
-<trans-unit id="s15831fa50a116545">
-  <source>Saving Application...</source>
-  <target>Salvataggio Applicazione...</target>
-</trans-unit>
 <trans-unit id="s848288f8c2265aad">
  <source>Your application has been saved</source>
  <target>La tua applicazione è stata salvata</target>
@ -7455,10 +7408,6 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>Pseudolocale (for testing)</source>
  <target>Pseudolocale (per testare)</target>
 </trans-unit>
-<trans-unit id="s4bd386db7302bb22">
-  <source>Create With Wizard</source>
-  <target>Crea con la procedura guidata</target>
-</trans-unit>
 <trans-unit id="s070fdfb03034ca9b">
  <source>One hint, 'New Application Wizard', is currently hidden</source>
  <target>Un suggerimento, "New Application Wizard", è attualmente nascosto</target>
@ -7471,46 +7420,6 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>Message shown when this stage is run.</source>
  <target>Messaggio mostrato quando questa fase è eseguita.</target>
 </trans-unit>
-<trans-unit id="s09f0c100d0ad2fec">
-  <source>Open Wizard</source>
-  <target>Apri Wizard</target>
-</trans-unit>
-<trans-unit id="sf2ef885f7d0a101d">
-  <source>Demo Wizard</source>
-  <target>Demo Wizard</target>
-</trans-unit>
-<trans-unit id="s77505ee5d2e45e53">
-  <source>Run the demo wizard</source>
-  <target>Esegui il demo wizard</target>
-</trans-unit>
-<trans-unit id="s4498e890d47a8066">
-  <source>OAuth2/OIDC (Open Authorization/OpenID Connect)</source>
-  <target>OAuth2/OIDC (Autorizzazione aperta/OpenID Connect)</target>
-</trans-unit>
-<trans-unit id="s4f2e195d09e2868c">
-  <source>LDAP (Lightweight Directory Access Protocol)</source>
-  <target>LDAP (protocollo di accesso alla directory leggero)</target>
-</trans-unit>
-<trans-unit id="s7f5bb0c9923315ed">
-  <source>Forward Auth (Single Application)</source>
-  <target>Auth Auth (Applicazione singola)</target>
-</trans-unit>
-<trans-unit id="sf8008d2d6b064b95">
-  <source>Forward Auth (Domain Level)</source>
-  <target>Auth Auth (livello di dominio)</target>
-</trans-unit>
-<trans-unit id="sfa8a1ffa9fee07d3">
-  <source>SAML (Security Assertion Markup Language)</source>
-  <target>SAML (lingua di markup dell'asserzione di sicurezza)</target>
-</trans-unit>
-<trans-unit id="s848a23972e388662">
-  <source>RADIUS (Remote Authentication Dial-In User Service)</source>
-  <target>RADIUS (servizio utente dial-in autenticazione remota)</target>
-</trans-unit>
-<trans-unit id="s3e902999ddf7b50e">
-  <source>SCIM (System for Cross-domain Identity Management)</source>
-  <target>SCIM (Sistema per la gestione dell'identità a dominio)</target>
-</trans-unit>
 <trans-unit id="sdc5690be4a342985">
  <source>The token has been copied to your clipboard</source>
  <target>Il token è stato copiato negli appunti</target>
@ -7555,14 +7464,6 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>&lt;No name set&gt;</source>
  <target>&lt;No name set&gt;</target>
 </trans-unit>
-<trans-unit id="sdc9a6ad1af30572c">
-  <source>For nginx's auth_request or traefik's forwardAuth</source>
-  <target>Per l'auth_request di nginx o il forwardAuth di traefik</target>
-</trans-unit>
-<trans-unit id="sfc31264ef7ff86ef">
-  <source>For nginx's auth_request or traefik's forwardAuth per root domain</source>
-  <target>Per l'auth_request di nginx o il forwardAuth di traefik per dominio radice</target>
-</trans-unit>
 <trans-unit id="s32babfed740fd3c1">
  <source>User type used for newly created users.</source>
  <target>Tipo di utente utilizzato per gli utenti appena creati.</target>
@ -7647,10 +7548,6 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>Review the provider.</source>
  <target>Rivedere il fornitore.</target>
 </trans-unit>
-<trans-unit id="s9fd39a5cb20b4e61">
-  <source>There was an error</source>
-  <target>C'è stato un errore</target>
-</trans-unit>
 <trans-unit id="s7a6b3453209e1066">
  <source>There was an error creating the application, but no error message was sent. Please review the server logs.</source>
  <target>Si è verificato un errore creando l'applicazione, ma non è stato inviato alcun messaggio di errore. Si prega di rivedere i registri del server.</target>
@ -7659,10 +7556,6 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>Configure LDAP Provider</source>
  <target>Configurare il provider LDAP</target>
 </trans-unit>
-<trans-unit id="s9368e965b5c292ab">
-  <source>Configure OAuth2/OpenId Provider</source>
-  <target>Configura provider OAuth2/OpenID</target>
-</trans-unit>
 <trans-unit id="sf5cbccdc6254c8dc">
  <source>Configure Proxy Provider</source>
  <target>Configurare Proxy Provider</target>
@ -7675,18 +7568,10 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>Configure SAML Provider</source>
  <target>Configurare il provider SAML</target>
 </trans-unit>
-<trans-unit id="sb3defbacd01ad972">
-  <source>Property mappings used for user mapping.</source>
-  <target>Mappature delle proprietà utilizzate per la mappatura degli utenti.</target>
-</trans-unit>
 <trans-unit id="s7ccce0ec8d228db6">
  <source>Configure SCIM Provider</source>
  <target>Configurare il provider SCIM</target>
 </trans-unit>
-<trans-unit id="sd7728d2b6e1d25e9">
-  <source>Property mappings used for group creation.</source>
-  <target>Mapping di proprietà utilizzati per la creazione di gruppo.</target>
-</trans-unit>
 <trans-unit id="s7513372fe60f6387">
  <source>Event volume</source>
  <target>Volume degli eventi</target>
@ -8111,18 +7996,6 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>Brand name</source>
  <target>Nome Brand</target>
 </trans-unit>
-<trans-unit id="sb7e68dcad68a638c">
-  <source>Remote Access Provider</source>
-  <target>Remote Access Provider</target>
-</trans-unit>
-<trans-unit id="sfb1980a471b7dfb6">
-  <source>Remotely access computers/servers via RDP/SSH/VNC</source>
-  <target>Accesso remoto a computers/servers via RDP/SSH/VNC</target>
-</trans-unit>
-<trans-unit id="s9ffdea131dddb3c5">
-  <source>Configure Remote Access Provider Provider</source>
-  <target>Configurare provider di provider di accesso remoto</target>
-</trans-unit>
 <trans-unit id="s56bc67239b9255a2">
  <source>Delete authorization on disconnect</source>
  <target>Elimina l'autorizzazione su disconnessione</target>
@ -8615,18 +8488,6 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>Pagination</source>
  <target>Impaginazione</target>
 </trans-unit>
-<trans-unit id="s6d46b842e227be57">
-  <source>Application Details</source>
-  <target>Dettagli dell'applicazione</target>
-</trans-unit>
-<trans-unit id="s76415a60e548cafe">
-  <source>Provider Configuration</source>
-  <target>Configurazione del provider</target>
-</trans-unit>
-<trans-unit id="sde59c64619570b57">
-  <source>Submit Application</source>
-  <target>Invia domanda</target>
-</trans-unit>
 <trans-unit id="sf2da0e95c78f2cb7">
  <source>Restore Application Wizard Hint</source>
  <target>Ripristina il suggerimento per la procedura guidata dell'applicazione</target>
@ -8939,10 +8800,6 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>Sync Group</source>
  <target>Gruppo di sincronizzazione</target>
 </trans-unit>
-<trans-unit id="sa38c5a2731be3a46">
-  <source>authentik was unable to save this application:</source>
-  <target>Authenk non è stato in grado di salvare questa applicazione:</target>
-</trans-unit>
 <trans-unit id="s25bacc19d98b444e">
  <source>Parent Group</source>
  <target>Gruppo genitore</target>
@ -9111,12 +8968,6 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>Endpoint Google Chrome Device Trust is in preview.</source>
  <target>anteprima dell'Endpoint Google Chrome Device Trust</target>
 </trans-unit>
-<trans-unit id="h10ef80d434185070">
-  <source>Use this provider with nginx's <x id="0" equiv-text="&lt;code&gt;"/>auth_request<x id="1" equiv-text="&lt;/code&gt;"/> or traefik's
-                    <x id="2" equiv-text="&lt;code&gt;"/>forwardAuth<x id="3" equiv-text="&lt;/code&gt;"/>. Each application/domain needs its own provider.
-                    Additionally, on each domain, <x id="4" equiv-text="&lt;code&gt;"/>/outpost.goauthentik.io<x id="5" equiv-text="&lt;/code&gt;"/> must be
-                    routed to the outpost (when using a managed outpost, this is done for you).</source>
-</trans-unit>
 <trans-unit id="s3d2a8b86a4f5a810">
  <source>Successfully created user and added to group <x id="0" equiv-text="${this.group.name}"/></source>
 </trans-unit>
@ -9224,9 +9075,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s4c49d27de60a532b">
  <source>To allow any redirect URI, set the mode to Regex and the value to ".*". Be aware of the possible security implications this can have.</source>
 </trans-unit>
-<trans-unit id="s43f899a86c6a3484">
-  <source>Redirect URIs/Origins</source>
-</trans-unit>
 <trans-unit id="sa52bf79fe1ccb13e">
  <source>Federated OIDC Sources</source>
 </trans-unit>
@ -9304,6 +9152,135 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sbfaee8cfbf4e44e8">
  <source>Require Outpost (flow can only be executed from an outpost)</source>
+</trans-unit>
+<trans-unit id="sb80507bed88545a6">
+  <source>An application name is required</source>
+</trans-unit>
+<trans-unit id="s39c052006b2b141a">
+  <source>Not a valid URL</source>
+</trans-unit>
+<trans-unit id="s317f3ab0da3d068a">
+  <source>Not a valid slug</source>
+</trans-unit>
+<trans-unit id="s177577c23ed3ca7e">
+  <source>Configure The Application</source>
+</trans-unit>
+<trans-unit id="s030ed8a3f12c23ff">
+  <source>Configure Bindings</source>
+</trans-unit>
+<trans-unit id="sc387b20e6d629087">
+  <source>Configure Policy/User/Group Bindings</source>
+</trans-unit>
+<trans-unit id="s71c3ec95efe723ca">
+  <source>No bound policies.</source>
+</trans-unit>
+<trans-unit id="sab1786ef3c0383ba">
+  <source>Bind policy/group/user</source>
+</trans-unit>
+<trans-unit id="s082ea0f3c0a854ff">
+  <source>Configure Policy Bindings</source>
+</trans-unit>
+<trans-unit id="sac315d5bd28d4efa">
+  <source>Don't Pass</source>
+</trans-unit>
+<trans-unit id="s54a37223ce938349">
+  <source>Save Binding</source>
+</trans-unit>
+<trans-unit id="s931754aabd4a6a47">
+  <source>Create a Policy/User/Group Binding</source>
+</trans-unit>
+<trans-unit id="s10ba15343fe64890">
+  <source>Choose A Provider</source>
+</trans-unit>
+<trans-unit id="sb7be945aa799b8d7">
+  <source>Please choose a provider type before proceeding.</source>
+</trans-unit>
+<trans-unit id="s2289ff3b411251d8">
+  <source>Choose a Provider Type</source>
+</trans-unit>
+<trans-unit id="sde0ad51b14f77cf6">
+  <source>Redirect URIs/Origins (RegEx)</source>
+</trans-unit>
+<trans-unit id="s89ae85c3a9df8a6f">
+  <source>Configure OAuth2 Provider</source>
+</trans-unit>
+<trans-unit id="s881271a499c9db98">
+  <source>Configure Remote Access Provider</source>
+</trans-unit>
+<trans-unit id="s9b6bf63fddc7362f">
+  <source>List of CIDRs (comma-seperated) that clients can connect from. A more specific CIDR will match before a looser one. Clients connecting from a non-specified CIDR will be dropped.</source>
+</trans-unit>
+<trans-unit id="s19907c16eb319618">
+  <source>Configure Provider</source>
+</trans-unit>
+<trans-unit id="s7055edd8fab866f4">
+  <source>strict</source>
+</trans-unit>
+<trans-unit id="s5e57ca23b946c1b8">
+  <source>regexp</source>
+</trans-unit>
+<trans-unit id="sd226dc54c414585a">
+  <source>Review and Submit Application</source>
+</trans-unit>
+<trans-unit id="s828ded9ade500ffc">
+  <source>There was an error. Please go back and review the application.</source>
+</trans-unit>
+<trans-unit id="s9fdda682893624a1">
+  <source>There was an error:</source>
+</trans-unit>
+<trans-unit id="s201ee6bc6d9f97da">
+  <source>Please go back and review the application.</source>
+</trans-unit>
+<trans-unit id="s9c09ef16900241fa">
+  <source>Review the Application and Provider</source>
+</trans-unit>
+<trans-unit id="s0a0a21f7bcf9d865">
+  <source>Saving application...</source>
+</trans-unit>
+<trans-unit id="se669a4b939be0891">
+  <source>authentik was unable to complete this process.</source>
+</trans-unit>
+<trans-unit id="s8aac845c63f45ca2">
+  <source>Create with wizard</source>
+</trans-unit>
+<trans-unit id="s080af72866b69b3d">
+  <source>Bind existing <x id="0" equiv-text="${this.allowedTypesLabel}"/></source>
+</trans-unit>
+<trans-unit id="sa36117e97f49c86e">
+  <source>Successfully updated entitlement.</source>
+</trans-unit>
+<trans-unit id="s86bee999b735111f">
+  <source>Successfully created entitlement.</source>
+</trans-unit>
+<trans-unit id="s8a48455905fc14e6">
+  <source>Application entitlement(s)</source>
+</trans-unit>
+<trans-unit id="sae971cbff672090b">
+  <source>Update Entitlement</source>
+</trans-unit>
+<trans-unit id="s537a58ae0ff50f1c">
+  <source>These bindings control which users have access to this entitlement.</source>
+</trans-unit>
+<trans-unit id="s05849efeac672dc7">
+  <source>No app entitlements created.</source>
+</trans-unit>
+<trans-unit id="sdc8a8f29af6aa411">
+  <source>This application does currently not have any application entitlement defined.</source>
+</trans-unit>
+<trans-unit id="sf0bd204ce3fea1de">
+  <source>Create Entitlement</source>
+</trans-unit>
+<trans-unit id="s55d8e42d0a1c057e">
+  <source>Create entitlement</source>
+</trans-unit>
+<trans-unit id="sc6479479c936939f">
+  <source>Application entitlements</source>
+</trans-unit>
+<trans-unit id="sfafbd9bddb38d172">
+  <source>Application entitlements are in preview.</source>
+</trans-unit>
+<trans-unit id="s8e1c375a007d1839">
+  <source>These entitlements can be used to configure user access in this application.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/ko.xlf
+++ b/web/xliff/ko.xlf
@ -1541,14 +1541,6 @@
        <target>클라이언트 네트워크</target>

      </trans-unit>
-      <trans-unit id="s7f2dcf01f7a8c0b7">
-        <source>List of CIDRs (comma-seperated) that clients can connect from. A more specific
-                            CIDR will match before a looser one. Clients connecting from a non-specified CIDR
-                            will be dropped.</source>
-        <target>클라이언트가 연결할 수 있는 CIDR 목록(쉼표로 구분)입니다. 더 구체적인
-                             CIDR이 더 넓은 것보다 먼저 일치합니다. 지정되지 않은 CIDR에서 연결하는 클라이언트는
-                            거부됩니다.</target>
-      </trans-unit>
      <trans-unit id="s61eacb19db252f5e">
        <source>URL</source>
        <target>URL</target>
@ -2148,21 +2140,11 @@
        <source>Run sync again</source>
        <target>다시 동기화 진행</target>

-      </trans-unit>
-      <trans-unit id="sc2cedfb22488ccb2">
-        <source>Modern applications, APIs and Single-page applications.</source>
-        <target>현대적인 애플리케이션, API 및 단일 페이지 애플리케이션.</target>
-
      </trans-unit>
      <trans-unit id="sc3259eb55cf91e8c">
        <source>LDAP</source>
        <target>LDAP</target>

-      </trans-unit>
-      <trans-unit id="sffd5481034a1bd41">
-        <source>Provide an LDAP interface for applications and users to authenticate against.</source>
-        <target>응용 프로그램 및 사용자가 인증하기 위한 LDAP 인터페이스를 제공하세요.</target>
-
      </trans-unit>
      <trans-unit id="s0c9670f429e74283">
        <source>New application</source>
@ -2628,24 +2610,19 @@ doesn't pass when either or both of the selected options are equal or above the
        <source>Path</source>
        <target>경로</target>

-      </trans-unit>
-      <trans-unit id="s67560d7e37d984c3">
-        <source>Policy / User / Group</source>
-        <target>정책 / 사용자 / 그룹</target>
-
      </trans-unit>
      <trans-unit id="s030ac0829bb50a49">
-        <source>Policy <x id="0" equiv-text="${item.policyObj?.name}"/></source>
+        <source>Policy <x id="0" equiv-text="${v.policyObj?.name}"/></source>
        <target><x id="0" equiv-text="${item.policyObj?.name}"/> 정책</target>

      </trans-unit>
      <trans-unit id="s2a64d2dca3da9b0e">
-        <source>Group <x id="0" equiv-text="${item.groupObj?.name}"/></source>
+        <source>Group <x id="0" equiv-text="${v.groupObj?.name}"/></source>
        <target><x id="0" equiv-text="${item.groupObj?.name}"/> 그룹</target>

      </trans-unit>
      <trans-unit id="se5dc026819a32ff8">
-        <source>User <x id="0" equiv-text="${item.userObj?.name}"/></source>
+        <source>User <x id="0" equiv-text="${v.userObj?.name}"/></source>
        <target><x id="0" equiv-text="${item.userObj?.name}"/> 사용자</target>

      </trans-unit>
@ -7283,30 +7260,6 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>UI Settings</source>
  <target>UI 설정</target>
 </trans-unit>
-<trans-unit id="s836148f721d8913b">
-  <source>Transparent Reverse Proxy</source>
-  <target>투명 리버스 프록시</target>
-</trans-unit>
-<trans-unit id="s945a6b94361ee45b">
-  <source>For transparent reverse proxies with required authentication</source>
-  <target>인증이 필요한 투명한 리버스 프록시의 경우</target>
-</trans-unit>
-<trans-unit id="s40830ec037f34626">
-  <source>Configure SAML provider manually</source>
-  <target>SAML 공급자를 수동으로 구성</target>
-</trans-unit>
-<trans-unit id="sea9fc40dfd1d18b1">
-  <source>Configure RADIUS provider manually</source>
-  <target>RADIUS 공급자를 수동으로 구성</target>
-</trans-unit>
-<trans-unit id="sa1b0052ae095b9b3">
-  <source>Configure SCIM provider manually</source>
-  <target>SCIM 공급자를 수동으로 구성</target>
-</trans-unit>
-<trans-unit id="s15831fa50a116545">
-  <source>Saving Application...</source>
-  <target>Saving Application...</target>
-</trans-unit>
 <trans-unit id="s848288f8c2265aad">
  <source>Your application has been saved</source>
  <target>애플리케이션 저장됨</target>
@ -7315,16 +7268,6 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>Method's display Name.</source>
  <target>Method의 표시 이름.</target>
 </trans-unit>
-<trans-unit id="h10ef80d434185070">
-  <source>Use this provider with nginx's <x id="0" equiv-text="&lt;code&gt;"/>auth_request<x id="1" equiv-text="&lt;/code&gt;"/> or traefik's
-                    <x id="2" equiv-text="&lt;code&gt;"/>forwardAuth<x id="3" equiv-text="&lt;/code&gt;"/>. Each application/domain needs its own provider.
-                    Additionally, on each domain, <x id="4" equiv-text="&lt;code&gt;"/>/outpost.goauthentik.io<x id="5" equiv-text="&lt;/code&gt;"/> must be
-                    routed to the outpost (when using a managed outpost, this is done for you).</source>
-  <target>Use this provider with nginx's <x id="0" equiv-text="&lt;code&gt;"/>auth_request<x id="1" equiv-text="&lt;/code&gt;"/> or traefik's
-                    <x id="2" equiv-text="&lt;code&gt;"/>forwardAuth<x id="3" equiv-text="&lt;/code&gt;"/>. Each application/domain needs its own provider.
-                    Additionally, on each domain, <x id="4" equiv-text="&lt;code&gt;"/>/outpost.goauthentik.io<x id="5" equiv-text="&lt;/code&gt;"/> must be
-                    routed to the outpost (when using a managed outpost, this is done for you).</target>
-</trans-unit>
 <trans-unit id="sd18b18f91b804c3f">
  <source>Custom attributes</source>
  <target>사용자 정의 속성(Attribute)</target>
@ -7469,10 +7412,6 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>Pseudolocale (for testing)</source>
  <target>가짜-로캘 (테스트용)</target>
 </trans-unit>
-<trans-unit id="s4bd386db7302bb22">
-  <source>Create With Wizard</source>
-  <target>authentik 마법사로 생성</target>
-</trans-unit>
 <trans-unit id="s070fdfb03034ca9b">
  <source>One hint, 'New Application Wizard', is currently hidden</source>
  <target>힌트, '새 애플리케이션 마법사'는 현재, 숨겨져 있습니다.</target>
@ -7485,46 +7424,6 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>Message shown when this stage is run.</source>
  <target>이 스테이지가 실행될 때 표시되는 메시지입니다.</target>
 </trans-unit>
-<trans-unit id="s09f0c100d0ad2fec">
-  <source>Open Wizard</source>
-  <target>마법사 열기</target>
-</trans-unit>
-<trans-unit id="sf2ef885f7d0a101d">
-  <source>Demo Wizard</source>
-  <target>데모 마법사</target>
-</trans-unit>
-<trans-unit id="s77505ee5d2e45e53">
-  <source>Run the demo wizard</source>
-  <target>데모 마법사 실행</target>
-</trans-unit>
-<trans-unit id="s4498e890d47a8066">
-  <source>OAuth2/OIDC (Open Authorization/OpenID Connect)</source>
-  <target>OAuth2/OIDC (Open Authorization/OpenID Connect)</target>
-</trans-unit>
-<trans-unit id="s4f2e195d09e2868c">
-  <source>LDAP (Lightweight Directory Access Protocol)</source>
-  <target>LDAP (Lightweight Directory Access Protocol)</target>
-</trans-unit>
-<trans-unit id="s7f5bb0c9923315ed">
-  <source>Forward Auth (Single Application)</source>
-  <target>Forward Auth (단일 애플리케이션)</target>
-</trans-unit>
-<trans-unit id="sf8008d2d6b064b95">
-  <source>Forward Auth (Domain Level)</source>
-  <target>Forward Auth (도메인 레벨)</target>
-</trans-unit>
-<trans-unit id="sfa8a1ffa9fee07d3">
-  <source>SAML (Security Assertion Markup Language)</source>
-  <target>SAML (Security Assertion Markup Language)</target>
-</trans-unit>
-<trans-unit id="s848a23972e388662">
-  <source>RADIUS (Remote Authentication Dial-In User Service)</source>
-  <target>RADIUS (Remote Authentication Dial-In User Service)</target>
-</trans-unit>
-<trans-unit id="s3e902999ddf7b50e">
-  <source>SCIM (System for Cross-domain Identity Management)</source>
-  <target>SCIM (System for Cross-domain Identity Management)</target>
-</trans-unit>
 <trans-unit id="sdc5690be4a342985">
  <source>The token has been copied to your clipboard</source>
  <target>토큰이 클립보드에 복사되었습니다.</target>
@ -7569,14 +7468,6 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>&lt;No name set&gt;</source>
  <target>&lt;설정된 이름 없음&gt;</target>
 </trans-unit>
-<trans-unit id="sdc9a6ad1af30572c">
-  <source>For nginx's auth_request or traefik's forwardAuth</source>
-  <target>Nginx의 auth_request 또는 Traefik의 forwardAuth의 경우</target>
-</trans-unit>
-<trans-unit id="sfc31264ef7ff86ef">
-  <source>For nginx's auth_request or traefik's forwardAuth per root domain</source>
-  <target>루트 도메인 당 Nginx의 auth_request 또는 Traefik의 forwardAuth 경우</target>
-</trans-unit>
 <trans-unit id="s32babfed740fd3c1">
  <source>User type used for newly created users.</source>
  <target>새로 생성된 사용자에 사용되는 사용자 유형입니다.</target>
@ -7669,10 +7560,6 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>Review the provider.</source>
  <target>공급자 검토하기.</target>
 </trans-unit>
-<trans-unit id="s9fd39a5cb20b4e61">
-  <source>There was an error</source>
-  <target>오류가 발생함</target>
-</trans-unit>
 <trans-unit id="s7a6b3453209e1066">
  <source>There was an error creating the application, but no error message was sent. Please review the server logs.</source>
  <target>애플리케이션을 만드는 동안 오류가 발생했지만, 오류 메시지는 전송되지 않았습니다. 서버 로그를 검토해 보세요.</target>
@ -7681,10 +7568,6 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>Configure LDAP Provider</source>
  <target>LDAP 공급자 구성</target>
 </trans-unit>
-<trans-unit id="s9368e965b5c292ab">
-  <source>Configure OAuth2/OpenId Provider</source>
-  <target>OAuth2/OpenId 공급자 구성</target>
-</trans-unit>
 <trans-unit id="sf5cbccdc6254c8dc">
  <source>Configure Proxy Provider</source>
  <target>프록시 공급자 구성</target>
@ -7697,18 +7580,10 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>Configure SAML Provider</source>
  <target>SAML 공급자 구성</target>
 </trans-unit>
-<trans-unit id="sb3defbacd01ad972">
-  <source>Property mappings used for user mapping.</source>
-  <target>사용자 매핑에 사용되는 속성 매핑입니다.</target>
-</trans-unit>
 <trans-unit id="s7ccce0ec8d228db6">
  <source>Configure SCIM Provider</source>
  <target>SCIM 공급자 구성</target>
 </trans-unit>
-<trans-unit id="sd7728d2b6e1d25e9">
-  <source>Property mappings used for group creation.</source>
-  <target>그룹을 만드는데 사용할 속성 매핑입니다.</target>
-</trans-unit>
 <trans-unit id="s7513372fe60f6387">
  <source>Event volume</source>
  <target>이력 규모</target>
@ -8039,15 +7914,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="se16b4d412ad1aba9">
  <source>Brand name</source>
 </trans-unit>
-<trans-unit id="sb7e68dcad68a638c">
-  <source>Remote Access Provider</source>
-</trans-unit>
-<trans-unit id="sfb1980a471b7dfb6">
-  <source>Remotely access computers/servers via RDP/SSH/VNC</source>
-</trans-unit>
-<trans-unit id="s9ffdea131dddb3c5">
-  <source>Configure Remote Access Provider Provider</source>
-</trans-unit>
 <trans-unit id="s56bc67239b9255a2">
  <source>Delete authorization on disconnect</source>
 </trans-unit>
@ -8417,15 +8283,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s3dc14a4b8129f989">
  <source>Pagination</source>
 </trans-unit>
-<trans-unit id="s6d46b842e227be57">
-  <source>Application Details</source>
-</trans-unit>
-<trans-unit id="s76415a60e548cafe">
-  <source>Provider Configuration</source>
-</trans-unit>
-<trans-unit id="sde59c64619570b57">
-  <source>Submit Application</source>
-</trans-unit>
 <trans-unit id="sf2da0e95c78f2cb7">
  <source>Restore Application Wizard Hint</source>
 </trans-unit>
@ -8669,9 +8526,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s2d5f69929bb7221d">
  <source><x id="0" equiv-text="${p.name}"/> ("<x id="1" equiv-text="${p.fieldKey}"/>", of type <x id="2" equiv-text="${p.type}"/>)</source>
 </trans-unit>
-<trans-unit id="sa38c5a2731be3a46">
-  <source>authentik was unable to save this application:</source>
-</trans-unit>
 <trans-unit id="s25bacc19d98b444e">
  <source>Parent Group</source>
 </trans-unit>
@ -8858,9 +8712,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s4c49d27de60a532b">
  <source>To allow any redirect URI, set the mode to Regex and the value to ".*". Be aware of the possible security implications this can have.</source>
 </trans-unit>
-<trans-unit id="s43f899a86c6a3484">
-  <source>Redirect URIs/Origins</source>
-</trans-unit>
 <trans-unit id="sa52bf79fe1ccb13e">
  <source>Federated OIDC Sources</source>
 </trans-unit>
@ -8938,6 +8789,135 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sbfaee8cfbf4e44e8">
  <source>Require Outpost (flow can only be executed from an outpost)</source>
+</trans-unit>
+<trans-unit id="sb80507bed88545a6">
+  <source>An application name is required</source>
+</trans-unit>
+<trans-unit id="s39c052006b2b141a">
+  <source>Not a valid URL</source>
+</trans-unit>
+<trans-unit id="s317f3ab0da3d068a">
+  <source>Not a valid slug</source>
+</trans-unit>
+<trans-unit id="s177577c23ed3ca7e">
+  <source>Configure The Application</source>
+</trans-unit>
+<trans-unit id="s030ed8a3f12c23ff">
+  <source>Configure Bindings</source>
+</trans-unit>
+<trans-unit id="sc387b20e6d629087">
+  <source>Configure Policy/User/Group Bindings</source>
+</trans-unit>
+<trans-unit id="s71c3ec95efe723ca">
+  <source>No bound policies.</source>
+</trans-unit>
+<trans-unit id="sab1786ef3c0383ba">
+  <source>Bind policy/group/user</source>
+</trans-unit>
+<trans-unit id="s082ea0f3c0a854ff">
+  <source>Configure Policy Bindings</source>
+</trans-unit>
+<trans-unit id="sac315d5bd28d4efa">
+  <source>Don't Pass</source>
+</trans-unit>
+<trans-unit id="s54a37223ce938349">
+  <source>Save Binding</source>
+</trans-unit>
+<trans-unit id="s931754aabd4a6a47">
+  <source>Create a Policy/User/Group Binding</source>
+</trans-unit>
+<trans-unit id="s10ba15343fe64890">
+  <source>Choose A Provider</source>
+</trans-unit>
+<trans-unit id="sb7be945aa799b8d7">
+  <source>Please choose a provider type before proceeding.</source>
+</trans-unit>
+<trans-unit id="s2289ff3b411251d8">
+  <source>Choose a Provider Type</source>
+</trans-unit>
+<trans-unit id="sde0ad51b14f77cf6">
+  <source>Redirect URIs/Origins (RegEx)</source>
+</trans-unit>
+<trans-unit id="s89ae85c3a9df8a6f">
+  <source>Configure OAuth2 Provider</source>
+</trans-unit>
+<trans-unit id="s881271a499c9db98">
+  <source>Configure Remote Access Provider</source>
+</trans-unit>
+<trans-unit id="s9b6bf63fddc7362f">
+  <source>List of CIDRs (comma-seperated) that clients can connect from. A more specific CIDR will match before a looser one. Clients connecting from a non-specified CIDR will be dropped.</source>
+</trans-unit>
+<trans-unit id="s19907c16eb319618">
+  <source>Configure Provider</source>
+</trans-unit>
+<trans-unit id="s7055edd8fab866f4">
+  <source>strict</source>
+</trans-unit>
+<trans-unit id="s5e57ca23b946c1b8">
+  <source>regexp</source>
+</trans-unit>
+<trans-unit id="sd226dc54c414585a">
+  <source>Review and Submit Application</source>
+</trans-unit>
+<trans-unit id="s828ded9ade500ffc">
+  <source>There was an error. Please go back and review the application.</source>
+</trans-unit>
+<trans-unit id="s9fdda682893624a1">
+  <source>There was an error:</source>
+</trans-unit>
+<trans-unit id="s201ee6bc6d9f97da">
+  <source>Please go back and review the application.</source>
+</trans-unit>
+<trans-unit id="s9c09ef16900241fa">
+  <source>Review the Application and Provider</source>
+</trans-unit>
+<trans-unit id="s0a0a21f7bcf9d865">
+  <source>Saving application...</source>
+</trans-unit>
+<trans-unit id="se669a4b939be0891">
+  <source>authentik was unable to complete this process.</source>
+</trans-unit>
+<trans-unit id="s8aac845c63f45ca2">
+  <source>Create with wizard</source>
+</trans-unit>
+<trans-unit id="s080af72866b69b3d">
+  <source>Bind existing <x id="0" equiv-text="${this.allowedTypesLabel}"/></source>
+</trans-unit>
+<trans-unit id="sa36117e97f49c86e">
+  <source>Successfully updated entitlement.</source>
+</trans-unit>
+<trans-unit id="s86bee999b735111f">
+  <source>Successfully created entitlement.</source>
+</trans-unit>
+<trans-unit id="s8a48455905fc14e6">
+  <source>Application entitlement(s)</source>
+</trans-unit>
+<trans-unit id="sae971cbff672090b">
+  <source>Update Entitlement</source>
+</trans-unit>
+<trans-unit id="s537a58ae0ff50f1c">
+  <source>These bindings control which users have access to this entitlement.</source>
+</trans-unit>
+<trans-unit id="s05849efeac672dc7">
+  <source>No app entitlements created.</source>
+</trans-unit>
+<trans-unit id="sdc8a8f29af6aa411">
+  <source>This application does currently not have any application entitlement defined.</source>
+</trans-unit>
+<trans-unit id="sf0bd204ce3fea1de">
+  <source>Create Entitlement</source>
+</trans-unit>
+<trans-unit id="s55d8e42d0a1c057e">
+  <source>Create entitlement</source>
+</trans-unit>
+<trans-unit id="sc6479479c936939f">
+  <source>Application entitlements</source>
+</trans-unit>
+<trans-unit id="sfafbd9bddb38d172">
+  <source>Application entitlements are in preview.</source>
+</trans-unit>
+<trans-unit id="s8e1c375a007d1839">
+  <source>These entitlements can be used to configure user access in this application.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/nl.xlf
+++ b/web/xliff/nl.xlf
@ -1531,14 +1531,6 @@
        <target>Clientnetwerken</target>

      </trans-unit>
-      <trans-unit id="s7f2dcf01f7a8c0b7">
-        <source>List of CIDRs (comma-seperated) that clients can connect from. A more specific
-                            CIDR will match before a looser one. Clients connecting from a non-specified CIDR
-                            will be dropped.</source>
-        <target>Lijst van CIDR's (komma-gescheiden) waarvandaan clients kunnen verbinden. Een specifiekere
-                            CIDR komt overeen voordat een ruimere. Clients die verbinding maken vanaf een niet-gespecificeerde CIDR
-                            worden geweigerd.</target>
-      </trans-unit>
      <trans-unit id="s61eacb19db252f5e">
        <source>URL</source>
        <target>URL</target>
@ -2136,21 +2128,11 @@
        <source>Run sync again</source>
        <target>Voer synchronisatie opnieuw uit</target>

-      </trans-unit>
-      <trans-unit id="sc2cedfb22488ccb2">
-        <source>Modern applications, APIs and Single-page applications.</source>
-        <target>Moderne applicaties, API's en Single-page applicaties.</target>
-
      </trans-unit>
      <trans-unit id="sc3259eb55cf91e8c">
        <source>LDAP</source>
        <target>LDAP</target>

-      </trans-unit>
-      <trans-unit id="sffd5481034a1bd41">
-        <source>Provide an LDAP interface for applications and users to authenticate against.</source>
-        <target>Geef een LDAP-interface voor applicaties en gebruikers om tegen te verifiëren.</target>
-
      </trans-unit>
      <trans-unit id="s0c9670f429e74283">
        <source>New application</source>
@ -2618,24 +2600,19 @@ slaagt niet wanneer een of beide geselecteerde opties gelijk zijn aan of boven d
        <source>Path</source>
        <target>Pad</target>

-      </trans-unit>
-      <trans-unit id="s67560d7e37d984c3">
-        <source>Policy / User / Group</source>
-        <target>Beleid / Gebruiker / Groep</target>
-
      </trans-unit>
      <trans-unit id="s030ac0829bb50a49">
-        <source>Policy <x id="0" equiv-text="${item.policyObj?.name}"/></source>
+        <source>Policy <x id="0" equiv-text="${v.policyObj?.name}"/></source>
        <target>Beleid <x id="0" equiv-text="${item.policyObj?.name}"/></target>

      </trans-unit>
      <trans-unit id="s2a64d2dca3da9b0e">
-        <source>Group <x id="0" equiv-text="${item.groupObj?.name}"/></source>
+        <source>Group <x id="0" equiv-text="${v.groupObj?.name}"/></source>
        <target>Groep <x id="0" equiv-text="${item.groupObj?.name}"/></target>

      </trans-unit>
      <trans-unit id="se5dc026819a32ff8">
-        <source>User <x id="0" equiv-text="${item.userObj?.name}"/></source>
+        <source>User <x id="0" equiv-text="${v.userObj?.name}"/></source>
        <target>Gebruiker <x id="0" equiv-text="${item.userObj?.name}"/></target>

      </trans-unit>
@ -7202,51 +7179,6 @@ Bindingen naar groepen/gebruikers worden gecontroleerd tegen de gebruiker van de
 <trans-unit id="se2b29e6cfe59414c">
  <source>UI Settings</source>
 </trans-unit>
-<trans-unit id="s4498e890d47a8066">
-  <source>OAuth2/OIDC (Open Authorization/OpenID Connect)</source>
-</trans-unit>
-<trans-unit id="s4f2e195d09e2868c">
-  <source>LDAP (Lightweight Directory Access Protocol)</source>
-</trans-unit>
-<trans-unit id="s836148f721d8913b">
-  <source>Transparent Reverse Proxy</source>
-</trans-unit>
-<trans-unit id="s945a6b94361ee45b">
-  <source>For transparent reverse proxies with required authentication</source>
-</trans-unit>
-<trans-unit id="s7f5bb0c9923315ed">
-  <source>Forward Auth (Single Application)</source>
-</trans-unit>
-<trans-unit id="sdc9a6ad1af30572c">
-  <source>For nginx's auth_request or traefik's forwardAuth</source>
-</trans-unit>
-<trans-unit id="sf8008d2d6b064b95">
-  <source>Forward Auth (Domain Level)</source>
-</trans-unit>
-<trans-unit id="sfc31264ef7ff86ef">
-  <source>For nginx's auth_request or traefik's forwardAuth per root domain</source>
-</trans-unit>
-<trans-unit id="sfa8a1ffa9fee07d3">
-  <source>SAML (Security Assertion Markup Language)</source>
-</trans-unit>
-<trans-unit id="s40830ec037f34626">
-  <source>Configure SAML provider manually</source>
-</trans-unit>
-<trans-unit id="s848a23972e388662">
-  <source>RADIUS (Remote Authentication Dial-In User Service)</source>
-</trans-unit>
-<trans-unit id="sea9fc40dfd1d18b1">
-  <source>Configure RADIUS provider manually</source>
-</trans-unit>
-<trans-unit id="s3e902999ddf7b50e">
-  <source>SCIM (System for Cross-domain Identity Management)</source>
-</trans-unit>
-<trans-unit id="sa1b0052ae095b9b3">
-  <source>Configure SCIM provider manually</source>
-</trans-unit>
-<trans-unit id="s15831fa50a116545">
-  <source>Saving Application...</source>
-</trans-unit>
 <trans-unit id="s848288f8c2265aad">
  <source>Your application has been saved</source>
 </trans-unit>
@ -7262,9 +7194,6 @@ Bindingen naar groepen/gebruikers worden gecontroleerd tegen de gebruiker van de
 <trans-unit id="s21f95eaf151d4ce3">
  <source>Review the provider.</source>
 </trans-unit>
-<trans-unit id="s9fd39a5cb20b4e61">
-  <source>There was an error</source>
-</trans-unit>
 <trans-unit id="s7a6b3453209e1066">
  <source>There was an error creating the application, but no error message was sent. Please review the server logs.</source>
 </trans-unit>
@ -7274,36 +7203,18 @@ Bindingen naar groepen/gebruikers worden gecontroleerd tegen de gebruiker van de
 <trans-unit id="s67d858051b34c38b">
  <source>Method's display Name.</source>
 </trans-unit>
-<trans-unit id="s9368e965b5c292ab">
-  <source>Configure OAuth2/OpenId Provider</source>
-</trans-unit>
 <trans-unit id="sf5cbccdc6254c8dc">
  <source>Configure Proxy Provider</source>
 </trans-unit>
-<trans-unit id="h10ef80d434185070">
-  <source>Use this provider with nginx's <x id="0" equiv-text="&lt;code&gt;"/>auth_request<x id="1" equiv-text="&lt;/code&gt;"/> or traefik's
-                    <x id="2" equiv-text="&lt;code&gt;"/>forwardAuth<x id="3" equiv-text="&lt;/code&gt;"/>. Each application/domain needs its own provider.
-                    Additionally, on each domain, <x id="4" equiv-text="&lt;code&gt;"/>/outpost.goauthentik.io<x id="5" equiv-text="&lt;/code&gt;"/> must be
-                    routed to the outpost (when using a managed outpost, this is done for you).</source>
-</trans-unit>
 <trans-unit id="s2c8c6f89089b31d4">
  <source>Configure Radius Provider</source>
 </trans-unit>
 <trans-unit id="sfe906cde5dddc041">
  <source>Configure SAML Provider</source>
 </trans-unit>
-<trans-unit id="sb3defbacd01ad972">
-  <source>Property mappings used for user mapping.</source>
-</trans-unit>
 <trans-unit id="s7ccce0ec8d228db6">
  <source>Configure SCIM Provider</source>
 </trans-unit>
-<trans-unit id="sd7728d2b6e1d25e9">
-  <source>Property mappings used for group creation.</source>
-</trans-unit>
-<trans-unit id="s4bd386db7302bb22">
-  <source>Create With Wizard</source>
-</trans-unit>
 <trans-unit id="s71c5d51d5a357dbd">
  <source>Don't show this message again.</source>
 </trans-unit>
@ -7673,15 +7584,6 @@ Bindingen naar groepen/gebruikers worden gecontroleerd tegen de gebruiker van de
 <trans-unit id="se9e9e1d6799b86a5">
  <source>WebAuthn not supported by browser.</source>
 </trans-unit>
-<trans-unit id="s09f0c100d0ad2fec">
-  <source>Open Wizard</source>
-</trans-unit>
-<trans-unit id="sf2ef885f7d0a101d">
-  <source>Demo Wizard</source>
-</trans-unit>
-<trans-unit id="s77505ee5d2e45e53">
-  <source>Run the demo wizard</source>
-</trans-unit>
 <trans-unit id="s28b99b59541f54ca">
  <source>Connection failed after <x id="0" equiv-text="${this.connectionAttempt}"/> attempts.</source>
 </trans-unit>
@ -7888,15 +7790,6 @@ Bindingen naar groepen/gebruikers worden gecontroleerd tegen de gebruiker van de
 <trans-unit id="se16b4d412ad1aba9">
  <source>Brand name</source>
 </trans-unit>
-<trans-unit id="sb7e68dcad68a638c">
-  <source>Remote Access Provider</source>
-</trans-unit>
-<trans-unit id="sfb1980a471b7dfb6">
-  <source>Remotely access computers/servers via RDP/SSH/VNC</source>
-</trans-unit>
-<trans-unit id="s9ffdea131dddb3c5">
-  <source>Configure Remote Access Provider Provider</source>
-</trans-unit>
 <trans-unit id="s56bc67239b9255a2">
  <source>Delete authorization on disconnect</source>
 </trans-unit>
@ -8266,15 +8159,6 @@ Bindingen naar groepen/gebruikers worden gecontroleerd tegen de gebruiker van de
 <trans-unit id="s3dc14a4b8129f989">
  <source>Pagination</source>
 </trans-unit>
-<trans-unit id="s6d46b842e227be57">
-  <source>Application Details</source>
-</trans-unit>
-<trans-unit id="s76415a60e548cafe">
-  <source>Provider Configuration</source>
-</trans-unit>
-<trans-unit id="sde59c64619570b57">
-  <source>Submit Application</source>
-</trans-unit>
 <trans-unit id="sf2da0e95c78f2cb7">
  <source>Restore Application Wizard Hint</source>
 </trans-unit>
@ -8518,9 +8402,6 @@ Bindingen naar groepen/gebruikers worden gecontroleerd tegen de gebruiker van de
 <trans-unit id="s2d5f69929bb7221d">
  <source><x id="0" equiv-text="${p.name}"/> ("<x id="1" equiv-text="${p.fieldKey}"/>", of type <x id="2" equiv-text="${p.type}"/>)</source>
 </trans-unit>
-<trans-unit id="sa38c5a2731be3a46">
-  <source>authentik was unable to save this application:</source>
-</trans-unit>
 <trans-unit id="s25bacc19d98b444e">
  <source>Parent Group</source>
 </trans-unit>
@ -8707,9 +8588,6 @@ Bindingen naar groepen/gebruikers worden gecontroleerd tegen de gebruiker van de
 <trans-unit id="s4c49d27de60a532b">
  <source>To allow any redirect URI, set the mode to Regex and the value to ".*". Be aware of the possible security implications this can have.</source>
 </trans-unit>
-<trans-unit id="s43f899a86c6a3484">
-  <source>Redirect URIs/Origins</source>
-</trans-unit>
 <trans-unit id="sa52bf79fe1ccb13e">
  <source>Federated OIDC Sources</source>
 </trans-unit>
@ -8787,6 +8665,135 @@ Bindingen naar groepen/gebruikers worden gecontroleerd tegen de gebruiker van de
 </trans-unit>
 <trans-unit id="sbfaee8cfbf4e44e8">
  <source>Require Outpost (flow can only be executed from an outpost)</source>
+</trans-unit>
+<trans-unit id="sb80507bed88545a6">
+  <source>An application name is required</source>
+</trans-unit>
+<trans-unit id="s39c052006b2b141a">
+  <source>Not a valid URL</source>
+</trans-unit>
+<trans-unit id="s317f3ab0da3d068a">
+  <source>Not a valid slug</source>
+</trans-unit>
+<trans-unit id="s177577c23ed3ca7e">
+  <source>Configure The Application</source>
+</trans-unit>
+<trans-unit id="s030ed8a3f12c23ff">
+  <source>Configure Bindings</source>
+</trans-unit>
+<trans-unit id="sc387b20e6d629087">
+  <source>Configure Policy/User/Group Bindings</source>
+</trans-unit>
+<trans-unit id="s71c3ec95efe723ca">
+  <source>No bound policies.</source>
+</trans-unit>
+<trans-unit id="sab1786ef3c0383ba">
+  <source>Bind policy/group/user</source>
+</trans-unit>
+<trans-unit id="s082ea0f3c0a854ff">
+  <source>Configure Policy Bindings</source>
+</trans-unit>
+<trans-unit id="sac315d5bd28d4efa">
+  <source>Don't Pass</source>
+</trans-unit>
+<trans-unit id="s54a37223ce938349">
+  <source>Save Binding</source>
+</trans-unit>
+<trans-unit id="s931754aabd4a6a47">
+  <source>Create a Policy/User/Group Binding</source>
+</trans-unit>
+<trans-unit id="s10ba15343fe64890">
+  <source>Choose A Provider</source>
+</trans-unit>
+<trans-unit id="sb7be945aa799b8d7">
+  <source>Please choose a provider type before proceeding.</source>
+</trans-unit>
+<trans-unit id="s2289ff3b411251d8">
+  <source>Choose a Provider Type</source>
+</trans-unit>
+<trans-unit id="sde0ad51b14f77cf6">
+  <source>Redirect URIs/Origins (RegEx)</source>
+</trans-unit>
+<trans-unit id="s89ae85c3a9df8a6f">
+  <source>Configure OAuth2 Provider</source>
+</trans-unit>
+<trans-unit id="s881271a499c9db98">
+  <source>Configure Remote Access Provider</source>
+</trans-unit>
+<trans-unit id="s9b6bf63fddc7362f">
+  <source>List of CIDRs (comma-seperated) that clients can connect from. A more specific CIDR will match before a looser one. Clients connecting from a non-specified CIDR will be dropped.</source>
+</trans-unit>
+<trans-unit id="s19907c16eb319618">
+  <source>Configure Provider</source>
+</trans-unit>
+<trans-unit id="s7055edd8fab866f4">
+  <source>strict</source>
+</trans-unit>
+<trans-unit id="s5e57ca23b946c1b8">
+  <source>regexp</source>
+</trans-unit>
+<trans-unit id="sd226dc54c414585a">
+  <source>Review and Submit Application</source>
+</trans-unit>
+<trans-unit id="s828ded9ade500ffc">
+  <source>There was an error. Please go back and review the application.</source>
+</trans-unit>
+<trans-unit id="s9fdda682893624a1">
+  <source>There was an error:</source>
+</trans-unit>
+<trans-unit id="s201ee6bc6d9f97da">
+  <source>Please go back and review the application.</source>
+</trans-unit>
+<trans-unit id="s9c09ef16900241fa">
+  <source>Review the Application and Provider</source>
+</trans-unit>
+<trans-unit id="s0a0a21f7bcf9d865">
+  <source>Saving application...</source>
+</trans-unit>
+<trans-unit id="se669a4b939be0891">
+  <source>authentik was unable to complete this process.</source>
+</trans-unit>
+<trans-unit id="s8aac845c63f45ca2">
+  <source>Create with wizard</source>
+</trans-unit>
+<trans-unit id="s080af72866b69b3d">
+  <source>Bind existing <x id="0" equiv-text="${this.allowedTypesLabel}"/></source>
+</trans-unit>
+<trans-unit id="sa36117e97f49c86e">
+  <source>Successfully updated entitlement.</source>
+</trans-unit>
+<trans-unit id="s86bee999b735111f">
+  <source>Successfully created entitlement.</source>
+</trans-unit>
+<trans-unit id="s8a48455905fc14e6">
+  <source>Application entitlement(s)</source>
+</trans-unit>
+<trans-unit id="sae971cbff672090b">
+  <source>Update Entitlement</source>
+</trans-unit>
+<trans-unit id="s537a58ae0ff50f1c">
+  <source>These bindings control which users have access to this entitlement.</source>
+</trans-unit>
+<trans-unit id="s05849efeac672dc7">
+  <source>No app entitlements created.</source>
+</trans-unit>
+<trans-unit id="sdc8a8f29af6aa411">
+  <source>This application does currently not have any application entitlement defined.</source>
+</trans-unit>
+<trans-unit id="sf0bd204ce3fea1de">
+  <source>Create Entitlement</source>
+</trans-unit>
+<trans-unit id="s55d8e42d0a1c057e">
+  <source>Create entitlement</source>
+</trans-unit>
+<trans-unit id="sc6479479c936939f">
+  <source>Application entitlements</source>
+</trans-unit>
+<trans-unit id="sfafbd9bddb38d172">
+  <source>Application entitlements are in preview.</source>
+</trans-unit>
+<trans-unit id="s8e1c375a007d1839">
+  <source>These entitlements can be used to configure user access in this application.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/pl.xlf
+++ b/web/xliff/pl.xlf
@ -1545,14 +1545,6 @@
        <target>Sieci klienckie</target>
        
      </trans-unit>
-      <trans-unit id="s7f2dcf01f7a8c0b7">
-        <source>List of CIDRs (comma-seperated) that clients can connect from. A more specific
-                            CIDR will match before a looser one. Clients connecting from a non-specified CIDR
-                            will be dropped.</source>
-        <target>Lista adresów CIDR (oddzielonych przecinkami), z których mogą łączyć się klienci. Bardziej szczegółowy
-                            CIDR będzie pasował przed luźniejszym. Klienci łączący się z nieokreślonego CIDR
-                            zostaną odrzuceni.</target>
-      </trans-unit>
      <trans-unit id="s61eacb19db252f5e">
        <source>URL</source>
        <target>URL</target>
@ -2156,21 +2148,11 @@
        <source>Run sync again</source>
        <target>Uruchom ponownie synchronizację</target>
        
-      </trans-unit>
-      <trans-unit id="sc2cedfb22488ccb2">
-        <source>Modern applications, APIs and Single-page applications.</source>
-        <target>Nowoczesne aplikacje, API i aplikacje jednostronicowe.</target>
-        
      </trans-unit>
      <trans-unit id="sc3259eb55cf91e8c">
        <source>LDAP</source>
        <target>LDAP</target>
        
-      </trans-unit>
-      <trans-unit id="sffd5481034a1bd41">
-        <source>Provide an LDAP interface for applications and users to authenticate against.</source>
-        <target>Zapewnienie interfejsu LDAP dla aplikacji i użytkowników do uwierzytelniania.</target>
-        
      </trans-unit>
      <trans-unit id="s0c9670f429e74283">
        <source>New application</source>
@ -2638,26 +2620,21 @@ nie przechodzi, gdy jedna lub obie wybrane opcje są równe lub wyższe od progu
        <source>Path</source>
        <target>Ścieżka</target>
        
-      </trans-unit>
-      <trans-unit id="s67560d7e37d984c3">
-        <source>Policy / User / Group</source>
-        <target>Zasada / Użytkownik / Grupa</target>
-        
      </trans-unit>
      <trans-unit id="s030ac0829bb50a49">
-        <source>Policy <x id="0" equiv-text="${item.policyObj?.name}"/></source>
+        <source>Policy <x id="0" equiv-text="${v.policyObj?.name}"/></source>
        <target>Zasada
        <x id="0" equiv-text="${item.policyObj?.name}"/></target>
        
      </trans-unit>
      <trans-unit id="s2a64d2dca3da9b0e">
-        <source>Group <x id="0" equiv-text="${item.groupObj?.name}"/></source>
+        <source>Group <x id="0" equiv-text="${v.groupObj?.name}"/></source>
        <target>Grupa 
        <x id="0" equiv-text="${item.groupObj?.name}"/></target>
        
      </trans-unit>
      <trans-unit id="se5dc026819a32ff8">
-        <source>User <x id="0" equiv-text="${item.userObj?.name}"/></source>
+        <source>User <x id="0" equiv-text="${v.userObj?.name}"/></source>
        <target>Użytkownik 
        <x id="0" equiv-text="${item.userObj?.name}"/></target>
        
@ -7317,30 +7294,6 @@ Powiązania z grupami/użytkownikami są sprawdzane względem użytkownika zdarz
  <source>UI Settings</source>
  <target>Ustawienia interfejsu użytkownika</target>
 </trans-unit>
-<trans-unit id="s836148f721d8913b">
-  <source>Transparent Reverse Proxy</source>
-  <target>Transparentne odwrotne proxy</target>
-</trans-unit>
-<trans-unit id="s945a6b94361ee45b">
-  <source>For transparent reverse proxies with required authentication</source>
-  <target>W przypadku transparentnych odwrotnych serwerów proxy z wymaganym uwierzytelnianiem</target>
-</trans-unit>
-<trans-unit id="s40830ec037f34626">
-  <source>Configure SAML provider manually</source>
-  <target>Ręczna konfiguracja dostawcy SAML</target>
-</trans-unit>
-<trans-unit id="sea9fc40dfd1d18b1">
-  <source>Configure RADIUS provider manually</source>
-  <target>Ręczna konfiguracja dostawcy usługi RADIUS</target>
-</trans-unit>
-<trans-unit id="sa1b0052ae095b9b3">
-  <source>Configure SCIM provider manually</source>
-  <target>Ręczna konfiguracja dostawcy SCIM</target>
-</trans-unit>
-<trans-unit id="s15831fa50a116545">
-  <source>Saving Application...</source>
-  <target>Zapisywanie aplikacji...</target>
-</trans-unit>
 <trans-unit id="s848288f8c2265aad">
  <source>Your application has been saved</source>
  <target>Aplikacja została zapisana</target>
@ -7349,16 +7302,6 @@ Powiązania z grupami/użytkownikami są sprawdzane względem użytkownika zdarz
  <source>Method's display Name.</source>
  <target>Nazwa wyświetlana metody.</target>
 </trans-unit>
-<trans-unit id="h10ef80d434185070">
-  <source>Use this provider with nginx's <x id="0" equiv-text="&lt;code&gt;"/>auth_request<x id="1" equiv-text="&lt;/code&gt;"/> or traefik's
-                    <x id="2" equiv-text="&lt;code&gt;"/>forwardAuth<x id="3" equiv-text="&lt;/code&gt;"/>. Each application/domain needs its own provider.
-                    Additionally, on each domain, <x id="4" equiv-text="&lt;code&gt;"/>/outpost.goauthentik.io<x id="5" equiv-text="&lt;/code&gt;"/> must be
-                    routed to the outpost (when using a managed outpost, this is done for you).</source>
-  <target>Użyj tego dostawcy z nginx's <x id="0" equiv-text="&lt;code&gt;"/>auth_request<x id="1" equiv-text="&lt;/code&gt;"/> lub traefik's
-                    <x id="2" equiv-text="&lt;code&gt;"/>forwardAuth<x id="3" equiv-text="&lt;/code&gt;"/>. Każda aplikacja/domena potrzebuje własnego dostawcy.
-                    Dodatkowo, w każdej domenie, <x id="4" equiv-text="&lt;code&gt;"/>/outpost.goauthentik.io<x id="5" equiv-text="&lt;/code&gt;"/> musi być
-                    przekierowane do placówki (w przypadku korzystania z zarządzanej placówki jest to wykonywane za Ciebie).</target>
-</trans-unit>
 <trans-unit id="sd18b18f91b804c3f">
  <source>Custom attributes</source>
  <target>Atrybuty niestandardowe</target>
@ -7503,10 +7446,6 @@ Powiązania z grupami/użytkownikami są sprawdzane względem użytkownika zdarz
  <source>Pseudolocale (for testing)</source>
  <target>Pseudo ustawienia regionalne (do testowania)</target>
 </trans-unit>
-<trans-unit id="s4bd386db7302bb22">
-  <source>Create With Wizard</source>
-  <target>Utwórz za pomocą kreatora</target>
-</trans-unit>
 <trans-unit id="s070fdfb03034ca9b">
  <source>One hint, 'New Application Wizard', is currently hidden</source>
  <target>Jedna podpowiedź, „Kreator nowej aplikacji”, jest obecnie ukryty</target>
@ -7519,46 +7458,6 @@ Powiązania z grupami/użytkownikami są sprawdzane względem użytkownika zdarz
  <source>Message shown when this stage is run.</source>
  <target>Komunikat wyświetlany po uruchomieniu tego etapu.</target>
 </trans-unit>
-<trans-unit id="s09f0c100d0ad2fec">
-  <source>Open Wizard</source>
-  <target>Otwórz kreatora</target>
-</trans-unit>
-<trans-unit id="sf2ef885f7d0a101d">
-  <source>Demo Wizard</source>
-  <target>Kreator demonstracyjny</target>
-</trans-unit>
-<trans-unit id="s77505ee5d2e45e53">
-  <source>Run the demo wizard</source>
-  <target>Uruchom kreatora demonstracyjnego</target>
-</trans-unit>
-<trans-unit id="s4498e890d47a8066">
-  <source>OAuth2/OIDC (Open Authorization/OpenID Connect)</source>
-  <target>OAuth2/OIDC (Open Authorization/OpenID Connect)</target>
-</trans-unit>
-<trans-unit id="s4f2e195d09e2868c">
-  <source>LDAP (Lightweight Directory Access Protocol)</source>
-  <target>LDAP (Lightweight Directory Access Protocol)</target>
-</trans-unit>
-<trans-unit id="s7f5bb0c9923315ed">
-  <source>Forward Auth (Single Application)</source>
-  <target>Forward auth (pojedyncza aplikacja)</target>
-</trans-unit>
-<trans-unit id="sf8008d2d6b064b95">
-  <source>Forward Auth (Domain Level)</source>
-  <target>Forward auth (na poziomie domeny)</target>
-</trans-unit>
-<trans-unit id="sfa8a1ffa9fee07d3">
-  <source>SAML (Security Assertion Markup Language)</source>
-  <target>SAML (Security Assertion Markup Language)</target>
-</trans-unit>
-<trans-unit id="s848a23972e388662">
-  <source>RADIUS (Remote Authentication Dial-In User Service)</source>
-  <target>RADIUS (Remote Authentication Dial-In User Service)</target>
-</trans-unit>
-<trans-unit id="s3e902999ddf7b50e">
-  <source>SCIM (System for Cross-domain Identity Management)</source>
-  <target>SCIM (System for Cross-domain Identity Management)</target>
-</trans-unit>
 <trans-unit id="sdc5690be4a342985">
  <source>The token has been copied to your clipboard</source>
  <target>Token został skopiowany do schowka</target>
@ -7603,14 +7502,6 @@ Powiązania z grupami/użytkownikami są sprawdzane względem użytkownika zdarz
  <source>&lt;No name set&gt;</source>
  <target>&lt;No name set&gt;</target>
 </trans-unit>
-<trans-unit id="sdc9a6ad1af30572c">
-  <source>For nginx's auth_request or traefik's forwardAuth</source>
-  <target>Dla nginx's auth_request lub traefik's forwardAuth</target>
-</trans-unit>
-<trans-unit id="sfc31264ef7ff86ef">
-  <source>For nginx's auth_request or traefik's forwardAuth per root domain</source>
-  <target>Dla nginx's auth_request lub traefik's forwardAuth dla domeny głównej</target>
-</trans-unit>
 <trans-unit id="s32babfed740fd3c1">
  <source>User type used for newly created users.</source>
  <target>Typ użytkownika używany dla nowo utworzonych użytkowników.</target>
@ -7703,10 +7594,6 @@ Powiązania z grupami/użytkownikami są sprawdzane względem użytkownika zdarz
  <source>Review the provider.</source>
  <target>Sprawdź dostawcę.</target>
 </trans-unit>
-<trans-unit id="s9fd39a5cb20b4e61">
-  <source>There was an error</source>
-  <target>Wystąpił błąd</target>
-</trans-unit>
 <trans-unit id="s7a6b3453209e1066">
  <source>There was an error creating the application, but no error message was sent. Please review the server logs.</source>
  <target>Wystąpił błąd podczas tworzenia aplikacji, ale nie został wysłany żaden komunikat o błędzie. Przejrzyj dzienniki serwera.</target>
@ -7715,10 +7602,6 @@ Powiązania z grupami/użytkownikami są sprawdzane względem użytkownika zdarz
  <source>Configure LDAP Provider</source>
  <target>Skonfiguruj dostawcę LDAP</target>
 </trans-unit>
-<trans-unit id="s9368e965b5c292ab">
-  <source>Configure OAuth2/OpenId Provider</source>
-  <target>Skonfiguruj dostawcę OAuth2/OpenId</target>
-</trans-unit>
 <trans-unit id="sf5cbccdc6254c8dc">
  <source>Configure Proxy Provider</source>
  <target>Skonfiguruj dostawcę proxy</target>
@ -7731,18 +7614,10 @@ Powiązania z grupami/użytkownikami są sprawdzane względem użytkownika zdarz
  <source>Configure SAML Provider</source>
  <target>Skonfiguruj dostawcę SAML</target>
 </trans-unit>
-<trans-unit id="sb3defbacd01ad972">
-  <source>Property mappings used for user mapping.</source>
-  <target>Mapowania właściwości używane do mapowania użytkowników.</target>
-</trans-unit>
 <trans-unit id="s7ccce0ec8d228db6">
  <source>Configure SCIM Provider</source>
  <target>Skonfiguruj dostawcę SCIM</target>
 </trans-unit>
-<trans-unit id="sd7728d2b6e1d25e9">
-  <source>Property mappings used for group creation.</source>
-  <target>Mapowania właściwości używane do tworzenia grup.</target>
-</trans-unit>
 <trans-unit id="s7513372fe60f6387">
  <source>Event volume</source>
  <target>Wolumen zdarzeń</target>
@ -8185,18 +8060,6 @@ Powiązania z grupami/użytkownikami są sprawdzane względem użytkownika zdarz
  <source>Brand name</source>
  <target>Nazwa marki</target>
 </trans-unit>
-<trans-unit id="sb7e68dcad68a638c">
-  <source>Remote Access Provider</source>
-  <target>Dostawca zdalnego dostępu</target>
-</trans-unit>
-<trans-unit id="sfb1980a471b7dfb6">
-  <source>Remotely access computers/servers via RDP/SSH/VNC</source>
-  <target>Zdalny dostęp do komputerów/serwerów poprzez RDP/SSH/VNC</target>
-</trans-unit>
-<trans-unit id="s9ffdea131dddb3c5">
-  <source>Configure Remote Access Provider Provider</source>
-  <target>Skonfiguruj dostawcę usług dostępu zdalnego</target>
-</trans-unit>
 <trans-unit id="s56bc67239b9255a2">
  <source>Delete authorization on disconnect</source>
  <target>Usuwanie autoryzacji przy rozłączeniu</target>
@ -8680,15 +8543,6 @@ Powiązania z grupami/użytkownikami są sprawdzane względem użytkownika zdarz
 <trans-unit id="s3dc14a4b8129f989">
  <source>Pagination</source>
 </trans-unit>
-<trans-unit id="s6d46b842e227be57">
-  <source>Application Details</source>
-</trans-unit>
-<trans-unit id="s76415a60e548cafe">
-  <source>Provider Configuration</source>
-</trans-unit>
-<trans-unit id="sde59c64619570b57">
-  <source>Submit Application</source>
-</trans-unit>
 <trans-unit id="sf2da0e95c78f2cb7">
  <source>Restore Application Wizard Hint</source>
 </trans-unit>
@ -8932,9 +8786,6 @@ Powiązania z grupami/użytkownikami są sprawdzane względem użytkownika zdarz
 <trans-unit id="s2d5f69929bb7221d">
  <source><x id="0" equiv-text="${p.name}"/> ("<x id="1" equiv-text="${p.fieldKey}"/>", of type <x id="2" equiv-text="${p.type}"/>)</source>
 </trans-unit>
-<trans-unit id="sa38c5a2731be3a46">
-  <source>authentik was unable to save this application:</source>
-</trans-unit>
 <trans-unit id="s25bacc19d98b444e">
  <source>Parent Group</source>
 </trans-unit>
@ -9121,9 +8972,6 @@ Powiązania z grupami/użytkownikami są sprawdzane względem użytkownika zdarz
 <trans-unit id="s4c49d27de60a532b">
  <source>To allow any redirect URI, set the mode to Regex and the value to ".*". Be aware of the possible security implications this can have.</source>
 </trans-unit>
-<trans-unit id="s43f899a86c6a3484">
-  <source>Redirect URIs/Origins</source>
-</trans-unit>
 <trans-unit id="sa52bf79fe1ccb13e">
  <source>Federated OIDC Sources</source>
 </trans-unit>
@ -9201,6 +9049,135 @@ Powiązania z grupami/użytkownikami są sprawdzane względem użytkownika zdarz
 </trans-unit>
 <trans-unit id="sbfaee8cfbf4e44e8">
  <source>Require Outpost (flow can only be executed from an outpost)</source>
+</trans-unit>
+<trans-unit id="sb80507bed88545a6">
+  <source>An application name is required</source>
+</trans-unit>
+<trans-unit id="s39c052006b2b141a">
+  <source>Not a valid URL</source>
+</trans-unit>
+<trans-unit id="s317f3ab0da3d068a">
+  <source>Not a valid slug</source>
+</trans-unit>
+<trans-unit id="s177577c23ed3ca7e">
+  <source>Configure The Application</source>
+</trans-unit>
+<trans-unit id="s030ed8a3f12c23ff">
+  <source>Configure Bindings</source>
+</trans-unit>
+<trans-unit id="sc387b20e6d629087">
+  <source>Configure Policy/User/Group Bindings</source>
+</trans-unit>
+<trans-unit id="s71c3ec95efe723ca">
+  <source>No bound policies.</source>
+</trans-unit>
+<trans-unit id="sab1786ef3c0383ba">
+  <source>Bind policy/group/user</source>
+</trans-unit>
+<trans-unit id="s082ea0f3c0a854ff">
+  <source>Configure Policy Bindings</source>
+</trans-unit>
+<trans-unit id="sac315d5bd28d4efa">
+  <source>Don't Pass</source>
+</trans-unit>
+<trans-unit id="s54a37223ce938349">
+  <source>Save Binding</source>
+</trans-unit>
+<trans-unit id="s931754aabd4a6a47">
+  <source>Create a Policy/User/Group Binding</source>
+</trans-unit>
+<trans-unit id="s10ba15343fe64890">
+  <source>Choose A Provider</source>
+</trans-unit>
+<trans-unit id="sb7be945aa799b8d7">
+  <source>Please choose a provider type before proceeding.</source>
+</trans-unit>
+<trans-unit id="s2289ff3b411251d8">
+  <source>Choose a Provider Type</source>
+</trans-unit>
+<trans-unit id="sde0ad51b14f77cf6">
+  <source>Redirect URIs/Origins (RegEx)</source>
+</trans-unit>
+<trans-unit id="s89ae85c3a9df8a6f">
+  <source>Configure OAuth2 Provider</source>
+</trans-unit>
+<trans-unit id="s881271a499c9db98">
+  <source>Configure Remote Access Provider</source>
+</trans-unit>
+<trans-unit id="s9b6bf63fddc7362f">
+  <source>List of CIDRs (comma-seperated) that clients can connect from. A more specific CIDR will match before a looser one. Clients connecting from a non-specified CIDR will be dropped.</source>
+</trans-unit>
+<trans-unit id="s19907c16eb319618">
+  <source>Configure Provider</source>
+</trans-unit>
+<trans-unit id="s7055edd8fab866f4">
+  <source>strict</source>
+</trans-unit>
+<trans-unit id="s5e57ca23b946c1b8">
+  <source>regexp</source>
+</trans-unit>
+<trans-unit id="sd226dc54c414585a">
+  <source>Review and Submit Application</source>
+</trans-unit>
+<trans-unit id="s828ded9ade500ffc">
+  <source>There was an error. Please go back and review the application.</source>
+</trans-unit>
+<trans-unit id="s9fdda682893624a1">
+  <source>There was an error:</source>
+</trans-unit>
+<trans-unit id="s201ee6bc6d9f97da">
+  <source>Please go back and review the application.</source>
+</trans-unit>
+<trans-unit id="s9c09ef16900241fa">
+  <source>Review the Application and Provider</source>
+</trans-unit>
+<trans-unit id="s0a0a21f7bcf9d865">
+  <source>Saving application...</source>
+</trans-unit>
+<trans-unit id="se669a4b939be0891">
+  <source>authentik was unable to complete this process.</source>
+</trans-unit>
+<trans-unit id="s8aac845c63f45ca2">
+  <source>Create with wizard</source>
+</trans-unit>
+<trans-unit id="s080af72866b69b3d">
+  <source>Bind existing <x id="0" equiv-text="${this.allowedTypesLabel}"/></source>
+</trans-unit>
+<trans-unit id="sa36117e97f49c86e">
+  <source>Successfully updated entitlement.</source>
+</trans-unit>
+<trans-unit id="s86bee999b735111f">
+  <source>Successfully created entitlement.</source>
+</trans-unit>
+<trans-unit id="s8a48455905fc14e6">
+  <source>Application entitlement(s)</source>
+</trans-unit>
+<trans-unit id="sae971cbff672090b">
+  <source>Update Entitlement</source>
+</trans-unit>
+<trans-unit id="s537a58ae0ff50f1c">
+  <source>These bindings control which users have access to this entitlement.</source>
+</trans-unit>
+<trans-unit id="s05849efeac672dc7">
+  <source>No app entitlements created.</source>
+</trans-unit>
+<trans-unit id="sdc8a8f29af6aa411">
+  <source>This application does currently not have any application entitlement defined.</source>
+</trans-unit>
+<trans-unit id="sf0bd204ce3fea1de">
+  <source>Create Entitlement</source>
+</trans-unit>
+<trans-unit id="s55d8e42d0a1c057e">
+  <source>Create entitlement</source>
+</trans-unit>
+<trans-unit id="sc6479479c936939f">
+  <source>Application entitlements</source>
+</trans-unit>
+<trans-unit id="sfafbd9bddb38d172">
+  <source>Application entitlements are in preview.</source>
+</trans-unit>
+<trans-unit id="s8e1c375a007d1839">
+  <source>These entitlements can be used to configure user access in this application.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/pseudo-LOCALE.xlf
+++ b/web/xliff/pseudo-LOCALE.xlf
@ -1532,14 +1532,6 @@
  <target>Ćĺĩēńţ Ńēţŵōŕķś</target>

      </trans-unit>
-      <trans-unit id="s7f2dcf01f7a8c0b7">
-        <source>List of CIDRs (comma-seperated) that clients can connect from. A more specific
-                            CIDR will match before a looser one. Clients connecting from a non-specified CIDR
-                            will be dropped.</source>
-  <target>Ĺĩśţ ōƒ ĆĨĎŔś (ćōḿḿà-śēƥēŕàţēď) ţĥàţ ćĺĩēńţś ćàń ćōńńēćţ ƒŕōḿ. À ḿōŕē śƥēćĩƒĩć
-                            ĆĨĎŔ ŵĩĺĺ ḿàţćĥ ƀēƒōŕē à ĺōōśēŕ ōńē. Ćĺĩēńţś ćōńńēćţĩńĝ ƒŕōḿ à ńōń-śƥēćĩƒĩēď ĆĨĎŔ
-                            ŵĩĺĺ ƀē ďŕōƥƥēď.</target>
-      </trans-unit>
      <trans-unit id="s61eacb19db252f5e">
        <source>URL</source>
  <target>ŨŔĹ</target>
@ -2136,21 +2128,11 @@
        <source>Run sync again</source>
  <target>Ŕũń śŷńć àĝàĩń</target>

-      </trans-unit>
-      <trans-unit id="sc2cedfb22488ccb2">
-        <source>Modern applications, APIs and Single-page applications.</source>
-  <target>Ḿōďēŕń àƥƥĺĩćàţĩōńś, ÀƤĨś àńď Śĩńĝĺē-ƥàĝē àƥƥĺĩćàţĩōńś.</target>
-
      </trans-unit>
      <trans-unit id="sc3259eb55cf91e8c">
        <source>LDAP</source>
  <target>ĹĎÀƤ</target>

-      </trans-unit>
-      <trans-unit id="sffd5481034a1bd41">
-        <source>Provide an LDAP interface for applications and users to authenticate against.</source>
-  <target>Ƥŕōvĩďē àń ĹĎÀƤ ĩńţēŕƒàćē ƒōŕ àƥƥĺĩćàţĩōńś àńď ũśēŕś ţō àũţĥēńţĩćàţē àĝàĩńśţ.</target>
-
      </trans-unit>
      <trans-unit id="s0c9670f429e74283">
        <source>New application</source>
@ -2618,24 +2600,19 @@ doesn't pass when either or both of the selected options are equal or above the
        <source>Path</source>
  <target>Ƥàţĥ</target>

-      </trans-unit>
-      <trans-unit id="s67560d7e37d984c3">
-        <source>Policy / User / Group</source>
-  <target>Ƥōĺĩćŷ / Ũśēŕ / Ĝŕōũƥ</target>
-
      </trans-unit>
      <trans-unit id="s030ac0829bb50a49">
-        <source>Policy <x id="0" equiv-text="${item.policyObj?.name}"/></source>
+        <source>Policy <x id="0" equiv-text="${v.policyObj?.name}"/></source>
  <target>Ƥōĺĩćŷ <x id="0" equiv-text="${item.policyObj?.name}"/></target>

      </trans-unit>
      <trans-unit id="s2a64d2dca3da9b0e">
-        <source>Group <x id="0" equiv-text="${item.groupObj?.name}"/></source>
+        <source>Group <x id="0" equiv-text="${v.groupObj?.name}"/></source>
  <target>Ĝŕōũƥ <x id="0" equiv-text="${item.groupObj?.name}"/></target>

      </trans-unit>
      <trans-unit id="se5dc026819a32ff8">
-        <source>User <x id="0" equiv-text="${item.userObj?.name}"/></source>
+        <source>User <x id="0" equiv-text="${v.userObj?.name}"/></source>
  <target>Ũśēŕ <x id="0" equiv-text="${item.userObj?.name}"/></target>

      </trans-unit>
@ -7261,30 +7238,6 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>UI Settings</source>
  <target>ŨĨ Śēţţĩńĝś</target>
 </trans-unit>
-<trans-unit id="s836148f721d8913b">
-  <source>Transparent Reverse Proxy</source>
-  <target>Ţŕàńśƥàŕēńţ Ŕēvēŕśē Ƥŕōxŷ</target>
-</trans-unit>
-<trans-unit id="s945a6b94361ee45b">
-  <source>For transparent reverse proxies with required authentication</source>
-  <target>Ƒōŕ ţŕàńśƥàŕēńţ ŕēvēŕśē ƥŕōxĩēś ŵĩţĥ ŕēǫũĩŕēď àũţĥēńţĩćàţĩōń</target>
-</trans-unit>
-<trans-unit id="s40830ec037f34626">
-  <source>Configure SAML provider manually</source>
-  <target>Ćōńƒĩĝũŕē ŚÀḾĹ ƥŕōvĩďēŕ ḿàńũàĺĺŷ</target>
-</trans-unit>
-<trans-unit id="sea9fc40dfd1d18b1">
-  <source>Configure RADIUS provider manually</source>
-  <target>Ćōńƒĩĝũŕē ŔÀĎĨŨŚ ƥŕōvĩďēŕ ḿàńũàĺĺŷ</target>
-</trans-unit>
-<trans-unit id="sa1b0052ae095b9b3">
-  <source>Configure SCIM provider manually</source>
-  <target>Ćōńƒĩĝũŕē ŚĆĨḾ ƥŕōvĩďēŕ ḿàńũàĺĺŷ</target>
-</trans-unit>
-<trans-unit id="s15831fa50a116545">
-  <source>Saving Application...</source>
-  <target>Śàvĩńĝ Àƥƥĺĩćàţĩōń...</target>
-</trans-unit>
 <trans-unit id="s848288f8c2265aad">
  <source>Your application has been saved</source>
  <target>Ŷōũŕ àƥƥĺĩćàţĩōń ĥàś ƀēēń śàvēď</target>
@ -7293,16 +7246,6 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>Method's display Name.</source>
  <target>Ḿēţĥōď'ś ďĩśƥĺàŷ Ńàḿē.</target>
 </trans-unit>
-<trans-unit id="h10ef80d434185070">
-  <source>Use this provider with nginx's <x id="0" equiv-text="&lt;code&gt;"/>auth_request<x id="1" equiv-text="&lt;/code&gt;"/> or traefik's
-                    <x id="2" equiv-text="&lt;code&gt;"/>forwardAuth<x id="3" equiv-text="&lt;/code&gt;"/>. Each application/domain needs its own provider.
-                    Additionally, on each domain, <x id="4" equiv-text="&lt;code&gt;"/>/outpost.goauthentik.io<x id="5" equiv-text="&lt;/code&gt;"/> must be
-                    routed to the outpost (when using a managed outpost, this is done for you).</source>
-  <target>Ũśē ţĥĩś ƥŕōvĩďēŕ ŵĩţĥ ńĝĩńx'ś <x id="0" equiv-text="&lt;code&gt;"/>àũţĥ_ŕēǫũēśţ<x id="1" equiv-text="&lt;/code&gt;"/> ōŕ ţŕàēƒĩķ'ś
-                    <x id="2" equiv-text="&lt;code&gt;"/>ƒōŕŵàŕďÀũţĥ<x id="3" equiv-text="&lt;/code&gt;"/>. Ēàćĥ àƥƥĺĩćàţĩōń/ďōḿàĩń ńēēďś ĩţś ōŵń ƥŕōvĩďēŕ.
-                    Àďďĩţĩōńàĺĺŷ, ōń ēàćĥ ďōḿàĩń, <x id="4" equiv-text="&lt;code&gt;"/>/ōũţƥōśţ.ĝōàũţĥēńţĩķ.ĩō<x id="5" equiv-text="&lt;/code&gt;"/> ḿũśţ ƀē
-                    ŕōũţēď ţō ţĥē ōũţƥōśţ (ŵĥēń ũśĩńĝ à ḿàńàĝēď ōũţƥōśţ, ţĥĩś ĩś ďōńē ƒōŕ ŷōũ).</target>
-</trans-unit>
 <trans-unit id="sd18b18f91b804c3f">
  <source>Custom attributes</source>
  <target>Ćũśţōḿ àţţŕĩƀũţēś</target>
@ -7447,10 +7390,6 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>Role Info</source>
  <target>Ŕōĺē Ĩńƒō</target>
 </trans-unit>
-<trans-unit id="s4bd386db7302bb22">
-  <source>Create With Wizard</source>
-  <target>Ćŕēàţē Ŵĩţĥ Ŵĩźàŕď</target>
-</trans-unit>
 <trans-unit id="s070fdfb03034ca9b">
  <source>One hint, 'New Application Wizard', is currently hidden</source>
  <target>Ōńē ĥĩńţ, 'Ńēŵ Àƥƥĺĩćàţĩōń Ŵĩźàŕď', ĩś ćũŕŕēńţĺŷ ĥĩďďēń</target>
@ -7463,46 +7402,6 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>Message shown when this stage is run.</source>
  <target>Ḿēśśàĝē śĥōŵń ŵĥēń ţĥĩś śţàĝē ĩś ŕũń.</target>
 </trans-unit>
-<trans-unit id="s09f0c100d0ad2fec">
-  <source>Open Wizard</source>
-  <target>Ōƥēń Ŵĩźàŕď</target>
-</trans-unit>
-<trans-unit id="sf2ef885f7d0a101d">
-  <source>Demo Wizard</source>
-  <target>Ďēḿō Ŵĩźàŕď</target>
-</trans-unit>
-<trans-unit id="s77505ee5d2e45e53">
-  <source>Run the demo wizard</source>
-  <target>Ŕũń ţĥē ďēḿō ŵĩźàŕď</target>
-</trans-unit>
-<trans-unit id="s4498e890d47a8066">
-  <source>OAuth2/OIDC (Open Authorization/OpenID Connect)</source>
-  <target>ŌÀũţĥ2/ŌĨĎĆ (Ōƥēń Àũţĥōŕĩźàţĩōń/ŌƥēńĨĎ Ćōńńēćţ)</target>
-</trans-unit>
-<trans-unit id="s4f2e195d09e2868c">
-  <source>LDAP (Lightweight Directory Access Protocol)</source>
-  <target>ĹĎÀƤ (Ĺĩĝĥţŵēĩĝĥţ Ďĩŕēćţōŕŷ Àććēśś Ƥŕōţōćōĺ)</target>
-</trans-unit>
-<trans-unit id="s7f5bb0c9923315ed">
-  <source>Forward Auth (Single Application)</source>
-  <target>Ƒōŕŵàŕď Àũţĥ (Śĩńĝĺē Àƥƥĺĩćàţĩōń)</target>
-</trans-unit>
-<trans-unit id="sf8008d2d6b064b95">
-  <source>Forward Auth (Domain Level)</source>
-  <target>Ƒōŕŵàŕď Àũţĥ (Ďōḿàĩń Ĺēvēĺ)</target>
-</trans-unit>
-<trans-unit id="sfa8a1ffa9fee07d3">
-  <source>SAML (Security Assertion Markup Language)</source>
-  <target>ŚÀḾĹ (Śēćũŕĩţŷ Àśśēŕţĩōń Ḿàŕķũƥ Ĺàńĝũàĝē)</target>
-</trans-unit>
-<trans-unit id="s848a23972e388662">
-  <source>RADIUS (Remote Authentication Dial-In User Service)</source>
-  <target>ŔÀĎĨŨŚ (Ŕēḿōţē Àũţĥēńţĩćàţĩōń Ďĩàĺ-Ĩń Ũśēŕ Śēŕvĩćē)</target>
-</trans-unit>
-<trans-unit id="s3e902999ddf7b50e">
-  <source>SCIM (System for Cross-domain Identity Management)</source>
-  <target>ŚĆĨḾ (Śŷśţēḿ ƒōŕ Ćŕōśś-ďōḿàĩń Ĩďēńţĩţŷ Ḿàńàĝēḿēńţ)</target>
-</trans-unit>
 <trans-unit id="sdc5690be4a342985">
  <source>The token has been copied to your clipboard</source>
  <target>Ţĥē ţōķēń ĥàś ƀēēń ćōƥĩēď ţō ŷōũŕ ćĺĩƥƀōàŕď</target>
@ -7547,14 +7446,6 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>&lt;No name set&gt;</source>
  <target>&lt;Ńō ńàḿē śēţ&gt;</target>
 </trans-unit>
-<trans-unit id="sdc9a6ad1af30572c">
-  <source>For nginx's auth_request or traefik's forwardAuth</source>
-  <target>Ƒōŕ ńĝĩńx'ś àũţĥ_ŕēǫũēśţ ōŕ ţŕàēƒĩķ'ś ƒōŕŵàŕďÀũţĥ</target>
-</trans-unit>
-<trans-unit id="sfc31264ef7ff86ef">
-  <source>For nginx's auth_request or traefik's forwardAuth per root domain</source>
-  <target>Ƒōŕ ńĝĩńx'ś àũţĥ_ŕēǫũēśţ ōŕ ţŕàēƒĩķ'ś ƒōŕŵàŕďÀũţĥ ƥēŕ ŕōōţ ďōḿàĩń</target>
-</trans-unit>
 <trans-unit id="s32babfed740fd3c1">
  <source>User type used for newly created users.</source>
  <target>Ũśēŕ ţŷƥē ũśēď ƒōŕ ńēŵĺŷ ćŕēàţēď ũśēŕś.</target>
@ -7647,10 +7538,6 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>Review the provider.</source>
  <target>Ŕēvĩēŵ ţĥē ƥŕōvĩďēŕ.</target>
 </trans-unit>
-<trans-unit id="s9fd39a5cb20b4e61">
-  <source>There was an error</source>
-  <target>Ţĥēŕē ŵàś àń ēŕŕōŕ</target>
-</trans-unit>
 <trans-unit id="s7a6b3453209e1066">
  <source>There was an error creating the application, but no error message was sent. Please review the server logs.</source>
  <target>Ţĥēŕē ŵàś àń ēŕŕōŕ ćŕēàţĩńĝ ţĥē àƥƥĺĩćàţĩōń, ƀũţ ńō ēŕŕōŕ ḿēśśàĝē ŵàś śēńţ. Ƥĺēàśē ŕēvĩēŵ ţĥē śēŕvēŕ ĺōĝś.</target>
@ -7659,10 +7546,6 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>Configure LDAP Provider</source>
  <target>Ćōńƒĩĝũŕē ĹĎÀƤ Ƥŕōvĩďēŕ</target>
 </trans-unit>
-<trans-unit id="s9368e965b5c292ab">
-  <source>Configure OAuth2/OpenId Provider</source>
-  <target>Ćōńƒĩĝũŕē ŌÀũţĥ2/ŌƥēńĨď Ƥŕōvĩďēŕ</target>
-</trans-unit>
 <trans-unit id="sf5cbccdc6254c8dc">
  <source>Configure Proxy Provider</source>
  <target>Ćōńƒĩĝũŕē Ƥŕōxŷ Ƥŕōvĩďēŕ</target>
@ -7675,18 +7558,10 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>Configure SAML Provider</source>
  <target>Ćōńƒĩĝũŕē ŚÀḾĹ Ƥŕōvĩďēŕ</target>
 </trans-unit>
-<trans-unit id="sb3defbacd01ad972">
-  <source>Property mappings used for user mapping.</source>
-  <target>Ƥŕōƥēŕţŷ ḿàƥƥĩńĝś ũśēď ƒōŕ ũśēŕ ḿàƥƥĩńĝ.</target>
-</trans-unit>
 <trans-unit id="s7ccce0ec8d228db6">
  <source>Configure SCIM Provider</source>
  <target>Ćōńƒĩĝũŕē ŚĆĨḾ Ƥŕōvĩďēŕ</target>
 </trans-unit>
-<trans-unit id="sd7728d2b6e1d25e9">
-  <source>Property mappings used for group creation.</source>
-  <target>Ƥŕōƥēŕţŷ ḿàƥƥĩńĝś ũśēď ƒōŕ ĝŕōũƥ ćŕēàţĩōń.</target>
-</trans-unit>
 <trans-unit id="s7513372fe60f6387">
  <source>Event volume</source>
  <target>Ēvēńţ vōĺũḿē</target>
@ -8129,18 +8004,6 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>Brand name</source>
  <target>ßŕàńď ńàḿē</target>
 </trans-unit>
-<trans-unit id="sb7e68dcad68a638c">
-  <source>Remote Access Provider</source>
-  <target>Ŕēḿōţē Àććēśś Ƥŕōvĩďēŕ</target>
-</trans-unit>
-<trans-unit id="sfb1980a471b7dfb6">
-  <source>Remotely access computers/servers via RDP/SSH/VNC</source>
-  <target>Ŕēḿōţēĺŷ àććēśś ćōḿƥũţēŕś/śēŕvēŕś vĩà ŔĎƤ/ŚŚĤ/VŃĆ</target>
-</trans-unit>
-<trans-unit id="s9ffdea131dddb3c5">
-  <source>Configure Remote Access Provider Provider</source>
-  <target>Ćōńƒĩĝũŕē Ŕēḿōţē Àććēśś Ƥŕōvĩďēŕ Ƥŕōvĩďēŕ</target>
-</trans-unit>
 <trans-unit id="s56bc67239b9255a2">
  <source>Delete authorization on disconnect</source>
  <target>Ďēĺēţē àũţĥōŕĩźàţĩōń ōń ďĩśćōńńēćţ</target>
@ -8629,18 +8492,6 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>Pagination</source>
  <target>Ƥàĝĩńàţĩōń</target>
 </trans-unit>
-<trans-unit id="s6d46b842e227be57">
-  <source>Application Details</source>
-  <target>Àƥƥĺĩćàţĩōń Ďēţàĩĺś</target>
-</trans-unit>
-<trans-unit id="s76415a60e548cafe">
-  <source>Provider Configuration</source>
-  <target>Ƥŕōvĩďēŕ Ćōńƒĩĝũŕàţĩōń</target>
-</trans-unit>
-<trans-unit id="sde59c64619570b57">
-  <source>Submit Application</source>
-  <target>Śũƀḿĩţ Àƥƥĺĩćàţĩōń</target>
-</trans-unit>
 <trans-unit id="sf2da0e95c78f2cb7">
  <source>Restore Application Wizard Hint</source>
  <target>Ŕēśţōŕē Àƥƥĺĩćàţĩōń Ŵĩźàŕď Ĥĩńţ</target>
@ -8969,10 +8820,6 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source><x id="0" equiv-text="${p.name}"/> ("<x id="1" equiv-text="${p.fieldKey}"/>", of type <x id="2" equiv-text="${p.type}"/>)</source>
  <target><x id="0" equiv-text="${prompt.name}"/> ("<x id="1" equiv-text="${prompt.fieldKey}"/>", ōƒ ţŷƥē <x id="2" equiv-text="${prompt.type}"/>)</target>
 </trans-unit>
-<trans-unit id="sa38c5a2731be3a46">
-  <source>authentik was unable to save this application:</source>
-  <target>àũţĥēńţĩķ ŵàś ũńàƀĺē ţō śàvē ţĥĩś àƥƥĺĩćàţĩōń:</target>
-</trans-unit>
 <trans-unit id="s25bacc19d98b444e">
  <source>Parent Group</source>
  <target>Ƥàŕēńţ Ĝŕōũƥ</target>
@ -9160,9 +9007,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s4c49d27de60a532b">
  <source>To allow any redirect URI, set the mode to Regex and the value to ".*". Be aware of the possible security implications this can have.</source>
 </trans-unit>
-<trans-unit id="s43f899a86c6a3484">
-  <source>Redirect URIs/Origins</source>
-</trans-unit>
 <trans-unit id="sa52bf79fe1ccb13e">
  <source>Federated OIDC Sources</source>
 </trans-unit>
@ -9241,4 +9085,133 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="sbfaee8cfbf4e44e8">
  <source>Require Outpost (flow can only be executed from an outpost)</source>
 </trans-unit>
+<trans-unit id="sb80507bed88545a6">
+  <source>An application name is required</source>
+</trans-unit>
+<trans-unit id="s39c052006b2b141a">
+  <source>Not a valid URL</source>
+</trans-unit>
+<trans-unit id="s317f3ab0da3d068a">
+  <source>Not a valid slug</source>
+</trans-unit>
+<trans-unit id="s177577c23ed3ca7e">
+  <source>Configure The Application</source>
+</trans-unit>
+<trans-unit id="s030ed8a3f12c23ff">
+  <source>Configure Bindings</source>
+</trans-unit>
+<trans-unit id="sc387b20e6d629087">
+  <source>Configure Policy/User/Group Bindings</source>
+</trans-unit>
+<trans-unit id="s71c3ec95efe723ca">
+  <source>No bound policies.</source>
+</trans-unit>
+<trans-unit id="sab1786ef3c0383ba">
+  <source>Bind policy/group/user</source>
+</trans-unit>
+<trans-unit id="s082ea0f3c0a854ff">
+  <source>Configure Policy Bindings</source>
+</trans-unit>
+<trans-unit id="sac315d5bd28d4efa">
+  <source>Don't Pass</source>
+</trans-unit>
+<trans-unit id="s54a37223ce938349">
+  <source>Save Binding</source>
+</trans-unit>
+<trans-unit id="s931754aabd4a6a47">
+  <source>Create a Policy/User/Group Binding</source>
+</trans-unit>
+<trans-unit id="s10ba15343fe64890">
+  <source>Choose A Provider</source>
+</trans-unit>
+<trans-unit id="sb7be945aa799b8d7">
+  <source>Please choose a provider type before proceeding.</source>
+</trans-unit>
+<trans-unit id="s2289ff3b411251d8">
+  <source>Choose a Provider Type</source>
+</trans-unit>
+<trans-unit id="sde0ad51b14f77cf6">
+  <source>Redirect URIs/Origins (RegEx)</source>
+</trans-unit>
+<trans-unit id="s89ae85c3a9df8a6f">
+  <source>Configure OAuth2 Provider</source>
+</trans-unit>
+<trans-unit id="s881271a499c9db98">
+  <source>Configure Remote Access Provider</source>
+</trans-unit>
+<trans-unit id="s9b6bf63fddc7362f">
+  <source>List of CIDRs (comma-seperated) that clients can connect from. A more specific CIDR will match before a looser one. Clients connecting from a non-specified CIDR will be dropped.</source>
+</trans-unit>
+<trans-unit id="s19907c16eb319618">
+  <source>Configure Provider</source>
+</trans-unit>
+<trans-unit id="s7055edd8fab866f4">
+  <source>strict</source>
+</trans-unit>
+<trans-unit id="s5e57ca23b946c1b8">
+  <source>regexp</source>
+</trans-unit>
+<trans-unit id="sd226dc54c414585a">
+  <source>Review and Submit Application</source>
+</trans-unit>
+<trans-unit id="s828ded9ade500ffc">
+  <source>There was an error. Please go back and review the application.</source>
+</trans-unit>
+<trans-unit id="s9fdda682893624a1">
+  <source>There was an error:</source>
+</trans-unit>
+<trans-unit id="s201ee6bc6d9f97da">
+  <source>Please go back and review the application.</source>
+</trans-unit>
+<trans-unit id="s9c09ef16900241fa">
+  <source>Review the Application and Provider</source>
+</trans-unit>
+<trans-unit id="s0a0a21f7bcf9d865">
+  <source>Saving application...</source>
+</trans-unit>
+<trans-unit id="se669a4b939be0891">
+  <source>authentik was unable to complete this process.</source>
+</trans-unit>
+<trans-unit id="s8aac845c63f45ca2">
+  <source>Create with wizard</source>
+</trans-unit>
+<trans-unit id="s080af72866b69b3d">
+  <source>Bind existing <x id="0" equiv-text="${this.allowedTypesLabel}"/></source>
+</trans-unit>
+<trans-unit id="sa36117e97f49c86e">
+  <source>Successfully updated entitlement.</source>
+</trans-unit>
+<trans-unit id="s86bee999b735111f">
+  <source>Successfully created entitlement.</source>
+</trans-unit>
+<trans-unit id="s8a48455905fc14e6">
+  <source>Application entitlement(s)</source>
+</trans-unit>
+<trans-unit id="sae971cbff672090b">
+  <source>Update Entitlement</source>
+</trans-unit>
+<trans-unit id="s537a58ae0ff50f1c">
+  <source>These bindings control which users have access to this entitlement.</source>
+</trans-unit>
+<trans-unit id="s05849efeac672dc7">
+  <source>No app entitlements created.</source>
+</trans-unit>
+<trans-unit id="sdc8a8f29af6aa411">
+  <source>This application does currently not have any application entitlement defined.</source>
+</trans-unit>
+<trans-unit id="sf0bd204ce3fea1de">
+  <source>Create Entitlement</source>
+</trans-unit>
+<trans-unit id="s55d8e42d0a1c057e">
+  <source>Create entitlement</source>
+</trans-unit>
+<trans-unit id="sc6479479c936939f">
+  <source>Application entitlements</source>
+</trans-unit>
+<trans-unit id="sfafbd9bddb38d172">
+  <source>Application entitlements are in preview.</source>
+</trans-unit>
+<trans-unit id="s8e1c375a007d1839">
+  <source>These entitlements can be used to configure user access in this application.</source>
+</trans-unit>
 </body></file></xliff>
--- a/web/xliff/ru.xlf
+++ b/web/xliff/ru.xlf
@ -1545,14 +1545,6 @@
        <target>Клиентские сети</target>
        
      </trans-unit>
-      <trans-unit id="s7f2dcf01f7a8c0b7">
-        <source>List of CIDRs (comma-seperated) that clients can connect from. A more specific
-                            CIDR will match before a looser one. Clients connecting from a non-specified CIDR
-                            will be dropped.</source>
-        <target>Список CIDR (разделенных запятыми), с которых могут подключаться клиенты. Более конкретный
-                            CIDR будет соответствовать более слабому. Клиенты, подключающиеся с неуказанного CIDR,
-                            будут отброшены.</target>
-      </trans-unit>
      <trans-unit id="s61eacb19db252f5e">
        <source>URL</source>
        <target>URL</target>
@ -2156,21 +2148,11 @@
        <source>Run sync again</source>
        <target>Запустить синхронизацию снова</target>
        
-      </trans-unit>
-      <trans-unit id="sc2cedfb22488ccb2">
-        <source>Modern applications, APIs and Single-page applications.</source>
-        <target>Современные приложения, API и одностраничные приложения.</target>
-        
      </trans-unit>
      <trans-unit id="sc3259eb55cf91e8c">
        <source>LDAP</source>
        <target>LDAP</target>
        
-      </trans-unit>
-      <trans-unit id="sffd5481034a1bd41">
-        <source>Provide an LDAP interface for applications and users to authenticate against.</source>
-        <target>Предоставьте интерфейс LDAP для аутентификации приложений и пользователей.</target>
-        
      </trans-unit>
      <trans-unit id="s0c9670f429e74283">
        <source>New application</source>
@ -2637,26 +2619,21 @@ doesn't pass when either or both of the selected options are equal or above the
        <source>Path</source>
        <target>Путь</target>
        
-      </trans-unit>
-      <trans-unit id="s67560d7e37d984c3">
-        <source>Policy / User / Group</source>
-        <target>Политика / Пользователь / Группа</target>
-        
      </trans-unit>
      <trans-unit id="s030ac0829bb50a49">
-        <source>Policy <x id="0" equiv-text="${item.policyObj?.name}"/></source>
+        <source>Policy <x id="0" equiv-text="${v.policyObj?.name}"/></source>
        <target>Политика
        <x id="0" equiv-text="${item.policyObj?.name}"/></target>
        
      </trans-unit>
      <trans-unit id="s2a64d2dca3da9b0e">
-        <source>Group <x id="0" equiv-text="${item.groupObj?.name}"/></source>
+        <source>Group <x id="0" equiv-text="${v.groupObj?.name}"/></source>
        <target>Группа
        <x id="0" equiv-text="${item.groupObj?.name}"/></target>
        
      </trans-unit>
      <trans-unit id="se5dc026819a32ff8">
-        <source>User <x id="0" equiv-text="${item.userObj?.name}"/></source>
+        <source>User <x id="0" equiv-text="${v.userObj?.name}"/></source>
        <target>Пользователь
        <x id="0" equiv-text="${item.userObj?.name}"/></target>
        
@ -7316,30 +7293,6 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>UI Settings</source>
  <target>Настройки пользовательского интерфейса</target>
 </trans-unit>
-<trans-unit id="s836148f721d8913b">
-  <source>Transparent Reverse Proxy</source>
-  <target>Прозрачный обратный прокси</target>
-</trans-unit>
-<trans-unit id="s945a6b94361ee45b">
-  <source>For transparent reverse proxies with required authentication</source>
-  <target>Для прозрачных обратных прокси с необходимой аутентификацией</target>
-</trans-unit>
-<trans-unit id="s40830ec037f34626">
-  <source>Configure SAML provider manually</source>
-  <target>Настроить SAML провайдера вручную</target>
-</trans-unit>
-<trans-unit id="sea9fc40dfd1d18b1">
-  <source>Configure RADIUS provider manually</source>
-  <target>Настроить RADIUS провайдера вручную</target>
-</trans-unit>
-<trans-unit id="sa1b0052ae095b9b3">
-  <source>Configure SCIM provider manually</source>
-  <target>Настроить SCIM провайдера вручную</target>
-</trans-unit>
-<trans-unit id="s15831fa50a116545">
-  <source>Saving Application...</source>
-  <target>Сохранение приложения...</target>
-</trans-unit>
 <trans-unit id="s848288f8c2265aad">
  <source>Your application has been saved</source>
  <target>Ваше приложение было сохранено</target>
@ -7348,16 +7301,6 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>Method's display Name.</source>
  <target>Отображаемое имя метода.</target>
 </trans-unit>
-<trans-unit id="h10ef80d434185070">
-  <source>Use this provider with nginx's <x id="0" equiv-text="&lt;code&gt;"/>auth_request<x id="1" equiv-text="&lt;/code&gt;"/> or traefik's
-                    <x id="2" equiv-text="&lt;code&gt;"/>forwardAuth<x id="3" equiv-text="&lt;/code&gt;"/>. Each application/domain needs its own provider.
-                    Additionally, on each domain, <x id="4" equiv-text="&lt;code&gt;"/>/outpost.goauthentik.io<x id="5" equiv-text="&lt;/code&gt;"/> must be
-                    routed to the outpost (when using a managed outpost, this is done for you).</source>
-  <target>Используйте этого провайдера с параметром в nginx <x id="0" equiv-text="&lt;code&gt;"/>auth_request<x id="1" equiv-text="&lt;/code&gt;"/> или в traefik с параметром
-                    <x id="2" equiv-text="&lt;code&gt;"/>forwardAuth<x id="3" equiv-text="&lt;/code&gt;"/>. Каждое приложение или домен требуют собственного провайдера.
-                    Дополнительно, в каждом домене, <x id="4" equiv-text="&lt;code&gt;"/>/outpost.goauthentik.io<x id="5" equiv-text="&lt;/code&gt;"/> должен быть
-                    направлен на внешний компонент (когда используется управляемый внешний компонент, это будет сделано автоматически).</target>
-</trans-unit>
 <trans-unit id="sd18b18f91b804c3f">
  <source>Custom attributes</source>
  <target>Пользовательские атрибуты</target>
@ -7502,10 +7445,6 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>Pseudolocale (for testing)</source>
  <target>Псевдолокаль (для тестирования)</target>
 </trans-unit>
-<trans-unit id="s4bd386db7302bb22">
-  <source>Create With Wizard</source>
-  <target>Создать с помощью мастера</target>
-</trans-unit>
 <trans-unit id="s070fdfb03034ca9b">
  <source>One hint, 'New Application Wizard', is currently hidden</source>
  <target>Одна подсказка, "Мастер создания нового приложения", в настоящее время скрыта</target>
@ -7518,46 +7457,6 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>Message shown when this stage is run.</source>
  <target>Сообщение, отображаемое при выполнении этого этапа.</target>
 </trans-unit>
-<trans-unit id="s09f0c100d0ad2fec">
-  <source>Open Wizard</source>
-  <target>Открыть мастер</target>
-</trans-unit>
-<trans-unit id="sf2ef885f7d0a101d">
-  <source>Demo Wizard</source>
-  <target>Демо мастер</target>
-</trans-unit>
-<trans-unit id="s77505ee5d2e45e53">
-  <source>Run the demo wizard</source>
-  <target>Запустить демо мастер</target>
-</trans-unit>
-<trans-unit id="s4498e890d47a8066">
-  <source>OAuth2/OIDC (Open Authorization/OpenID Connect)</source>
-  <target>OAuth2/OIDC (Open Authorization/OpenID Connect)</target>
-</trans-unit>
-<trans-unit id="s4f2e195d09e2868c">
-  <source>LDAP (Lightweight Directory Access Protocol)</source>
-  <target>LDAP (Lightweight Directory Access Protocol)</target>
-</trans-unit>
-<trans-unit id="s7f5bb0c9923315ed">
-  <source>Forward Auth (Single Application)</source>
-  <target>Прямая аутентификации (одно приложение)</target>
-</trans-unit>
-<trans-unit id="sf8008d2d6b064b95">
-  <source>Forward Auth (Domain Level)</source>
-  <target>Прямая аутентификация (уровень домена)</target>
-</trans-unit>
-<trans-unit id="sfa8a1ffa9fee07d3">
-  <source>SAML (Security Assertion Markup Language)</source>
-  <target>SAML (Security Assertion Markup Language)</target>
-</trans-unit>
-<trans-unit id="s848a23972e388662">
-  <source>RADIUS (Remote Authentication Dial-In User Service)</source>
-  <target>RADIUS (Remote Authentication Dial-In User Service)</target>
-</trans-unit>
-<trans-unit id="s3e902999ddf7b50e">
-  <source>SCIM (System for Cross-domain Identity Management)</source>
-  <target>SCIM (System for Cross-domain Identity Management)</target>
-</trans-unit>
 <trans-unit id="sdc5690be4a342985">
  <source>The token has been copied to your clipboard</source>
  <target>Токен был скопирован в ваш буфер обмена</target>
@ -7602,14 +7501,6 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>&lt;No name set&gt;</source>
  <target>&lt;No name set&gt;</target>
 </trans-unit>
-<trans-unit id="sdc9a6ad1af30572c">
-  <source>For nginx's auth_request or traefik's forwardAuth</source>
-  <target>Для auth_request в nginx или forwardAuth в traefik</target>
-</trans-unit>
-<trans-unit id="sfc31264ef7ff86ef">
-  <source>For nginx's auth_request or traefik's forwardAuth per root domain</source>
-  <target>Для nginx's auth_request или traefik's forwardAuth для корневого домена</target>
-</trans-unit>
 <trans-unit id="s32babfed740fd3c1">
  <source>User type used for newly created users.</source>
  <target>Тип пользователя, используемый для вновь созданных пользователей.</target>
@ -7702,10 +7593,6 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>Review the provider.</source>
  <target>Проверить провайдера.</target>
 </trans-unit>
-<trans-unit id="s9fd39a5cb20b4e61">
-  <source>There was an error</source>
-  <target>Произошла ошибка</target>
-</trans-unit>
 <trans-unit id="s7a6b3453209e1066">
  <source>There was an error creating the application, but no error message was sent. Please review the server logs.</source>
  <target>При создании приложения произошла ошибка, но сообщение об ошибке не было отправлено. Пожалуйста, просмотрите логи сервера.</target>
@ -7714,10 +7601,6 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>Configure LDAP Provider</source>
  <target>Настроить LDAP Провайдера</target>
 </trans-unit>
-<trans-unit id="s9368e965b5c292ab">
-  <source>Configure OAuth2/OpenId Provider</source>
-  <target>Настроить OAuth2/OpenId Провайдера</target>
-</trans-unit>
 <trans-unit id="sf5cbccdc6254c8dc">
  <source>Configure Proxy Provider</source>
  <target>Настроить Прокси Провайдера</target>
@ -7730,18 +7613,10 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>Configure SAML Provider</source>
  <target>Настроить SAML Провайдера</target>
 </trans-unit>
-<trans-unit id="sb3defbacd01ad972">
-  <source>Property mappings used for user mapping.</source>
-  <target>Сопоставления свойств, используемые для сопоставления пользователя</target>
-</trans-unit>
 <trans-unit id="s7ccce0ec8d228db6">
  <source>Configure SCIM Provider</source>
  <target>Настроить SCIM Провайдера</target>
 </trans-unit>
-<trans-unit id="sd7728d2b6e1d25e9">
-  <source>Property mappings used for group creation.</source>
-  <target>Сопоставления свойств, используемые для создания групп.</target>
-</trans-unit>
 <trans-unit id="s7513372fe60f6387">
  <source>Event volume</source>
  <target>Объем событий</target>
@ -8184,18 +8059,6 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>Brand name</source>
  <target>Имя бренда</target>
 </trans-unit>
-<trans-unit id="sb7e68dcad68a638c">
-  <source>Remote Access Provider</source>
-  <target>Провайдер удаленного доступа</target>
-</trans-unit>
-<trans-unit id="sfb1980a471b7dfb6">
-  <source>Remotely access computers/servers via RDP/SSH/VNC</source>
-  <target>Удаленный доступ к компьютерам/серверам через RDP/SSH/VNC</target>
-</trans-unit>
-<trans-unit id="s9ffdea131dddb3c5">
-  <source>Configure Remote Access Provider Provider</source>
-  <target>Конфигурация провайдера удаленного доступа Remote Access</target>
-</trans-unit>
 <trans-unit id="s56bc67239b9255a2">
  <source>Delete authorization on disconnect</source>
  <target>Удалить авторизацию при отключении</target>
@ -8688,18 +8551,6 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>Pagination</source>
  <target>Нумерация</target>
 </trans-unit>
-<trans-unit id="s6d46b842e227be57">
-  <source>Application Details</source>
-  <target>Подробная информация о заявке</target>
-</trans-unit>
-<trans-unit id="s76415a60e548cafe">
-  <source>Provider Configuration</source>
-  <target>Конфигурация Провайдера</target>
-</trans-unit>
-<trans-unit id="sde59c64619570b57">
-  <source>Submit Application</source>
-  <target>Отправить заявку</target>
-</trans-unit>
 <trans-unit id="sf2da0e95c78f2cb7">
  <source>Restore Application Wizard Hint</source>
  <target>Восстановить подсказку Мастера создания Приложения</target>
@ -8995,9 +8846,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s2d5f69929bb7221d">
  <source><x id="0" equiv-text="${p.name}"/> ("<x id="1" equiv-text="${p.fieldKey}"/>", of type <x id="2" equiv-text="${p.type}"/>)</source>
 </trans-unit>
-<trans-unit id="sa38c5a2731be3a46">
-  <source>authentik was unable to save this application:</source>
-</trans-unit>
 <trans-unit id="s25bacc19d98b444e">
  <source>Parent Group</source>
 </trans-unit>
@ -9184,9 +9032,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s4c49d27de60a532b">
  <source>To allow any redirect URI, set the mode to Regex and the value to ".*". Be aware of the possible security implications this can have.</source>
 </trans-unit>
-<trans-unit id="s43f899a86c6a3484">
-  <source>Redirect URIs/Origins</source>
-</trans-unit>
 <trans-unit id="sa52bf79fe1ccb13e">
  <source>Federated OIDC Sources</source>
 </trans-unit>
@ -9264,6 +9109,135 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sbfaee8cfbf4e44e8">
  <source>Require Outpost (flow can only be executed from an outpost)</source>
+</trans-unit>
+<trans-unit id="sb80507bed88545a6">
+  <source>An application name is required</source>
+</trans-unit>
+<trans-unit id="s39c052006b2b141a">
+  <source>Not a valid URL</source>
+</trans-unit>
+<trans-unit id="s317f3ab0da3d068a">
+  <source>Not a valid slug</source>
+</trans-unit>
+<trans-unit id="s177577c23ed3ca7e">
+  <source>Configure The Application</source>
+</trans-unit>
+<trans-unit id="s030ed8a3f12c23ff">
+  <source>Configure Bindings</source>
+</trans-unit>
+<trans-unit id="sc387b20e6d629087">
+  <source>Configure Policy/User/Group Bindings</source>
+</trans-unit>
+<trans-unit id="s71c3ec95efe723ca">
+  <source>No bound policies.</source>
+</trans-unit>
+<trans-unit id="sab1786ef3c0383ba">
+  <source>Bind policy/group/user</source>
+</trans-unit>
+<trans-unit id="s082ea0f3c0a854ff">
+  <source>Configure Policy Bindings</source>
+</trans-unit>
+<trans-unit id="sac315d5bd28d4efa">
+  <source>Don't Pass</source>
+</trans-unit>
+<trans-unit id="s54a37223ce938349">
+  <source>Save Binding</source>
+</trans-unit>
+<trans-unit id="s931754aabd4a6a47">
+  <source>Create a Policy/User/Group Binding</source>
+</trans-unit>
+<trans-unit id="s10ba15343fe64890">
+  <source>Choose A Provider</source>
+</trans-unit>
+<trans-unit id="sb7be945aa799b8d7">
+  <source>Please choose a provider type before proceeding.</source>
+</trans-unit>
+<trans-unit id="s2289ff3b411251d8">
+  <source>Choose a Provider Type</source>
+</trans-unit>
+<trans-unit id="sde0ad51b14f77cf6">
+  <source>Redirect URIs/Origins (RegEx)</source>
+</trans-unit>
+<trans-unit id="s89ae85c3a9df8a6f">
+  <source>Configure OAuth2 Provider</source>
+</trans-unit>
+<trans-unit id="s881271a499c9db98">
+  <source>Configure Remote Access Provider</source>
+</trans-unit>
+<trans-unit id="s9b6bf63fddc7362f">
+  <source>List of CIDRs (comma-seperated) that clients can connect from. A more specific CIDR will match before a looser one. Clients connecting from a non-specified CIDR will be dropped.</source>
+</trans-unit>
+<trans-unit id="s19907c16eb319618">
+  <source>Configure Provider</source>
+</trans-unit>
+<trans-unit id="s7055edd8fab866f4">
+  <source>strict</source>
+</trans-unit>
+<trans-unit id="s5e57ca23b946c1b8">
+  <source>regexp</source>
+</trans-unit>
+<trans-unit id="sd226dc54c414585a">
+  <source>Review and Submit Application</source>
+</trans-unit>
+<trans-unit id="s828ded9ade500ffc">
+  <source>There was an error. Please go back and review the application.</source>
+</trans-unit>
+<trans-unit id="s9fdda682893624a1">
+  <source>There was an error:</source>
+</trans-unit>
+<trans-unit id="s201ee6bc6d9f97da">
+  <source>Please go back and review the application.</source>
+</trans-unit>
+<trans-unit id="s9c09ef16900241fa">
+  <source>Review the Application and Provider</source>
+</trans-unit>
+<trans-unit id="s0a0a21f7bcf9d865">
+  <source>Saving application...</source>
+</trans-unit>
+<trans-unit id="se669a4b939be0891">
+  <source>authentik was unable to complete this process.</source>
+</trans-unit>
+<trans-unit id="s8aac845c63f45ca2">
+  <source>Create with wizard</source>
+</trans-unit>
+<trans-unit id="s080af72866b69b3d">
+  <source>Bind existing <x id="0" equiv-text="${this.allowedTypesLabel}"/></source>
+</trans-unit>
+<trans-unit id="sa36117e97f49c86e">
+  <source>Successfully updated entitlement.</source>
+</trans-unit>
+<trans-unit id="s86bee999b735111f">
+  <source>Successfully created entitlement.</source>
+</trans-unit>
+<trans-unit id="s8a48455905fc14e6">
+  <source>Application entitlement(s)</source>
+</trans-unit>
+<trans-unit id="sae971cbff672090b">
+  <source>Update Entitlement</source>
+</trans-unit>
+<trans-unit id="s537a58ae0ff50f1c">
+  <source>These bindings control which users have access to this entitlement.</source>
+</trans-unit>
+<trans-unit id="s05849efeac672dc7">
+  <source>No app entitlements created.</source>
+</trans-unit>
+<trans-unit id="sdc8a8f29af6aa411">
+  <source>This application does currently not have any application entitlement defined.</source>
+</trans-unit>
+<trans-unit id="sf0bd204ce3fea1de">
+  <source>Create Entitlement</source>
+</trans-unit>
+<trans-unit id="s55d8e42d0a1c057e">
+  <source>Create entitlement</source>
+</trans-unit>
+<trans-unit id="sc6479479c936939f">
+  <source>Application entitlements</source>
+</trans-unit>
+<trans-unit id="sfafbd9bddb38d172">
+  <source>Application entitlements are in preview.</source>
+</trans-unit>
+<trans-unit id="s8e1c375a007d1839">
+  <source>These entitlements can be used to configure user access in this application.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/tr.xlf
+++ b/web/xliff/tr.xlf
@ -1531,14 +1531,6 @@
        <target>İstemci Ağları</target>
        
      </trans-unit>
-      <trans-unit id="s7f2dcf01f7a8c0b7">
-        <source>List of CIDRs (comma-seperated) that clients can connect from. A more specific
-                            CIDR will match before a looser one. Clients connecting from a non-specified CIDR
-                            will be dropped.</source>
-        <target>İstemcilerin bağlanabileceği CIDR'lerin (virgülle ayrılmış) listesi. Daha spesifik bir
-                            CIDR daha gevşek olandan önce eşleşecek. Belirtilmemiş bir CIDR'den bağlanan istemciler
-                            bırakılacaktır.</target>
-      </trans-unit>
      <trans-unit id="s61eacb19db252f5e">
        <source>URL</source>
        <target>URL</target>
@ -2136,21 +2128,11 @@
        <source>Run sync again</source>
        <target>Eşzamanlamayı tekrar çalıştır</target>
        
-      </trans-unit>
-      <trans-unit id="sc2cedfb22488ccb2">
-        <source>Modern applications, APIs and Single-page applications.</source>
-        <target>Modern uygulamalar, API'ler ve Tek sayfalı uygulamalar.</target>
-        
      </trans-unit>
      <trans-unit id="sc3259eb55cf91e8c">
        <source>LDAP</source>
        <target>LDAP</target>
        
-      </trans-unit>
-      <trans-unit id="sffd5481034a1bd41">
-        <source>Provide an LDAP interface for applications and users to authenticate against.</source>
-        <target>Uygulamaların ve kullanıcıların kimlik doğrulaması yapması için bir LDAP arabirimi sağlayın.</target>
-        
      </trans-unit>
      <trans-unit id="s0c9670f429e74283">
        <source>New application</source>
@ -2618,24 +2600,19 @@ Belirlenen seçeneklerden biri veya her ikisi de eşiğe eşit veya eşiğin üz
        <source>Path</source>
        <target>Yol</target>
        
-      </trans-unit>
-      <trans-unit id="s67560d7e37d984c3">
-        <source>Policy / User / Group</source>
-        <target>İlke / Kullanıcı / Grup</target>
-        
      </trans-unit>
      <trans-unit id="s030ac0829bb50a49">
-        <source>Policy <x id="0" equiv-text="${item.policyObj?.name}"/></source>
+        <source>Policy <x id="0" equiv-text="${v.policyObj?.name}"/></source>
        <target>İlke <x id="0" equiv-text="${item.policyObj?.name}"/></target>
        
      </trans-unit>
      <trans-unit id="s2a64d2dca3da9b0e">
-        <source>Group <x id="0" equiv-text="${item.groupObj?.name}"/></source>
+        <source>Group <x id="0" equiv-text="${v.groupObj?.name}"/></source>
        <target>Grup <x id="0" equiv-text="${item.groupObj?.name}"/></target>
        
      </trans-unit>
      <trans-unit id="se5dc026819a32ff8">
-        <source>User <x id="0" equiv-text="${item.userObj?.name}"/></source>
+        <source>User <x id="0" equiv-text="${v.userObj?.name}"/></source>
        <target>Kullanıcı <x id="0" equiv-text="${item.userObj?.name}"/></target>
        
      </trans-unit>
@ -7266,30 +7243,6 @@ Gruplara/kullanıcılara yapılan bağlamalar, etkinliğin kullanıcısına kar
  <source>UI Settings</source>
  <target>Kullanıcı Arayüzü Ayarları</target>
 </trans-unit>
-<trans-unit id="s836148f721d8913b">
-  <source>Transparent Reverse Proxy</source>
-  <target>Şeffaf Ters Proxy</target>
-</trans-unit>
-<trans-unit id="s945a6b94361ee45b">
-  <source>For transparent reverse proxies with required authentication</source>
-  <target>Gerekli kimlik doğrulamasına sahip şeffaf ters proxy'ler için</target>
-</trans-unit>
-<trans-unit id="s40830ec037f34626">
-  <source>Configure SAML provider manually</source>
-  <target>SAML sağlayıcısını manuel olarak yapılandırma</target>
-</trans-unit>
-<trans-unit id="sea9fc40dfd1d18b1">
-  <source>Configure RADIUS provider manually</source>
-  <target>RADIUS sağlayıcısını el ile yapılandırma</target>
-</trans-unit>
-<trans-unit id="sa1b0052ae095b9b3">
-  <source>Configure SCIM provider manually</source>
-  <target>SCIM sağlayıcısını el ile yapılandırma</target>
-</trans-unit>
-<trans-unit id="s15831fa50a116545">
-  <source>Saving Application...</source>
-  <target>Uygulama Kaydediliyor...</target>
-</trans-unit>
 <trans-unit id="s848288f8c2265aad">
  <source>Your application has been saved</source>
  <target>Uygulamanız kaydedildi</target>
@ -7298,16 +7251,6 @@ Gruplara/kullanıcılara yapılan bağlamalar, etkinliğin kullanıcısına kar
  <source>Method's display Name.</source>
  <target>Yöntemin görünen adı.</target>
 </trans-unit>
-<trans-unit id="h10ef80d434185070">
-  <source>Use this provider with nginx's <x id="0" equiv-text="&lt;code&gt;"/>auth_request<x id="1" equiv-text="&lt;/code&gt;"/> or traefik's
-                    <x id="2" equiv-text="&lt;code&gt;"/>forwardAuth<x id="3" equiv-text="&lt;/code&gt;"/>. Each application/domain needs its own provider.
-                    Additionally, on each domain, <x id="4" equiv-text="&lt;code&gt;"/>/outpost.goauthentik.io<x id="5" equiv-text="&lt;/code&gt;"/> must be
-                    routed to the outpost (when using a managed outpost, this is done for you).</source>
-  <target>Bu sağlayıcıyı nginx'in <x id="0" equiv-text="&lt;code&gt;"/>auth_request <x id="1" equiv-text="&lt;/code&gt;"/> veya traefik'in <x id="2" equiv-text="&lt;code&gt;"/> forwardAuth <x id="3" equiv-text="&lt;/code&gt;"/> ile kullanın.
-                    Her uygulama/etki alanı kendi sağlayıcısına ihtiyaç duyar.
-                    Ek olarak, her etki alanında <x id="4" equiv-text="&lt;code&gt;"/>/outpost.goauthentik.io<x id="5" equiv-text="&lt;/code&gt;"/> gözcüye yönlendirilmelidir
-                    (yönetilen bir gözcü kullanırken, bu sizin için yapılır).</target>
-</trans-unit>
 <trans-unit id="sd18b18f91b804c3f">
  <source>Custom attributes</source>
  <target>Özel özellikler</target>
@ -7452,10 +7395,6 @@ Gruplara/kullanıcılara yapılan bağlamalar, etkinliğin kullanıcısına kar
  <source>Pseudolocale (for testing)</source>
  <target>Pseudolocale (test için)</target>
 </trans-unit>
-<trans-unit id="s4bd386db7302bb22">
-  <source>Create With Wizard</source>
-  <target>Sihirbazla Oluştur</target>
-</trans-unit>
 <trans-unit id="s070fdfb03034ca9b">
  <source>One hint, 'New Application Wizard', is currently hidden</source>
  <target>Bir ipucu, 'Yeni Uygulama Sihirbazı' şu anda gizli</target>
@ -7468,46 +7407,6 @@ Gruplara/kullanıcılara yapılan bağlamalar, etkinliğin kullanıcısına kar
  <source>Message shown when this stage is run.</source>
  <target>Bu aşama çalıştırıldığında gösterilen mesaj.</target>
 </trans-unit>
-<trans-unit id="s09f0c100d0ad2fec">
-  <source>Open Wizard</source>
-  <target>Sihirbazı Aç</target>
-</trans-unit>
-<trans-unit id="sf2ef885f7d0a101d">
-  <source>Demo Wizard</source>
-  <target>Demo Sihirbazı</target>
-</trans-unit>
-<trans-unit id="s77505ee5d2e45e53">
-  <source>Run the demo wizard</source>
-  <target>Demo sihirbazını çalıştırın</target>
-</trans-unit>
-<trans-unit id="s4498e890d47a8066">
-  <source>OAuth2/OIDC (Open Authorization/OpenID Connect)</source>
-  <target>OAuth2/OIDC (Açık Yetkilendirme/OpenID Connect)</target>
-</trans-unit>
-<trans-unit id="s4f2e195d09e2868c">
-  <source>LDAP (Lightweight Directory Access Protocol)</source>
-  <target>LDAP (Basit Dizin Erişim Protokolü)</target>
-</trans-unit>
-<trans-unit id="s7f5bb0c9923315ed">
-  <source>Forward Auth (Single Application)</source>
-  <target>İleri Kimlik Doğrulama (Tek Uygulama)</target>
-</trans-unit>
-<trans-unit id="sf8008d2d6b064b95">
-  <source>Forward Auth (Domain Level)</source>
-  <target>İleri Kimlik Doğrulama (Etki Alanı Düzeyi)</target>
-</trans-unit>
-<trans-unit id="sfa8a1ffa9fee07d3">
-  <source>SAML (Security Assertion Markup Language)</source>
-  <target>SAML (Güvenlik Onayı Biçimlendirme Dili)</target>
-</trans-unit>
-<trans-unit id="s848a23972e388662">
-  <source>RADIUS (Remote Authentication Dial-In User Service)</source>
-  <target>RADIUS (Arayan Kullanıcının Uzaktan Kimlik Doğrulama Hizmeti)</target>
-</trans-unit>
-<trans-unit id="s3e902999ddf7b50e">
-  <source>SCIM (System for Cross-domain Identity Management)</source>
-  <target>SCIM (Etki Alanları Arası Kimlik Yönetimi Sistemi)</target>
-</trans-unit>
 <trans-unit id="sdc5690be4a342985">
  <source>The token has been copied to your clipboard</source>
  <target>Belirteç panonuza kopyalandı</target>
@ -7552,14 +7451,6 @@ Gruplara/kullanıcılara yapılan bağlamalar, etkinliğin kullanıcısına kar
  <source>&lt;No name set&gt;</source>
  <target>&lt;İsim belirlenmedi&gt;</target>
 </trans-unit>
-<trans-unit id="sdc9a6ad1af30572c">
-  <source>For nginx's auth_request or traefik's forwardAuth</source>
-  <target>nginx'in auth_request veya traefik'in forwardAuth'u için</target>
-</trans-unit>
-<trans-unit id="sfc31264ef7ff86ef">
-  <source>For nginx's auth_request or traefik's forwardAuth per root domain</source>
-  <target>Kök etki alanı başına nginx'in auth_request veya traefik'in forwardAuth'u için</target>
-</trans-unit>
 <trans-unit id="s32babfed740fd3c1">
  <source>User type used for newly created users.</source>
  <target>Yeni oluşturulan kullanıcılar için kullanılan kullanıcı türü.</target>
@ -7652,10 +7543,6 @@ Gruplara/kullanıcılara yapılan bağlamalar, etkinliğin kullanıcısına kar
  <source>Review the provider.</source>
  <target>Sağlayıcıyı gözden geçirin.</target>
 </trans-unit>
-<trans-unit id="s9fd39a5cb20b4e61">
-  <source>There was an error</source>
-  <target>Bir hata oluştu</target>
-</trans-unit>
 <trans-unit id="s7a6b3453209e1066">
  <source>There was an error creating the application, but no error message was sent. Please review the server logs.</source>
  <target>Uygulama oluşturulurken bir hata oluştu, ancak herhangi bir hata iletisi gönderilmedi. Lütfen sunucu günlüklerini gözden geçirin.</target>
@ -7664,10 +7551,6 @@ Gruplara/kullanıcılara yapılan bağlamalar, etkinliğin kullanıcısına kar
  <source>Configure LDAP Provider</source>
  <target>LDAP Sağlayıcısını Yapılandırma</target>
 </trans-unit>
-<trans-unit id="s9368e965b5c292ab">
-  <source>Configure OAuth2/OpenId Provider</source>
-  <target>OAuth2/OpenId Sağlayıcısını Yapılandırma</target>
-</trans-unit>
 <trans-unit id="sf5cbccdc6254c8dc">
  <source>Configure Proxy Provider</source>
  <target>Proxy sağlayıcısını yapılandırma</target>
@ -7680,18 +7563,10 @@ Gruplara/kullanıcılara yapılan bağlamalar, etkinliğin kullanıcısına kar
  <source>Configure SAML Provider</source>
  <target>SAML Sağlayıcısını Yapılandırma</target>
 </trans-unit>
-<trans-unit id="sb3defbacd01ad972">
-  <source>Property mappings used for user mapping.</source>
-  <target>Kullanıcı eşlemesi için kullanılan özellik eşlemeleri.</target>
-</trans-unit>
 <trans-unit id="s7ccce0ec8d228db6">
  <source>Configure SCIM Provider</source>
  <target>SCIM Sağlayıcısını Yapılandırma</target>
 </trans-unit>
-<trans-unit id="sd7728d2b6e1d25e9">
-  <source>Property mappings used for group creation.</source>
-  <target>Grup oluşturma için kullanılan özellik eşlemeleri.</target>
-</trans-unit>
 <trans-unit id="s7513372fe60f6387">
  <source>Event volume</source>
  <target>Olay hacmi</target>
@ -8134,18 +8009,6 @@ Gruplara/kullanıcılara yapılan bağlamalar, etkinliğin kullanıcısına kar
  <source>Brand name</source>
  <target>Markası</target>
 </trans-unit>
-<trans-unit id="sb7e68dcad68a638c">
-  <source>Remote Access Provider</source>
-  <target>Uzaktan Erişim Sağlayıcısı</target>
-</trans-unit>
-<trans-unit id="sfb1980a471b7dfb6">
-  <source>Remotely access computers/servers via RDP/SSH/VNC</source>
-  <target>RDP/SSH/VNC aracılığıyla bilgisayarlara/sunuculara uzaktan erişin</target>
-</trans-unit>
-<trans-unit id="s9ffdea131dddb3c5">
-  <source>Configure Remote Access Provider Provider</source>
-  <target>Uzaktan Erişim Sağlayıcı Sağlayıcısı'nı yapılandırma</target>
-</trans-unit>
 <trans-unit id="s56bc67239b9255a2">
  <source>Delete authorization on disconnect</source>
  <target>Bağlantı kesildiğinde yetkilendirmeyi sil</target>
@ -8638,18 +8501,6 @@ Gruplara/kullanıcılara yapılan bağlamalar, etkinliğin kullanıcısına kar
  <source>Pagination</source>
  <target>Sayfalandırma</target>
 </trans-unit>
-<trans-unit id="s6d46b842e227be57">
-  <source>Application Details</source>
-  <target>Uygulama Detayları</target>
-</trans-unit>
-<trans-unit id="s76415a60e548cafe">
-  <source>Provider Configuration</source>
-  <target>Sağlayıcı Yapılandırması</target>
-</trans-unit>
-<trans-unit id="sde59c64619570b57">
-  <source>Submit Application</source>
-  <target>Başvuru Gönder</target>
-</trans-unit>
 <trans-unit id="sf2da0e95c78f2cb7">
  <source>Restore Application Wizard Hint</source>
  <target>Uygulama Geri Yükleme Sihirbazı İpucu</target>
@ -8974,10 +8825,6 @@ Gruplara/kullanıcılara yapılan bağlamalar, etkinliğin kullanıcısına kar
  <source><x id="0" equiv-text="${p.name}"/> ("<x id="1" equiv-text="${p.fieldKey}"/>", of type <x id="2" equiv-text="${p.type}"/>)</source>
  <target><x id="0" equiv-text="${prompt.name}"/> ("<x id="1" equiv-text="${prompt.fieldKey}"/>", of type <x id="2" equiv-text="${prompt.type}"/>)</target>
 </trans-unit>
-<trans-unit id="sa38c5a2731be3a46">
-  <source>authentik was unable to save this application:</source>
-  <target>auhentik bu uygulamayı kaydedemedi:</target>
-</trans-unit>
 <trans-unit id="s25bacc19d98b444e">
  <source>Parent Group</source>
  <target>Ebeveyn Grubu</target>
@ -9214,9 +9061,6 @@ Gruplara/kullanıcılara yapılan bağlamalar, etkinliğin kullanıcısına kar
 <trans-unit id="s4c49d27de60a532b">
  <source>To allow any redirect URI, set the mode to Regex and the value to ".*". Be aware of the possible security implications this can have.</source>
 </trans-unit>
-<trans-unit id="s43f899a86c6a3484">
-  <source>Redirect URIs/Origins</source>
-</trans-unit>
 <trans-unit id="sa52bf79fe1ccb13e">
  <source>Federated OIDC Sources</source>
 </trans-unit>
@ -9294,6 +9138,135 @@ Gruplara/kullanıcılara yapılan bağlamalar, etkinliğin kullanıcısına kar
 </trans-unit>
 <trans-unit id="sbfaee8cfbf4e44e8">
  <source>Require Outpost (flow can only be executed from an outpost)</source>
+</trans-unit>
+<trans-unit id="sb80507bed88545a6">
+  <source>An application name is required</source>
+</trans-unit>
+<trans-unit id="s39c052006b2b141a">
+  <source>Not a valid URL</source>
+</trans-unit>
+<trans-unit id="s317f3ab0da3d068a">
+  <source>Not a valid slug</source>
+</trans-unit>
+<trans-unit id="s177577c23ed3ca7e">
+  <source>Configure The Application</source>
+</trans-unit>
+<trans-unit id="s030ed8a3f12c23ff">
+  <source>Configure Bindings</source>
+</trans-unit>
+<trans-unit id="sc387b20e6d629087">
+  <source>Configure Policy/User/Group Bindings</source>
+</trans-unit>
+<trans-unit id="s71c3ec95efe723ca">
+  <source>No bound policies.</source>
+</trans-unit>
+<trans-unit id="sab1786ef3c0383ba">
+  <source>Bind policy/group/user</source>
+</trans-unit>
+<trans-unit id="s082ea0f3c0a854ff">
+  <source>Configure Policy Bindings</source>
+</trans-unit>
+<trans-unit id="sac315d5bd28d4efa">
+  <source>Don't Pass</source>
+</trans-unit>
+<trans-unit id="s54a37223ce938349">
+  <source>Save Binding</source>
+</trans-unit>
+<trans-unit id="s931754aabd4a6a47">
+  <source>Create a Policy/User/Group Binding</source>
+</trans-unit>
+<trans-unit id="s10ba15343fe64890">
+  <source>Choose A Provider</source>
+</trans-unit>
+<trans-unit id="sb7be945aa799b8d7">
+  <source>Please choose a provider type before proceeding.</source>
+</trans-unit>
+<trans-unit id="s2289ff3b411251d8">
+  <source>Choose a Provider Type</source>
+</trans-unit>
+<trans-unit id="sde0ad51b14f77cf6">
+  <source>Redirect URIs/Origins (RegEx)</source>
+</trans-unit>
+<trans-unit id="s89ae85c3a9df8a6f">
+  <source>Configure OAuth2 Provider</source>
+</trans-unit>
+<trans-unit id="s881271a499c9db98">
+  <source>Configure Remote Access Provider</source>
+</trans-unit>
+<trans-unit id="s9b6bf63fddc7362f">
+  <source>List of CIDRs (comma-seperated) that clients can connect from. A more specific CIDR will match before a looser one. Clients connecting from a non-specified CIDR will be dropped.</source>
+</trans-unit>
+<trans-unit id="s19907c16eb319618">
+  <source>Configure Provider</source>
+</trans-unit>
+<trans-unit id="s7055edd8fab866f4">
+  <source>strict</source>
+</trans-unit>
+<trans-unit id="s5e57ca23b946c1b8">
+  <source>regexp</source>
+</trans-unit>
+<trans-unit id="sd226dc54c414585a">
+  <source>Review and Submit Application</source>
+</trans-unit>
+<trans-unit id="s828ded9ade500ffc">
+  <source>There was an error. Please go back and review the application.</source>
+</trans-unit>
+<trans-unit id="s9fdda682893624a1">
+  <source>There was an error:</source>
+</trans-unit>
+<trans-unit id="s201ee6bc6d9f97da">
+  <source>Please go back and review the application.</source>
+</trans-unit>
+<trans-unit id="s9c09ef16900241fa">
+  <source>Review the Application and Provider</source>
+</trans-unit>
+<trans-unit id="s0a0a21f7bcf9d865">
+  <source>Saving application...</source>
+</trans-unit>
+<trans-unit id="se669a4b939be0891">
+  <source>authentik was unable to complete this process.</source>
+</trans-unit>
+<trans-unit id="s8aac845c63f45ca2">
+  <source>Create with wizard</source>
+</trans-unit>
+<trans-unit id="s080af72866b69b3d">
+  <source>Bind existing <x id="0" equiv-text="${this.allowedTypesLabel}"/></source>
+</trans-unit>
+<trans-unit id="sa36117e97f49c86e">
+  <source>Successfully updated entitlement.</source>
+</trans-unit>
+<trans-unit id="s86bee999b735111f">
+  <source>Successfully created entitlement.</source>
+</trans-unit>
+<trans-unit id="s8a48455905fc14e6">
+  <source>Application entitlement(s)</source>
+</trans-unit>
+<trans-unit id="sae971cbff672090b">
+  <source>Update Entitlement</source>
+</trans-unit>
+<trans-unit id="s537a58ae0ff50f1c">
+  <source>These bindings control which users have access to this entitlement.</source>
+</trans-unit>
+<trans-unit id="s05849efeac672dc7">
+  <source>No app entitlements created.</source>
+</trans-unit>
+<trans-unit id="sdc8a8f29af6aa411">
+  <source>This application does currently not have any application entitlement defined.</source>
+</trans-unit>
+<trans-unit id="sf0bd204ce3fea1de">
+  <source>Create Entitlement</source>
+</trans-unit>
+<trans-unit id="s55d8e42d0a1c057e">
+  <source>Create entitlement</source>
+</trans-unit>
+<trans-unit id="sc6479479c936939f">
+  <source>Application entitlements</source>
+</trans-unit>
+<trans-unit id="sfafbd9bddb38d172">
+  <source>Application entitlements are in preview.</source>
+</trans-unit>
+<trans-unit id="s8e1c375a007d1839">
+  <source>These entitlements can be used to configure user access in this application.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/zh-CN.xlf
+++ b/web/xliff/zh-CN.xlf
@ -611,57 +611,6 @@
 <trans-unit id="se2b29e6cfe59414c">
  <source>UI Settings</source>
 </trans-unit>
-<trans-unit id="s4498e890d47a8066">
-  <source>OAuth2/OIDC (Open Authorization/OpenID Connect)</source>
-</trans-unit>
-<trans-unit id="sc2cedfb22488ccb2">
-  <source>Modern applications, APIs and Single-page applications.</source>
-</trans-unit>
-<trans-unit id="s4f2e195d09e2868c">
-  <source>LDAP (Lightweight Directory Access Protocol)</source>
-</trans-unit>
-<trans-unit id="sffd5481034a1bd41">
-  <source>Provide an LDAP interface for applications and users to authenticate against.</source>
-</trans-unit>
-<trans-unit id="s836148f721d8913b">
-  <source>Transparent Reverse Proxy</source>
-</trans-unit>
-<trans-unit id="s945a6b94361ee45b">
-  <source>For transparent reverse proxies with required authentication</source>
-</trans-unit>
-<trans-unit id="s7f5bb0c9923315ed">
-  <source>Forward Auth (Single Application)</source>
-</trans-unit>
-<trans-unit id="sdc9a6ad1af30572c">
-  <source>For nginx's auth_request or traefik's forwardAuth</source>
-</trans-unit>
-<trans-unit id="sf8008d2d6b064b95">
-  <source>Forward Auth (Domain Level)</source>
-</trans-unit>
-<trans-unit id="sfc31264ef7ff86ef">
-  <source>For nginx's auth_request or traefik's forwardAuth per root domain</source>
-</trans-unit>
-<trans-unit id="sfa8a1ffa9fee07d3">
-  <source>SAML (Security Assertion Markup Language)</source>
-</trans-unit>
-<trans-unit id="s40830ec037f34626">
-  <source>Configure SAML provider manually</source>
-</trans-unit>
-<trans-unit id="s848a23972e388662">
-  <source>RADIUS (Remote Authentication Dial-In User Service)</source>
-</trans-unit>
-<trans-unit id="sea9fc40dfd1d18b1">
-  <source>Configure RADIUS provider manually</source>
-</trans-unit>
-<trans-unit id="s3e902999ddf7b50e">
-  <source>SCIM (System for Cross-domain Identity Management)</source>
-</trans-unit>
-<trans-unit id="sa1b0052ae095b9b3">
-  <source>Configure SCIM provider manually</source>
-</trans-unit>
-<trans-unit id="s15831fa50a116545">
-  <source>Saving Application...</source>
-</trans-unit>
 <trans-unit id="s848288f8c2265aad">
  <source>Your application has been saved</source>
 </trans-unit>
@ -677,9 +626,6 @@
 <trans-unit id="s21f95eaf151d4ce3">
  <source>Review the provider.</source>
 </trans-unit>
-<trans-unit id="s9fd39a5cb20b4e61">
-  <source>There was an error</source>
-</trans-unit>
 <trans-unit id="s7a6b3453209e1066">
  <source>There was an error creating the application, but no error message was sent. Please review the server logs.</source>
 </trans-unit>
@ -950,9 +896,6 @@
 <trans-unit id="s22e566052f7bec81">
  <source>JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider.</source>
 </trans-unit>
-<trans-unit id="s9368e965b5c292ab">
-  <source>Configure OAuth2/OpenId Provider</source>
-</trans-unit>
 <trans-unit id="s072c6d12d3d37501">
  <source>HTTP-Basic Username Key</source>
 </trans-unit>
@ -1049,12 +992,6 @@
 <trans-unit id="s4a26798e1c3c37dd">
  <source>Validate SSL Certificates of upstream servers.</source>
 </trans-unit>
-<trans-unit id="h10ef80d434185070">
-  <source>Use this provider with nginx's <x id="0" equiv-text="&lt;code&gt;"/>auth_request<x id="1" equiv-text="&lt;/code&gt;"/> or traefik's
-                    <x id="2" equiv-text="&lt;code&gt;"/>forwardAuth<x id="3" equiv-text="&lt;/code&gt;"/>. Each application/domain needs its own provider.
-                    Additionally, on each domain, <x id="4" equiv-text="&lt;code&gt;"/>/outpost.goauthentik.io<x id="5" equiv-text="&lt;/code&gt;"/> must be
-                    routed to the outpost (when using a managed outpost, this is done for you).</source>
-</trans-unit>
 <trans-unit id="s2c8c6f89089b31d4">
  <source>Configure Radius Provider</source>
 </trans-unit>
@ -1064,11 +1001,6 @@
 <trans-unit id="s9e9316a6b0c16231">
  <source>Client Networks</source>
 </trans-unit>
-<trans-unit id="s7f2dcf01f7a8c0b7">
-  <source>List of CIDRs (comma-seperated) that clients can connect from. A more specific
-                            CIDR will match before a looser one. Clients connecting from a non-specified CIDR
-                            will be dropped.</source>
-</trans-unit>
 <trans-unit id="sd8f220c999726151">
  <source>Redirect</source>
 </trans-unit>
@ -1111,9 +1043,6 @@
 <trans-unit id="sce106606ae84d46f">
  <source>Property Mappings</source>
 </trans-unit>
-<trans-unit id="sb3defbacd01ad972">
-  <source>Property mappings used for user mapping.</source>
-</trans-unit>
 <trans-unit id="s1a2797874b7fe852">
  <source>NameID Property Mapping</source>
 </trans-unit>
@ -1177,12 +1106,6 @@
 <trans-unit id="s7cb9aa9ee1783f00">
  <source>Group Property Mappings</source>
 </trans-unit>
-<trans-unit id="sd7728d2b6e1d25e9">
-  <source>Property mappings used for group creation.</source>
-</trans-unit>
-<trans-unit id="s4bd386db7302bb22">
-  <source>Create With Wizard</source>
-</trans-unit>
 <trans-unit id="s0c9670f429e74283">
  <source>New application</source>
 </trans-unit>
@ -1842,17 +1765,14 @@ doesn't pass when either or both of the selected options are equal or above the
 <trans-unit id="s2e532e19ed477a56">
  <source>Path</source>
 </trans-unit>
-<trans-unit id="s67560d7e37d984c3">
-  <source>Policy / User / Group</source>
-</trans-unit>
 <trans-unit id="s030ac0829bb50a49">
-  <source>Policy <x id="0" equiv-text="${item.policyObj?.name}"/></source>
+  <source>Policy <x id="0" equiv-text="${v.policyObj?.name}"/></source>
 </trans-unit>
 <trans-unit id="s2a64d2dca3da9b0e">
-  <source>Group <x id="0" equiv-text="${item.groupObj?.name}"/></source>
+  <source>Group <x id="0" equiv-text="${v.groupObj?.name}"/></source>
 </trans-unit>
 <trans-unit id="se5dc026819a32ff8">
-  <source>User <x id="0" equiv-text="${item.userObj?.name}"/></source>
+  <source>User <x id="0" equiv-text="${v.userObj?.name}"/></source>
 </trans-unit>
 <trans-unit id="s50c312bea93b6925">
  <source>Edit Policy</source>
@ -4526,15 +4446,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="se9e9e1d6799b86a5">
  <source>WebAuthn not supported by browser.</source>
 </trans-unit>
-<trans-unit id="s09f0c100d0ad2fec">
-  <source>Open Wizard</source>
-</trans-unit>
-<trans-unit id="sf2ef885f7d0a101d">
-  <source>Demo Wizard</source>
-</trans-unit>
-<trans-unit id="s77505ee5d2e45e53">
-  <source>Run the demo wizard</source>
-</trans-unit>
 <trans-unit id="sab85321d3b0840b7">
  <source>API request failed</source>
 </trans-unit>
@ -5071,15 +4982,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="se16b4d412ad1aba9">
  <source>Brand name</source>
 </trans-unit>
-<trans-unit id="sb7e68dcad68a638c">
-  <source>Remote Access Provider</source>
-</trans-unit>
-<trans-unit id="sfb1980a471b7dfb6">
-  <source>Remotely access computers/servers via RDP/SSH/VNC</source>
-</trans-unit>
-<trans-unit id="s9ffdea131dddb3c5">
-  <source>Configure Remote Access Provider Provider</source>
-</trans-unit>
 <trans-unit id="s56bc67239b9255a2">
  <source>Delete authorization on disconnect</source>
 </trans-unit>
@ -5449,15 +5351,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s3dc14a4b8129f989">
  <source>Pagination</source>
 </trans-unit>
-<trans-unit id="s6d46b842e227be57">
-  <source>Application Details</source>
-</trans-unit>
-<trans-unit id="s76415a60e548cafe">
-  <source>Provider Configuration</source>
-</trans-unit>
-<trans-unit id="sde59c64619570b57">
-  <source>Submit Application</source>
-</trans-unit>
 <trans-unit id="sf2da0e95c78f2cb7">
  <source>Restore Application Wizard Hint</source>
 </trans-unit>
@ -5701,9 +5594,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s2d5f69929bb7221d">
  <source><x id="0" equiv-text="${p.name}"/> ("<x id="1" equiv-text="${p.fieldKey}"/>", of type <x id="2" equiv-text="${p.type}"/>)</source>
 </trans-unit>
-<trans-unit id="sa38c5a2731be3a46">
-  <source>authentik was unable to save this application:</source>
-</trans-unit>
 <trans-unit id="s25bacc19d98b444e">
  <source>Parent Group</source>
 </trans-unit>
@ -5890,9 +5780,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s4c49d27de60a532b">
  <source>To allow any redirect URI, set the mode to Regex and the value to ".*". Be aware of the possible security implications this can have.</source>
 </trans-unit>
-<trans-unit id="s43f899a86c6a3484">
-  <source>Redirect URIs/Origins</source>
-</trans-unit>
 <trans-unit id="sa52bf79fe1ccb13e">
  <source>Federated OIDC Sources</source>
 </trans-unit>
@ -5971,6 +5858,135 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="sbfaee8cfbf4e44e8">
  <source>Require Outpost (flow can only be executed from an outpost)</source>
 </trans-unit>
+<trans-unit id="sb80507bed88545a6">
+  <source>An application name is required</source>
+</trans-unit>
+<trans-unit id="s39c052006b2b141a">
+  <source>Not a valid URL</source>
+</trans-unit>
+<trans-unit id="s317f3ab0da3d068a">
+  <source>Not a valid slug</source>
+</trans-unit>
+<trans-unit id="s177577c23ed3ca7e">
+  <source>Configure The Application</source>
+</trans-unit>
+<trans-unit id="s030ed8a3f12c23ff">
+  <source>Configure Bindings</source>
+</trans-unit>
+<trans-unit id="sc387b20e6d629087">
+  <source>Configure Policy/User/Group Bindings</source>
+</trans-unit>
+<trans-unit id="s71c3ec95efe723ca">
+  <source>No bound policies.</source>
+</trans-unit>
+<trans-unit id="sab1786ef3c0383ba">
+  <source>Bind policy/group/user</source>
+</trans-unit>
+<trans-unit id="s082ea0f3c0a854ff">
+  <source>Configure Policy Bindings</source>
+</trans-unit>
+<trans-unit id="sac315d5bd28d4efa">
+  <source>Don't Pass</source>
+</trans-unit>
+<trans-unit id="s54a37223ce938349">
+  <source>Save Binding</source>
+</trans-unit>
+<trans-unit id="s931754aabd4a6a47">
+  <source>Create a Policy/User/Group Binding</source>
+</trans-unit>
+<trans-unit id="s10ba15343fe64890">
+  <source>Choose A Provider</source>
+</trans-unit>
+<trans-unit id="sb7be945aa799b8d7">
+  <source>Please choose a provider type before proceeding.</source>
+</trans-unit>
+<trans-unit id="s2289ff3b411251d8">
+  <source>Choose a Provider Type</source>
+</trans-unit>
+<trans-unit id="sde0ad51b14f77cf6">
+  <source>Redirect URIs/Origins (RegEx)</source>
+</trans-unit>
+<trans-unit id="s89ae85c3a9df8a6f">
+  <source>Configure OAuth2 Provider</source>
+</trans-unit>
+<trans-unit id="s881271a499c9db98">
+  <source>Configure Remote Access Provider</source>
+</trans-unit>
+<trans-unit id="s9b6bf63fddc7362f">
+  <source>List of CIDRs (comma-seperated) that clients can connect from. A more specific CIDR will match before a looser one. Clients connecting from a non-specified CIDR will be dropped.</source>
+</trans-unit>
+<trans-unit id="s19907c16eb319618">
+  <source>Configure Provider</source>
+</trans-unit>
+<trans-unit id="s7055edd8fab866f4">
+  <source>strict</source>
+</trans-unit>
+<trans-unit id="s5e57ca23b946c1b8">
+  <source>regexp</source>
+</trans-unit>
+<trans-unit id="sd226dc54c414585a">
+  <source>Review and Submit Application</source>
+</trans-unit>
+<trans-unit id="s828ded9ade500ffc">
+  <source>There was an error. Please go back and review the application.</source>
+</trans-unit>
+<trans-unit id="s9fdda682893624a1">
+  <source>There was an error:</source>
+</trans-unit>
+<trans-unit id="s201ee6bc6d9f97da">
+  <source>Please go back and review the application.</source>
+</trans-unit>
+<trans-unit id="s9c09ef16900241fa">
+  <source>Review the Application and Provider</source>
+</trans-unit>
+<trans-unit id="s0a0a21f7bcf9d865">
+  <source>Saving application...</source>
+</trans-unit>
+<trans-unit id="se669a4b939be0891">
+  <source>authentik was unable to complete this process.</source>
+</trans-unit>
+<trans-unit id="s8aac845c63f45ca2">
+  <source>Create with wizard</source>
+</trans-unit>
+<trans-unit id="s080af72866b69b3d">
+  <source>Bind existing <x id="0" equiv-text="${this.allowedTypesLabel}"/></source>
+</trans-unit>
+<trans-unit id="sa36117e97f49c86e">
+  <source>Successfully updated entitlement.</source>
+</trans-unit>
+<trans-unit id="s86bee999b735111f">
+  <source>Successfully created entitlement.</source>
+</trans-unit>
+<trans-unit id="s8a48455905fc14e6">
+  <source>Application entitlement(s)</source>
+</trans-unit>
+<trans-unit id="sae971cbff672090b">
+  <source>Update Entitlement</source>
+</trans-unit>
+<trans-unit id="s537a58ae0ff50f1c">
+  <source>These bindings control which users have access to this entitlement.</source>
+</trans-unit>
+<trans-unit id="s05849efeac672dc7">
+  <source>No app entitlements created.</source>
+</trans-unit>
+<trans-unit id="sdc8a8f29af6aa411">
+  <source>This application does currently not have any application entitlement defined.</source>
+</trans-unit>
+<trans-unit id="sf0bd204ce3fea1de">
+  <source>Create Entitlement</source>
+</trans-unit>
+<trans-unit id="s55d8e42d0a1c057e">
+  <source>Create entitlement</source>
+</trans-unit>
+<trans-unit id="sc6479479c936939f">
+  <source>Application entitlements</source>
+</trans-unit>
+<trans-unit id="sfafbd9bddb38d172">
+  <source>Application entitlements are in preview.</source>
+</trans-unit>
+<trans-unit id="s8e1c375a007d1839">
+  <source>These entitlements can be used to configure user access in this application.</source>
+</trans-unit>
 </body>
 </file>
 </xliff>
--- a/web/xliff/zh-Hans.xlf
+++ b/web/xliff/zh-Hans.xlf
@ -1,4 +1,4 @@
-<?xml version="1.0" ?><xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" version="1.2">
+<?xml version="1.0"?><xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" version="1.2">
  <file target-language="zh-Hans" source-language="en" original="lit-localize-inputs" datatype="plaintext">
    <body>
      <trans-unit id="s4caed5b7a7e5d89b">
@ -596,9 +596,9 @@
        
      </trans-unit>
      <trans-unit id="saa0e2675da69651b">
-        <source>The URL &quot;<x id="0" equiv-text="${this.url}"/>&quot; was not found.</source>
-        <target>未找到 URL &quot;
-        <x id="0" equiv-text="${this.url}"/>&quot;。</target>
+        <source>The URL "<x id="0" equiv-text="${this.url}"/>" was not found.</source>
+        <target>未找到 URL "
+        <x id="0" equiv-text="${this.url}"/>"。</target>
        
      </trans-unit>
      <trans-unit id="s58cd9c2fe836d9c6">
@ -1544,13 +1544,6 @@
        <source>Client Networks</source>
        <target>客户端网络</target>
        
-      </trans-unit>
-      <trans-unit id="s7f2dcf01f7a8c0b7">
-        <source>List of CIDRs (comma-seperated) that clients can connect from. A more specific
-                            CIDR will match before a looser one. Clients connecting from a non-specified CIDR
-                            will be dropped.</source>
-        <target>允许客户端连接的 CIDR 列表（逗号分隔）。严格的 CIDR 会在宽松的之前匹配。
-来自 CIDR 范围外的客户端连接将会被丢弃。</target>
      </trans-unit>
      <trans-unit id="s61eacb19db252f5e">
        <source>URL</source>
@ -1737,8 +1730,8 @@
        
      </trans-unit>
      <trans-unit id="sa90b7809586c35ce">
-        <source>Either input a full URL, a relative path, or use 'fa://fa-test' to use the Font Awesome icon &quot;fa-test&quot;.</source>
-        <target>输入完整 URL、相对路径，或者使用 'fa://fa-test' 来使用 Font Awesome 图标 &quot;fa-test&quot;。</target>
+        <source>Either input a full URL, a relative path, or use 'fa://fa-test' to use the Font Awesome icon "fa-test".</source>
+        <target>输入完整 URL、相对路径，或者使用 'fa://fa-test' 来使用 Font Awesome 图标 "fa-test"。</target>
        
      </trans-unit>
      <trans-unit id="s0410779cb47de312">
@ -2155,21 +2148,11 @@
        <source>Run sync again</source>
        <target>再次运行同步</target>
        
-      </trans-unit>
-      <trans-unit id="sc2cedfb22488ccb2">
-        <source>Modern applications, APIs and Single-page applications.</source>
-        <target>现代应用程序、API 与单页应用程序。</target>
-        
      </trans-unit>
      <trans-unit id="sc3259eb55cf91e8c">
        <source>LDAP</source>
        <target>LDAP</target>
        
-      </trans-unit>
-      <trans-unit id="sffd5481034a1bd41">
-        <source>Provide an LDAP interface for applications and users to authenticate against.</source>
-        <target>为应用程序和用户提供 LDAP 接口以进行身份验证。</target>
-        
      </trans-unit>
      <trans-unit id="s0c9670f429e74283">
        <source>New application</source>
@ -2636,26 +2619,21 @@ doesn't pass when either or both of the selected options are equal or above the
        <source>Path</source>
        <target>路径</target>
        
-      </trans-unit>
-      <trans-unit id="s67560d7e37d984c3">
-        <source>Policy / User / Group</source>
-        <target>策略 / 用户 / 组</target>
-        
      </trans-unit>
      <trans-unit id="s030ac0829bb50a49">
-        <source>Policy <x id="0" equiv-text="${item.policyObj?.name}"/></source>
+        <source>Policy <x id="0" equiv-text="${v.policyObj?.name}"/></source>
        <target>策略
        <x id="0" equiv-text="${item.policyObj?.name}"/></target>
        
      </trans-unit>
      <trans-unit id="s2a64d2dca3da9b0e">
-        <source>Group <x id="0" equiv-text="${item.groupObj?.name}"/></source>
+        <source>Group <x id="0" equiv-text="${v.groupObj?.name}"/></source>
        <target>组
        <x id="0" equiv-text="${item.groupObj?.name}"/></target>
        
      </trans-unit>
      <trans-unit id="se5dc026819a32ff8">
-        <source>User <x id="0" equiv-text="${item.userObj?.name}"/></source>
+        <source>User <x id="0" equiv-text="${v.userObj?.name}"/></source>
        <target>用户
        <x id="0" equiv-text="${item.userObj?.name}"/></target>
        
@ -2901,8 +2879,8 @@ doesn't pass when either or both of the selected options are equal or above the
        
      </trans-unit>
      <trans-unit id="s76768bebabb7d543">
-        <source>Field which contains members of a group. Note that if using the &quot;memberUid&quot; field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'</source>
-        <target>包含组成员的字段。请注意，如果使用 &quot;memberUid&quot; 字段，则假定该值包含相对可分辨名称。例如，'memberUid=some-user' 而不是 'memberUid=cn=some-user,ou=groups,...'</target>
+        <source>Field which contains members of a group. Note that if using the "memberUid" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'</source>
+        <target>包含组成员的字段。请注意，如果使用 "memberUid" 字段，则假定该值包含相对可分辨名称。例如，'memberUid=some-user' 而不是 'memberUid=cn=some-user,ou=groups,...'</target>
        
      </trans-unit>
      <trans-unit id="s026555347e589f0e">
@ -3648,8 +3626,8 @@ doesn't pass when either or both of the selected options are equal or above the
        
      </trans-unit>
      <trans-unit id="s7b1fba26d245cb1c">
-        <source>When using an external logging solution for archiving, this can be set to &quot;minutes=5&quot;.</source>
-        <target>使用外部日志记录解决方案进行存档时，可以将其设置为 &quot;minutes=5&quot;。</target>
+        <source>When using an external logging solution for archiving, this can be set to "minutes=5".</source>
+        <target>使用外部日志记录解决方案进行存档时，可以将其设置为 "minutes=5"。</target>
        
      </trans-unit>
      <trans-unit id="s44536d20bb5c8257">
@ -3825,10 +3803,10 @@ doesn't pass when either or both of the selected options are equal or above the
        
      </trans-unit>
      <trans-unit id="sa95a538bfbb86111">
-        <source>Are you sure you want to update <x id="0" equiv-text="${this.objectLabel}"/> &quot;<x id="1" equiv-text="${this.obj?.name}"/>&quot;?</source>
+        <source>Are you sure you want to update <x id="0" equiv-text="${this.objectLabel}"/> "<x id="1" equiv-text="${this.obj?.name}"/>"?</source>
        <target>您确定要更新
-        <x id="0" equiv-text="${this.objectLabel}"/>&quot;
-        <x id="1" equiv-text="${this.obj?.name}"/>&quot; 吗？</target>
+        <x id="0" equiv-text="${this.objectLabel}"/>"
+        <x id="1" equiv-text="${this.obj?.name}"/>" 吗？</target>
        
      </trans-unit>
      <trans-unit id="sc92d7cfb6ee1fec6">
@ -4904,7 +4882,7 @@ doesn't pass when either or both of the selected options are equal or above the
        
      </trans-unit>
      <trans-unit id="sdf1d8edef27236f0">
-        <source>A &quot;roaming&quot; authenticator, like a YubiKey</source>
+        <source>A "roaming" authenticator, like a YubiKey</source>
        <target>像 YubiKey 这样的“漫游”身份验证器</target>
        
      </trans-unit>
@ -5273,7 +5251,7 @@ doesn't pass when either or both of the selected options are equal or above the
        
      </trans-unit>
      <trans-unit id="s1608b2f94fa0dbd4">
-        <source>If set to a duration above 0, the user will have the option to choose to &quot;stay signed in&quot;, which will extend their session by the time specified here.</source>
+        <source>If set to a duration above 0, the user will have the option to choose to "stay signed in", which will extend their session by the time specified here.</source>
        <target>如果设置时长大于 0，用户可以选择“保持登录”选项，这将使用户的会话延长此处设置的时间。</target>
        
      </trans-unit>
@ -7315,30 +7293,6 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>UI Settings</source>
  <target>用户界面设置</target>
 </trans-unit>
-<trans-unit id="s836148f721d8913b">
-  <source>Transparent Reverse Proxy</source>
-  <target>透明反向代理</target>
-</trans-unit>
-<trans-unit id="s945a6b94361ee45b">
-  <source>For transparent reverse proxies with required authentication</source>
-  <target>适用于需要验证身份的透明反向代理</target>
-</trans-unit>
-<trans-unit id="s40830ec037f34626">
-  <source>Configure SAML provider manually</source>
-  <target>手动配置 SAML 提供程序</target>
-</trans-unit>
-<trans-unit id="sea9fc40dfd1d18b1">
-  <source>Configure RADIUS provider manually</source>
-  <target>手动配置 RADIUS 提供程序</target>
-</trans-unit>
-<trans-unit id="sa1b0052ae095b9b3">
-  <source>Configure SCIM provider manually</source>
-  <target>手动配置 SCIM 提供程序</target>
-</trans-unit>
-<trans-unit id="s15831fa50a116545">
-  <source>Saving Application...</source>
-  <target>正在保存应用程序…</target>
-</trans-unit>
 <trans-unit id="s848288f8c2265aad">
  <source>Your application has been saved</source>
  <target>您的应用程序已保存</target>
@ -7347,16 +7301,6 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>Method's display Name.</source>
  <target>方法的显示名称。</target>
 </trans-unit>
-<trans-unit id="h10ef80d434185070">
-  <source>Use this provider with nginx's <x id="0" equiv-text="&lt;code&gt;"/>auth_request<x id="1" equiv-text="&lt;/code&gt;"/> or traefik's
-                    <x id="2" equiv-text="&lt;code&gt;"/>forwardAuth<x id="3" equiv-text="&lt;/code&gt;"/>. Each application/domain needs its own provider.
-                    Additionally, on each domain, <x id="4" equiv-text="&lt;code&gt;"/>/outpost.goauthentik.io<x id="5" equiv-text="&lt;/code&gt;"/> must be
-                    routed to the outpost (when using a managed outpost, this is done for you).</source>
-  <target>此提供程序需要与 nginx 的 <x id="0" equiv-text="&lt;code&gt;"/>auth_request<x id="1" equiv-text="&lt;/code&gt;"/> 或 traefik 的 <x id="2" equiv-text="&lt;code&gt;"/>forwardAuth<x id="3" equiv-text="&lt;/code&gt;"/>
-                    一起使用。每个应用/域名需要独立的提供程序。
-                    此外，在每个域名上，<x id="4" equiv-text="&lt;code&gt;"/>/outpost.goauthentik.io<x id="5" equiv-text="&lt;/code&gt;"/> 必须被路由到
-                    前哨（如果使用托管前哨，则已自动帮您完成）。</target>
-</trans-unit>
 <trans-unit id="sd18b18f91b804c3f">
  <source>Custom attributes</source>
  <target>自定义属性</target>
@ -7501,10 +7445,6 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>Pseudolocale (for testing)</source>
  <target>伪区域（测试用）</target>
 </trans-unit>
-<trans-unit id="s4bd386db7302bb22">
-  <source>Create With Wizard</source>
-  <target>通过向导创建</target>
-</trans-unit>
 <trans-unit id="s070fdfb03034ca9b">
  <source>One hint, 'New Application Wizard', is currently hidden</source>
  <target>“新应用程序向导”提示目前已隐藏</target>
@ -7517,46 +7457,6 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>Message shown when this stage is run.</source>
  <target>此阶段运行时显示的消息。</target>
 </trans-unit>
-<trans-unit id="s09f0c100d0ad2fec">
-  <source>Open Wizard</source>
-  <target>打开向导</target>
-</trans-unit>
-<trans-unit id="sf2ef885f7d0a101d">
-  <source>Demo Wizard</source>
-  <target>演示向导</target>
-</trans-unit>
-<trans-unit id="s77505ee5d2e45e53">
-  <source>Run the demo wizard</source>
-  <target>运行演示向导</target>
-</trans-unit>
-<trans-unit id="s4498e890d47a8066">
-  <source>OAuth2/OIDC (Open Authorization/OpenID Connect)</source>
-  <target>OAuth2/OIDC（Open Authorization/OpenID Connect）</target>
-</trans-unit>
-<trans-unit id="s4f2e195d09e2868c">
-  <source>LDAP (Lightweight Directory Access Protocol)</source>
-  <target>LDAP（轻型目录访问协议）</target>
-</trans-unit>
-<trans-unit id="s7f5bb0c9923315ed">
-  <source>Forward Auth (Single Application)</source>
-  <target>Forward Auth（单应用）</target>
-</trans-unit>
-<trans-unit id="sf8008d2d6b064b95">
-  <source>Forward Auth (Domain Level)</source>
-  <target>Forward Auth（域名级）</target>
-</trans-unit>
-<trans-unit id="sfa8a1ffa9fee07d3">
-  <source>SAML (Security Assertion Markup Language)</source>
-  <target>SAML（安全断言标记语言）</target>
-</trans-unit>
-<trans-unit id="s848a23972e388662">
-  <source>RADIUS (Remote Authentication Dial-In User Service)</source>
-  <target>RADIUS（远程身份验证拨入用户服务）</target>
-</trans-unit>
-<trans-unit id="s3e902999ddf7b50e">
-  <source>SCIM (System for Cross-domain Identity Management)</source>
-  <target>SCIM（跨域标识管理系统）</target>
-</trans-unit>
 <trans-unit id="sdc5690be4a342985">
  <source>The token has been copied to your clipboard</source>
  <target>令牌已被复制到剪贴板</target>
@ -7601,14 +7501,6 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>&lt;No name set&gt;</source>
  <target>&lt;未设置名称&gt;</target>
 </trans-unit>
-<trans-unit id="sdc9a6ad1af30572c">
-  <source>For nginx's auth_request or traefik's forwardAuth</source>
-  <target>适用于 nginx 的 auth_request 或 traefik 的 forwardAuth</target>
-</trans-unit>
-<trans-unit id="sfc31264ef7ff86ef">
-  <source>For nginx's auth_request or traefik's forwardAuth per root domain</source>
-  <target>适用于按根域名配置的 nginx 的 auth_request 或 traefik 的 forwardAuth</target>
-</trans-unit>
 <trans-unit id="s32babfed740fd3c1">
  <source>User type used for newly created users.</source>
  <target>新创建用户使用的用户类型。</target>
@ -7674,7 +7566,7 @@ Bindings to groups/users are checked against the user of the event.</source>
  <target>成功创建用户并添加到组 <x id="0" equiv-text="${this.group.name}"/></target>
 </trans-unit>
 <trans-unit id="s824e0943a7104668">
-  <source>This user will be added to the group &quot;<x id="0" equiv-text="${this.targetGroup.name}"/>&quot;.</source>
+  <source>This user will be added to the group "<x id="0" equiv-text="${this.targetGroup.name}"/>".</source>
  <target>此用户将会被添加到组 &amp;quot;<x id="0" equiv-text="${this.targetGroup.name}"/>&amp;quot;。</target>
 </trans-unit>
 <trans-unit id="s62e7f6ed7d9cb3ca">
@ -7701,10 +7593,6 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>Review the provider.</source>
  <target>检查此提供程序。</target>
 </trans-unit>
-<trans-unit id="s9fd39a5cb20b4e61">
-  <source>There was an error</source>
-  <target>存在一个错误</target>
-</trans-unit>
 <trans-unit id="s7a6b3453209e1066">
  <source>There was an error creating the application, but no error message was sent. Please review the server logs.</source>
  <target>创建应用程序时存在一个错误，但未发送错误消息。请检查服务器日志。</target>
@ -7713,10 +7601,6 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>Configure LDAP Provider</source>
  <target>配置 LDAP 提供程序</target>
 </trans-unit>
-<trans-unit id="s9368e965b5c292ab">
-  <source>Configure OAuth2/OpenId Provider</source>
-  <target>配置 OAuth2/OpenID 提供程序</target>
-</trans-unit>
 <trans-unit id="sf5cbccdc6254c8dc">
  <source>Configure Proxy Provider</source>
  <target>配置代理提供程序</target>
@ -7729,18 +7613,10 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>Configure SAML Provider</source>
  <target>配置 SAML 提供程序</target>
 </trans-unit>
-<trans-unit id="sb3defbacd01ad972">
-  <source>Property mappings used for user mapping.</source>
-  <target>用于用户映射的属性映射。</target>
-</trans-unit>
 <trans-unit id="s7ccce0ec8d228db6">
  <source>Configure SCIM Provider</source>
  <target>配置 SCIM 提供程序</target>
 </trans-unit>
-<trans-unit id="sd7728d2b6e1d25e9">
-  <source>Property mappings used for group creation.</source>
-  <target>用于创建组的属性映射。</target>
-</trans-unit>
 <trans-unit id="s7513372fe60f6387">
  <source>Event volume</source>
  <target>事件容量</target>
@ -8183,18 +8059,6 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>Brand name</source>
  <target>品牌名称</target>
 </trans-unit>
-<trans-unit id="sb7e68dcad68a638c">
-  <source>Remote Access Provider</source>
-  <target>远程访问提供程序</target>
-</trans-unit>
-<trans-unit id="sfb1980a471b7dfb6">
-  <source>Remotely access computers/servers via RDP/SSH/VNC</source>
-  <target>通过 RDP/SSH/VNC 远程访问计算机/服务器</target>
-</trans-unit>
-<trans-unit id="s9ffdea131dddb3c5">
-  <source>Configure Remote Access Provider Provider</source>
-  <target>配置远程访问提供程序</target>
-</trans-unit>
 <trans-unit id="s56bc67239b9255a2">
  <source>Delete authorization on disconnect</source>
  <target>断开连接时删除授权</target>
@ -8687,18 +8551,6 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>Pagination</source>
  <target>分页</target>
 </trans-unit>
-<trans-unit id="s6d46b842e227be57">
-  <source>Application Details</source>
-  <target>应用程序详情</target>
-</trans-unit>
-<trans-unit id="s76415a60e548cafe">
-  <source>Provider Configuration</source>
-  <target>提供程序配置</target>
-</trans-unit>
-<trans-unit id="sde59c64619570b57">
-  <source>Submit Application</source>
-  <target>提交应用程序</target>
-</trans-unit>
 <trans-unit id="sf2da0e95c78f2cb7">
  <source>Restore Application Wizard Hint</source>
  <target>恢复应用程序向导提示</target>
@ -9020,13 +8872,9 @@ Bindings to groups/users are checked against the user of the event.</source>
  <target>同步组</target>
 </trans-unit>
 <trans-unit id="s2d5f69929bb7221d">
-  <source><x id="0" equiv-text="${p.name}"/> (&quot;<x id="1" equiv-text="${p.fieldKey}"/>&quot;, of type <x id="2" equiv-text="${p.type}"/>)</source>
+  <source><x id="0" equiv-text="${p.name}"/> ("<x id="1" equiv-text="${p.fieldKey}"/>", of type <x id="2" equiv-text="${p.type}"/>)</source>
  <target><x id="0" equiv-text="${p.name}"/>（&amp;quot;<x id="1" equiv-text="${p.fieldKey}"/>&amp;quot;，类型为 <x id="2" equiv-text="${p.type}"/>）</target>
 </trans-unit>
-<trans-unit id="sa38c5a2731be3a46">
-  <source>authentik was unable to save this application:</source>
-  <target>authentik 无法保存此应用程序：</target>
-</trans-unit>
 <trans-unit id="s25bacc19d98b444e">
  <source>Parent Group</source>
  <target>父组</target>
@ -9272,12 +9120,8 @@ Bindings to groups/users are checked against the user of the event.</source>
  <target>授权流程成功后有效的重定向 URI。还可以在此处为隐式流程指定任何来源。</target>
 </trans-unit>
 <trans-unit id="s4c49d27de60a532b">
-  <source>To allow any redirect URI, set the mode to Regex and the value to &quot;.*&quot;. Be aware of the possible security implications this can have.</source>
-  <target>要允许任何重定向 URI，请设置模式为正则表达式，并将此值设置为 &quot;.*&quot;。请注意这可能带来的安全影响。</target>
-</trans-unit>
-<trans-unit id="s43f899a86c6a3484">
-  <source>Redirect URIs/Origins</source>
-  <target>重定向 URI/Origin</target>
+  <source>To allow any redirect URI, set the mode to Regex and the value to ".*". Be aware of the possible security implications this can have.</source>
+  <target>要允许任何重定向 URI，请设置模式为正则表达式，并将此值设置为 ".*"。请注意这可能带来的安全影响。</target>
 </trans-unit>
 <trans-unit id="sa52bf79fe1ccb13e">
  <source>Federated OIDC Sources</source>
@ -9382,7 +9226,136 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="sbfaee8cfbf4e44e8">
  <source>Require Outpost (flow can only be executed from an outpost)</source>
  <target>需要前哨（流程只能从前哨执行）</target>
+</trans-unit>
+<trans-unit id="sb80507bed88545a6">
+  <source>An application name is required</source>
+</trans-unit>
+<trans-unit id="s39c052006b2b141a">
+  <source>Not a valid URL</source>
+</trans-unit>
+<trans-unit id="s317f3ab0da3d068a">
+  <source>Not a valid slug</source>
+</trans-unit>
+<trans-unit id="s177577c23ed3ca7e">
+  <source>Configure The Application</source>
+</trans-unit>
+<trans-unit id="s030ed8a3f12c23ff">
+  <source>Configure Bindings</source>
+</trans-unit>
+<trans-unit id="sc387b20e6d629087">
+  <source>Configure Policy/User/Group Bindings</source>
+</trans-unit>
+<trans-unit id="s71c3ec95efe723ca">
+  <source>No bound policies.</source>
+</trans-unit>
+<trans-unit id="sab1786ef3c0383ba">
+  <source>Bind policy/group/user</source>
+</trans-unit>
+<trans-unit id="s082ea0f3c0a854ff">
+  <source>Configure Policy Bindings</source>
+</trans-unit>
+<trans-unit id="sac315d5bd28d4efa">
+  <source>Don't Pass</source>
+</trans-unit>
+<trans-unit id="s54a37223ce938349">
+  <source>Save Binding</source>
+</trans-unit>
+<trans-unit id="s931754aabd4a6a47">
+  <source>Create a Policy/User/Group Binding</source>
+</trans-unit>
+<trans-unit id="s10ba15343fe64890">
+  <source>Choose A Provider</source>
+</trans-unit>
+<trans-unit id="sb7be945aa799b8d7">
+  <source>Please choose a provider type before proceeding.</source>
+</trans-unit>
+<trans-unit id="s2289ff3b411251d8">
+  <source>Choose a Provider Type</source>
+</trans-unit>
+<trans-unit id="sde0ad51b14f77cf6">
+  <source>Redirect URIs/Origins (RegEx)</source>
+</trans-unit>
+<trans-unit id="s89ae85c3a9df8a6f">
+  <source>Configure OAuth2 Provider</source>
+</trans-unit>
+<trans-unit id="s881271a499c9db98">
+  <source>Configure Remote Access Provider</source>
+</trans-unit>
+<trans-unit id="s9b6bf63fddc7362f">
+  <source>List of CIDRs (comma-seperated) that clients can connect from. A more specific CIDR will match before a looser one. Clients connecting from a non-specified CIDR will be dropped.</source>
+</trans-unit>
+<trans-unit id="s19907c16eb319618">
+  <source>Configure Provider</source>
+</trans-unit>
+<trans-unit id="s7055edd8fab866f4">
+  <source>strict</source>
+</trans-unit>
+<trans-unit id="s5e57ca23b946c1b8">
+  <source>regexp</source>
+</trans-unit>
+<trans-unit id="sd226dc54c414585a">
+  <source>Review and Submit Application</source>
+</trans-unit>
+<trans-unit id="s828ded9ade500ffc">
+  <source>There was an error. Please go back and review the application.</source>
+</trans-unit>
+<trans-unit id="s9fdda682893624a1">
+  <source>There was an error:</source>
+</trans-unit>
+<trans-unit id="s201ee6bc6d9f97da">
+  <source>Please go back and review the application.</source>
+</trans-unit>
+<trans-unit id="s9c09ef16900241fa">
+  <source>Review the Application and Provider</source>
+</trans-unit>
+<trans-unit id="s0a0a21f7bcf9d865">
+  <source>Saving application...</source>
+</trans-unit>
+<trans-unit id="se669a4b939be0891">
+  <source>authentik was unable to complete this process.</source>
+</trans-unit>
+<trans-unit id="s8aac845c63f45ca2">
+  <source>Create with wizard</source>
+</trans-unit>
+<trans-unit id="s080af72866b69b3d">
+  <source>Bind existing <x id="0" equiv-text="${this.allowedTypesLabel}"/></source>
+</trans-unit>
+<trans-unit id="sa36117e97f49c86e">
+  <source>Successfully updated entitlement.</source>
+</trans-unit>
+<trans-unit id="s86bee999b735111f">
+  <source>Successfully created entitlement.</source>
+</trans-unit>
+<trans-unit id="s8a48455905fc14e6">
+  <source>Application entitlement(s)</source>
+</trans-unit>
+<trans-unit id="sae971cbff672090b">
+  <source>Update Entitlement</source>
+</trans-unit>
+<trans-unit id="s537a58ae0ff50f1c">
+  <source>These bindings control which users have access to this entitlement.</source>
+</trans-unit>
+<trans-unit id="s05849efeac672dc7">
+  <source>No app entitlements created.</source>
+</trans-unit>
+<trans-unit id="sdc8a8f29af6aa411">
+  <source>This application does currently not have any application entitlement defined.</source>
+</trans-unit>
+<trans-unit id="sf0bd204ce3fea1de">
+  <source>Create Entitlement</source>
+</trans-unit>
+<trans-unit id="s55d8e42d0a1c057e">
+  <source>Create entitlement</source>
+</trans-unit>
+<trans-unit id="sc6479479c936939f">
+  <source>Application entitlements</source>
+</trans-unit>
+<trans-unit id="sfafbd9bddb38d172">
+  <source>Application entitlements are in preview.</source>
+</trans-unit>
+<trans-unit id="s8e1c375a007d1839">
+  <source>These entitlements can be used to configure user access in this application.</source>
 </trans-unit>
    </body>
  </file>
-</xliff>
+</xliff>
--- a/web/xliff/zh-Hant.xlf
+++ b/web/xliff/zh-Hant.xlf
@ -1176,11 +1176,6 @@
      <trans-unit id="s9e9316a6b0c16231">
        <source>Client Networks</source>
      </trans-unit>
-      <trans-unit id="s7f2dcf01f7a8c0b7">
-        <source>List of CIDRs (comma-seperated) that clients can connect from. A more specific
-                            CIDR will match before a looser one. Clients connecting from a non-specified CIDR
-                            will be dropped.</source>
-      </trans-unit>
      <trans-unit id="s61eacb19db252f5e">
        <source>URL</source>
      </trans-unit>
@ -1633,16 +1628,10 @@
        <source>Run sync again</source>
        <target>再次运行同步</target>
      </trans-unit>
-      <trans-unit id="sc2cedfb22488ccb2">
-        <source>Modern applications, APIs and Single-page applications.</source>
-      </trans-unit>
      <trans-unit id="sc3259eb55cf91e8c">
        <source>LDAP</source>
        <target>LDAP</target>
      </trans-unit>
-      <trans-unit id="sffd5481034a1bd41">
-        <source>Provide an LDAP interface for applications and users to authenticate against.</source>
-      </trans-unit>
      <trans-unit id="s0c9670f429e74283">
        <source>New application</source>
      </trans-unit>
@ -2000,22 +1989,18 @@ doesn't pass when either or both of the selected options are equal or above the
      <trans-unit id="s2e532e19ed477a56">
        <source>Path</source>
      </trans-unit>
-      <trans-unit id="s67560d7e37d984c3">
-        <source>Policy / User / Group</source>
-        <target>策略/用户/组</target>
-      </trans-unit>
      <trans-unit id="s030ac0829bb50a49">
-        <source>Policy <x id="0" equiv-text="${item.policyObj?.name}"/></source>
+        <source>Policy <x id="0" equiv-text="${v.policyObj?.name}"/></source>
        <target>策略
        <x id="0" equiv-text="${item.policyObj?.name}"/></target>
      </trans-unit>
      <trans-unit id="s2a64d2dca3da9b0e">
-        <source>Group <x id="0" equiv-text="${item.groupObj?.name}"/></source>
+        <source>Group <x id="0" equiv-text="${v.groupObj?.name}"/></source>
        <target>组
        <x id="0" equiv-text="${item.groupObj?.name}"/></target>
      </trans-unit>
      <trans-unit id="se5dc026819a32ff8">
-        <source>User <x id="0" equiv-text="${item.userObj?.name}"/></source>
+        <source>User <x id="0" equiv-text="${v.userObj?.name}"/></source>
        <target>用户
        <x id="0" equiv-text="${item.userObj?.name}"/></target>
      </trans-unit>
@ -5531,36 +5516,12 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="se2b29e6cfe59414c">
  <source>UI Settings</source>
 </trans-unit>
-<trans-unit id="s836148f721d8913b">
-  <source>Transparent Reverse Proxy</source>
-</trans-unit>
-<trans-unit id="s945a6b94361ee45b">
-  <source>For transparent reverse proxies with required authentication</source>
-</trans-unit>
-<trans-unit id="s40830ec037f34626">
-  <source>Configure SAML provider manually</source>
-</trans-unit>
-<trans-unit id="sea9fc40dfd1d18b1">
-  <source>Configure RADIUS provider manually</source>
-</trans-unit>
-<trans-unit id="sa1b0052ae095b9b3">
-  <source>Configure SCIM provider manually</source>
-</trans-unit>
-<trans-unit id="s15831fa50a116545">
-  <source>Saving Application...</source>
-</trans-unit>
 <trans-unit id="s848288f8c2265aad">
  <source>Your application has been saved</source>
 </trans-unit>
 <trans-unit id="s67d858051b34c38b">
  <source>Method's display Name.</source>
 </trans-unit>
-<trans-unit id="h10ef80d434185070">
-  <source>Use this provider with nginx's <x id="0" equiv-text="&lt;code&gt;"/>auth_request<x id="1" equiv-text="&lt;/code&gt;"/> or traefik's
-                    <x id="2" equiv-text="&lt;code&gt;"/>forwardAuth<x id="3" equiv-text="&lt;/code&gt;"/>. Each application/domain needs its own provider.
-                    Additionally, on each domain, <x id="4" equiv-text="&lt;code&gt;"/>/outpost.goauthentik.io<x id="5" equiv-text="&lt;/code&gt;"/> must be
-                    routed to the outpost (when using a managed outpost, this is done for you).</source>
-</trans-unit>
 <trans-unit id="sd18b18f91b804c3f">
  <source>Custom attributes</source>
 </trans-unit>
@ -5669,9 +5630,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s2da4aa7a9abeb653">
  <source>Pseudolocale (for testing)</source>
 </trans-unit>
-<trans-unit id="s4bd386db7302bb22">
-  <source>Create With Wizard</source>
-</trans-unit>
 <trans-unit id="s070fdfb03034ca9b">
  <source>One hint, 'New Application Wizard', is currently hidden</source>
 </trans-unit>
@ -5681,36 +5639,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s6985c401e1100122">
  <source>Message shown when this stage is run.</source>
 </trans-unit>
-<trans-unit id="s09f0c100d0ad2fec">
-  <source>Open Wizard</source>
-</trans-unit>
-<trans-unit id="sf2ef885f7d0a101d">
-  <source>Demo Wizard</source>
-</trans-unit>
-<trans-unit id="s77505ee5d2e45e53">
-  <source>Run the demo wizard</source>
-</trans-unit>
-<trans-unit id="s4498e890d47a8066">
-  <source>OAuth2/OIDC (Open Authorization/OpenID Connect)</source>
-</trans-unit>
-<trans-unit id="s4f2e195d09e2868c">
-  <source>LDAP (Lightweight Directory Access Protocol)</source>
-</trans-unit>
-<trans-unit id="s7f5bb0c9923315ed">
-  <source>Forward Auth (Single Application)</source>
-</trans-unit>
-<trans-unit id="sf8008d2d6b064b95">
-  <source>Forward Auth (Domain Level)</source>
-</trans-unit>
-<trans-unit id="sfa8a1ffa9fee07d3">
-  <source>SAML (Security Assertion Markup Language)</source>
-</trans-unit>
-<trans-unit id="s848a23972e388662">
-  <source>RADIUS (Remote Authentication Dial-In User Service)</source>
-</trans-unit>
-<trans-unit id="s3e902999ddf7b50e">
-  <source>SCIM (System for Cross-domain Identity Management)</source>
-</trans-unit>
 <trans-unit id="sdc5690be4a342985">
  <source>The token has been copied to your clipboard</source>
 </trans-unit>
@ -5744,12 +5672,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s0924f51b028233a3">
  <source>&lt;No name set&gt;</source>
 </trans-unit>
-<trans-unit id="sdc9a6ad1af30572c">
-  <source>For nginx's auth_request or traefik's forwardAuth</source>
-</trans-unit>
-<trans-unit id="sfc31264ef7ff86ef">
-  <source>For nginx's auth_request or traefik's forwardAuth per root domain</source>
-</trans-unit>
 <trans-unit id="s32babfed740fd3c1">
  <source>User type used for newly created users.</source>
 </trans-unit>
@ -5819,18 +5741,12 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s21f95eaf151d4ce3">
  <source>Review the provider.</source>
 </trans-unit>
-<trans-unit id="s9fd39a5cb20b4e61">
-  <source>There was an error</source>
-</trans-unit>
 <trans-unit id="s7a6b3453209e1066">
  <source>There was an error creating the application, but no error message was sent. Please review the server logs.</source>
 </trans-unit>
 <trans-unit id="s1a711c19cda48375">
  <source>Configure LDAP Provider</source>
 </trans-unit>
-<trans-unit id="s9368e965b5c292ab">
-  <source>Configure OAuth2/OpenId Provider</source>
-</trans-unit>
 <trans-unit id="sf5cbccdc6254c8dc">
  <source>Configure Proxy Provider</source>
 </trans-unit>
@ -5840,15 +5756,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="sfe906cde5dddc041">
  <source>Configure SAML Provider</source>
 </trans-unit>
-<trans-unit id="sb3defbacd01ad972">
-  <source>Property mappings used for user mapping.</source>
-</trans-unit>
 <trans-unit id="s7ccce0ec8d228db6">
  <source>Configure SCIM Provider</source>
 </trans-unit>
-<trans-unit id="sd7728d2b6e1d25e9">
-  <source>Property mappings used for group creation.</source>
-</trans-unit>
 <trans-unit id="s7513372fe60f6387">
  <source>Event volume</source>
 </trans-unit>
@ -6178,15 +6088,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="se16b4d412ad1aba9">
  <source>Brand name</source>
 </trans-unit>
-<trans-unit id="sb7e68dcad68a638c">
-  <source>Remote Access Provider</source>
-</trans-unit>
-<trans-unit id="sfb1980a471b7dfb6">
-  <source>Remotely access computers/servers via RDP/SSH/VNC</source>
-</trans-unit>
-<trans-unit id="s9ffdea131dddb3c5">
-  <source>Configure Remote Access Provider Provider</source>
-</trans-unit>
 <trans-unit id="s56bc67239b9255a2">
  <source>Delete authorization on disconnect</source>
 </trans-unit>
@ -6556,15 +6457,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s3dc14a4b8129f989">
  <source>Pagination</source>
 </trans-unit>
-<trans-unit id="s6d46b842e227be57">
-  <source>Application Details</source>
-</trans-unit>
-<trans-unit id="s76415a60e548cafe">
-  <source>Provider Configuration</source>
-</trans-unit>
-<trans-unit id="sde59c64619570b57">
-  <source>Submit Application</source>
-</trans-unit>
 <trans-unit id="sf2da0e95c78f2cb7">
  <source>Restore Application Wizard Hint</source>
 </trans-unit>
@ -6808,9 +6700,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s2d5f69929bb7221d">
  <source><x id="0" equiv-text="${p.name}"/> ("<x id="1" equiv-text="${p.fieldKey}"/>", of type <x id="2" equiv-text="${p.type}"/>)</source>
 </trans-unit>
-<trans-unit id="sa38c5a2731be3a46">
-  <source>authentik was unable to save this application:</source>
-</trans-unit>
 <trans-unit id="s25bacc19d98b444e">
  <source>Parent Group</source>
 </trans-unit>
@ -6997,9 +6886,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s4c49d27de60a532b">
  <source>To allow any redirect URI, set the mode to Regex and the value to ".*". Be aware of the possible security implications this can have.</source>
 </trans-unit>
-<trans-unit id="s43f899a86c6a3484">
-  <source>Redirect URIs/Origins</source>
-</trans-unit>
 <trans-unit id="sa52bf79fe1ccb13e">
  <source>Federated OIDC Sources</source>
 </trans-unit>
@ -7077,6 +6963,135 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sbfaee8cfbf4e44e8">
  <source>Require Outpost (flow can only be executed from an outpost)</source>
+</trans-unit>
+<trans-unit id="sb80507bed88545a6">
+  <source>An application name is required</source>
+</trans-unit>
+<trans-unit id="s39c052006b2b141a">
+  <source>Not a valid URL</source>
+</trans-unit>
+<trans-unit id="s317f3ab0da3d068a">
+  <source>Not a valid slug</source>
+</trans-unit>
+<trans-unit id="s177577c23ed3ca7e">
+  <source>Configure The Application</source>
+</trans-unit>
+<trans-unit id="s030ed8a3f12c23ff">
+  <source>Configure Bindings</source>
+</trans-unit>
+<trans-unit id="sc387b20e6d629087">
+  <source>Configure Policy/User/Group Bindings</source>
+</trans-unit>
+<trans-unit id="s71c3ec95efe723ca">
+  <source>No bound policies.</source>
+</trans-unit>
+<trans-unit id="sab1786ef3c0383ba">
+  <source>Bind policy/group/user</source>
+</trans-unit>
+<trans-unit id="s082ea0f3c0a854ff">
+  <source>Configure Policy Bindings</source>
+</trans-unit>
+<trans-unit id="sac315d5bd28d4efa">
+  <source>Don't Pass</source>
+</trans-unit>
+<trans-unit id="s54a37223ce938349">
+  <source>Save Binding</source>
+</trans-unit>
+<trans-unit id="s931754aabd4a6a47">
+  <source>Create a Policy/User/Group Binding</source>
+</trans-unit>
+<trans-unit id="s10ba15343fe64890">
+  <source>Choose A Provider</source>
+</trans-unit>
+<trans-unit id="sb7be945aa799b8d7">
+  <source>Please choose a provider type before proceeding.</source>
+</trans-unit>
+<trans-unit id="s2289ff3b411251d8">
+  <source>Choose a Provider Type</source>
+</trans-unit>
+<trans-unit id="sde0ad51b14f77cf6">
+  <source>Redirect URIs/Origins (RegEx)</source>
+</trans-unit>
+<trans-unit id="s89ae85c3a9df8a6f">
+  <source>Configure OAuth2 Provider</source>
+</trans-unit>
+<trans-unit id="s881271a499c9db98">
+  <source>Configure Remote Access Provider</source>
+</trans-unit>
+<trans-unit id="s9b6bf63fddc7362f">
+  <source>List of CIDRs (comma-seperated) that clients can connect from. A more specific CIDR will match before a looser one. Clients connecting from a non-specified CIDR will be dropped.</source>
+</trans-unit>
+<trans-unit id="s19907c16eb319618">
+  <source>Configure Provider</source>
+</trans-unit>
+<trans-unit id="s7055edd8fab866f4">
+  <source>strict</source>
+</trans-unit>
+<trans-unit id="s5e57ca23b946c1b8">
+  <source>regexp</source>
+</trans-unit>
+<trans-unit id="sd226dc54c414585a">
+  <source>Review and Submit Application</source>
+</trans-unit>
+<trans-unit id="s828ded9ade500ffc">
+  <source>There was an error. Please go back and review the application.</source>
+</trans-unit>
+<trans-unit id="s9fdda682893624a1">
+  <source>There was an error:</source>
+</trans-unit>
+<trans-unit id="s201ee6bc6d9f97da">
+  <source>Please go back and review the application.</source>
+</trans-unit>
+<trans-unit id="s9c09ef16900241fa">
+  <source>Review the Application and Provider</source>
+</trans-unit>
+<trans-unit id="s0a0a21f7bcf9d865">
+  <source>Saving application...</source>
+</trans-unit>
+<trans-unit id="se669a4b939be0891">
+  <source>authentik was unable to complete this process.</source>
+</trans-unit>
+<trans-unit id="s8aac845c63f45ca2">
+  <source>Create with wizard</source>
+</trans-unit>
+<trans-unit id="s080af72866b69b3d">
+  <source>Bind existing <x id="0" equiv-text="${this.allowedTypesLabel}"/></source>
+</trans-unit>
+<trans-unit id="sa36117e97f49c86e">
+  <source>Successfully updated entitlement.</source>
+</trans-unit>
+<trans-unit id="s86bee999b735111f">
+  <source>Successfully created entitlement.</source>
+</trans-unit>
+<trans-unit id="s8a48455905fc14e6">
+  <source>Application entitlement(s)</source>
+</trans-unit>
+<trans-unit id="sae971cbff672090b">
+  <source>Update Entitlement</source>
+</trans-unit>
+<trans-unit id="s537a58ae0ff50f1c">
+  <source>These bindings control which users have access to this entitlement.</source>
+</trans-unit>
+<trans-unit id="s05849efeac672dc7">
+  <source>No app entitlements created.</source>
+</trans-unit>
+<trans-unit id="sdc8a8f29af6aa411">
+  <source>This application does currently not have any application entitlement defined.</source>
+</trans-unit>
+<trans-unit id="sf0bd204ce3fea1de">
+  <source>Create Entitlement</source>
+</trans-unit>
+<trans-unit id="s55d8e42d0a1c057e">
+  <source>Create entitlement</source>
+</trans-unit>
+<trans-unit id="sc6479479c936939f">
+  <source>Application entitlements</source>
+</trans-unit>
+<trans-unit id="sfafbd9bddb38d172">
+  <source>Application entitlements are in preview.</source>
+</trans-unit>
+<trans-unit id="s8e1c375a007d1839">
+  <source>These entitlements can be used to configure user access in this application.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/zh_TW.xlf
+++ b/web/xliff/zh_TW.xlf
@ -1533,14 +1533,6 @@
        <target>用戶端網路</target>

      </trans-unit>
-      <trans-unit id="s7f2dcf01f7a8c0b7">
-        <source>List of CIDRs (comma-seperated) that clients can connect from. A more specific
-                            CIDR will match before a looser one. Clients connecting from a non-specified CIDR
-                            will be dropped.</source>
-        <target>用戶端可以連線的 CIDR 列表（以逗號分隔）。
-		                    更具體的 CIDR 會在較寬鬆的 CIDR 之前優先套用。
-		                    來自未指定 CIDR 的用戶端連線將被拒絕。</target>
-      </trans-unit>
      <trans-unit id="s61eacb19db252f5e">
        <source>URL</source>
        <target>網址</target>
@ -2138,21 +2130,11 @@
        <source>Run sync again</source>
        <target>再次執行同步</target>

-      </trans-unit>
-      <trans-unit id="sc2cedfb22488ccb2">
-        <source>Modern applications, APIs and Single-page applications.</source>
-        <target>新一代的應用程式，API 和單頁式應用程式</target>
-
      </trans-unit>
      <trans-unit id="sc3259eb55cf91e8c">
        <source>LDAP</source>
        <target>LDAP</target>

-      </trans-unit>
-      <trans-unit id="sffd5481034a1bd41">
-        <source>Provide an LDAP interface for applications and users to authenticate against.</source>
-        <target>提供一個 LDAP 介面，供應用程式和用戶進行身份認證。</target>
-
      </trans-unit>
      <trans-unit id="s0c9670f429e74283">
        <source>New application</source>
@ -2618,24 +2600,19 @@ doesn't pass when either or both of the selected options are equal or above the
        <source>Path</source>
        <target>路徑</target>

-      </trans-unit>
-      <trans-unit id="s67560d7e37d984c3">
-        <source>Policy / User / Group</source>
-        <target>政策 / 使用者 / 群組</target>
-
      </trans-unit>
      <trans-unit id="s030ac0829bb50a49">
-        <source>Policy <x id="0" equiv-text="${item.policyObj?.name}"/></source>
+        <source>Policy <x id="0" equiv-text="${v.policyObj?.name}"/></source>
        <target>政策 <x id="0" equiv-text="${item.policyObj?.name}"/></target>

      </trans-unit>
      <trans-unit id="s2a64d2dca3da9b0e">
-        <source>Group <x id="0" equiv-text="${item.groupObj?.name}"/></source>
+        <source>Group <x id="0" equiv-text="${v.groupObj?.name}"/></source>
        <target>群組 <x id="0" equiv-text="${item.groupObj?.name}"/></target>

      </trans-unit>
      <trans-unit id="se5dc026819a32ff8">
-        <source>User <x id="0" equiv-text="${item.userObj?.name}"/></source>
+        <source>User <x id="0" equiv-text="${v.userObj?.name}"/></source>
        <target>使用者 <x id="0" equiv-text="${item.userObj?.name}"/></target>

      </trans-unit>
@ -7259,30 +7236,6 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>UI Settings</source>
  <target>使用者介面設定</target>
 </trans-unit>
-<trans-unit id="s836148f721d8913b">
-  <source>Transparent Reverse Proxy</source>
-  <target>透明反向代理</target>
-</trans-unit>
-<trans-unit id="s945a6b94361ee45b">
-  <source>For transparent reverse proxies with required authentication</source>
-  <target>用於需要身份認證的透明反向代理</target>
-</trans-unit>
-<trans-unit id="s40830ec037f34626">
-  <source>Configure SAML provider manually</source>
-  <target>手動設定 SAML 供應商</target>
-</trans-unit>
-<trans-unit id="sea9fc40dfd1d18b1">
-  <source>Configure RADIUS provider manually</source>
-  <target>手動設定 RADIUS 供應商</target>
-</trans-unit>
-<trans-unit id="sa1b0052ae095b9b3">
-  <source>Configure SCIM provider manually</source>
-  <target>手動設定 SCIM 供應商</target>
-</trans-unit>
-<trans-unit id="s15831fa50a116545">
-  <source>Saving Application...</source>
-  <target>儲存應用程式中……</target>
-</trans-unit>
 <trans-unit id="s848288f8c2265aad">
  <source>Your application has been saved</source>
  <target>已經儲存您的應用程式</target>
@ -7291,14 +7244,6 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>Method's display Name.</source>
  <target>方法的顯示名稱。</target>
 </trans-unit>
-<trans-unit id="h10ef80d434185070">
-  <source>Use this provider with nginx's <x id="0" equiv-text="&lt;code&gt;"/>auth_request<x id="1" equiv-text="&lt;/code&gt;"/> or traefik's
-                    <x id="2" equiv-text="&lt;code&gt;"/>forwardAuth<x id="3" equiv-text="&lt;/code&gt;"/>. Each application/domain needs its own provider.
-                    Additionally, on each domain, <x id="4" equiv-text="&lt;code&gt;"/>/outpost.goauthentik.io<x id="5" equiv-text="&lt;/code&gt;"/> must be
-                    routed to the outpost (when using a managed outpost, this is done for you).</source>
-  <target>將此供應商與 nginx 的<x id="0" equiv-text="&lt;code&gt;"/>auth_request<x id="1" equiv-text="&lt;/code&gt;"/>或 traefik 的<x id="2" equiv-text="&lt;code&gt;"/>forwardAuth<x id="3" equiv-text="&lt;/code&gt;"/>一起使用。
-                    每個應用程式或網域需要其自己的供應商。此外，在每個網域上，<x id="4" equiv-text="&lt;code&gt;"/>/outpost.goauthentik.io<x id="5" equiv-text="&lt;/code&gt;"/>必須路由到 Outpost（當使用代管的 Outpost 時，這將會自動完成）。</target>
-</trans-unit>
 <trans-unit id="sd18b18f91b804c3f">
  <source>Custom attributes</source>
  <target>客製化特徵項</target>
@ -7443,10 +7388,6 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>Pseudolocale (for testing)</source>
  <target>虛擬翻譯語言（用於測試）</target>
 </trans-unit>
-<trans-unit id="s4bd386db7302bb22">
-  <source>Create With Wizard</source>
-  <target>使用設定精靈建立</target>
-</trans-unit>
 <trans-unit id="s070fdfb03034ca9b">
  <source>One hint, 'New Application Wizard', is currently hidden</source>
  <target>提示：「新增應用程式設定精靈」目前處於隱藏中</target>
@ -7459,46 +7400,6 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>Message shown when this stage is run.</source>
  <target>當這個階段執行時會顯示的訊息。</target>
 </trans-unit>
-<trans-unit id="s09f0c100d0ad2fec">
-  <source>Open Wizard</source>
-  <target>開啟設定精靈</target>
-</trans-unit>
-<trans-unit id="sf2ef885f7d0a101d">
-  <source>Demo Wizard</source>
-  <target>設定精靈示範</target>
-</trans-unit>
-<trans-unit id="s77505ee5d2e45e53">
-  <source>Run the demo wizard</source>
-  <target>執行設定精靈示範</target>
-</trans-unit>
-<trans-unit id="s4498e890d47a8066">
-  <source>OAuth2/OIDC (Open Authorization/OpenID Connect)</source>
-  <target>OAuth2/OIDC (Open Authorization/OpenID Connect)</target>
-</trans-unit>
-<trans-unit id="s4f2e195d09e2868c">
-  <source>LDAP (Lightweight Directory Access Protocol)</source>
-  <target>LDAP (Lightweight Directory Access Protocol)</target>
-</trans-unit>
-<trans-unit id="s7f5bb0c9923315ed">
-  <source>Forward Auth (Single Application)</source>
-  <target>轉發認證（單一應用程式）</target>
-</trans-unit>
-<trans-unit id="sf8008d2d6b064b95">
-  <source>Forward Auth (Domain Level)</source>
-  <target>轉發認證（網域層級）</target>
-</trans-unit>
-<trans-unit id="sfa8a1ffa9fee07d3">
-  <source>SAML (Security Assertion Markup Language)</source>
-  <target>SAML (Security Assertion Markup Language)</target>
-</trans-unit>
-<trans-unit id="s848a23972e388662">
-  <source>RADIUS (Remote Authentication Dial-In User Service)</source>
-  <target>RADIUS (Remote Authentication Dial-In User Service)</target>
-</trans-unit>
-<trans-unit id="s3e902999ddf7b50e">
-  <source>SCIM (System for Cross-domain Identity Management)</source>
-  <target>SCIM (System for Cross-domain Identity Management)</target>
-</trans-unit>
 <trans-unit id="sdc5690be4a342985">
  <source>The token has been copied to your clipboard</source>
  <target>權杖已經複製到您的剪貼簿</target>
@ -7543,14 +7444,6 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>&lt;No name set&gt;</source>
  <target>&lt;No name set&gt;</target>
 </trans-unit>
-<trans-unit id="sdc9a6ad1af30572c">
-  <source>For nginx's auth_request or traefik's forwardAuth</source>
-  <target>適用於 nginx 的「auth_request」或 traefik 的「forwardAuth」</target>
-</trans-unit>
-<trans-unit id="sfc31264ef7ff86ef">
-  <source>For nginx's auth_request or traefik's forwardAuth per root domain</source>
-  <target>適用於每個主網域的 nginx 的「auth_request」或 traefik 的「forwardAuth」</target>
-</trans-unit>
 <trans-unit id="s32babfed740fd3c1">
  <source>User type used for newly created users.</source>
  <target>用於建立使用者的使用者類型。</target>
@ -7642,18 +7535,12 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s21f95eaf151d4ce3">
  <source>Review the provider.</source>
 </trans-unit>
-<trans-unit id="s9fd39a5cb20b4e61">
-  <source>There was an error</source>
-</trans-unit>
 <trans-unit id="s7a6b3453209e1066">
  <source>There was an error creating the application, but no error message was sent. Please review the server logs.</source>
 </trans-unit>
 <trans-unit id="s1a711c19cda48375">
  <source>Configure LDAP Provider</source>
 </trans-unit>
-<trans-unit id="s9368e965b5c292ab">
-  <source>Configure OAuth2/OpenId Provider</source>
-</trans-unit>
 <trans-unit id="sf5cbccdc6254c8dc">
  <source>Configure Proxy Provider</source>
 </trans-unit>
@ -7663,15 +7550,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="sfe906cde5dddc041">
  <source>Configure SAML Provider</source>
 </trans-unit>
-<trans-unit id="sb3defbacd01ad972">
-  <source>Property mappings used for user mapping.</source>
-</trans-unit>
 <trans-unit id="s7ccce0ec8d228db6">
  <source>Configure SCIM Provider</source>
 </trans-unit>
-<trans-unit id="sd7728d2b6e1d25e9">
-  <source>Property mappings used for group creation.</source>
-</trans-unit>
 <trans-unit id="s7513372fe60f6387">
  <source>Event volume</source>
 </trans-unit>
@ -8001,15 +7882,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="se16b4d412ad1aba9">
  <source>Brand name</source>
 </trans-unit>
-<trans-unit id="sb7e68dcad68a638c">
-  <source>Remote Access Provider</source>
-</trans-unit>
-<trans-unit id="sfb1980a471b7dfb6">
-  <source>Remotely access computers/servers via RDP/SSH/VNC</source>
-</trans-unit>
-<trans-unit id="s9ffdea131dddb3c5">
-  <source>Configure Remote Access Provider Provider</source>
-</trans-unit>
 <trans-unit id="s56bc67239b9255a2">
  <source>Delete authorization on disconnect</source>
 </trans-unit>
@ -8379,15 +8251,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s3dc14a4b8129f989">
  <source>Pagination</source>
 </trans-unit>
-<trans-unit id="s6d46b842e227be57">
-  <source>Application Details</source>
-</trans-unit>
-<trans-unit id="s76415a60e548cafe">
-  <source>Provider Configuration</source>
-</trans-unit>
-<trans-unit id="sde59c64619570b57">
-  <source>Submit Application</source>
-</trans-unit>
 <trans-unit id="sf2da0e95c78f2cb7">
  <source>Restore Application Wizard Hint</source>
 </trans-unit>
@ -8631,9 +8494,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s2d5f69929bb7221d">
  <source><x id="0" equiv-text="${p.name}"/> ("<x id="1" equiv-text="${p.fieldKey}"/>", of type <x id="2" equiv-text="${p.type}"/>)</source>
 </trans-unit>
-<trans-unit id="sa38c5a2731be3a46">
-  <source>authentik was unable to save this application:</source>
-</trans-unit>
 <trans-unit id="s25bacc19d98b444e">
  <source>Parent Group</source>
 </trans-unit>
@ -8820,9 +8680,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s4c49d27de60a532b">
  <source>To allow any redirect URI, set the mode to Regex and the value to ".*". Be aware of the possible security implications this can have.</source>
 </trans-unit>
-<trans-unit id="s43f899a86c6a3484">
-  <source>Redirect URIs/Origins</source>
-</trans-unit>
 <trans-unit id="sa52bf79fe1ccb13e">
  <source>Federated OIDC Sources</source>
 </trans-unit>
@ -8900,6 +8757,135 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sbfaee8cfbf4e44e8">
  <source>Require Outpost (flow can only be executed from an outpost)</source>
+</trans-unit>
+<trans-unit id="sb80507bed88545a6">
+  <source>An application name is required</source>
+</trans-unit>
+<trans-unit id="s39c052006b2b141a">
+  <source>Not a valid URL</source>
+</trans-unit>
+<trans-unit id="s317f3ab0da3d068a">
+  <source>Not a valid slug</source>
+</trans-unit>
+<trans-unit id="s177577c23ed3ca7e">
+  <source>Configure The Application</source>
+</trans-unit>
+<trans-unit id="s030ed8a3f12c23ff">
+  <source>Configure Bindings</source>
+</trans-unit>
+<trans-unit id="sc387b20e6d629087">
+  <source>Configure Policy/User/Group Bindings</source>
+</trans-unit>
+<trans-unit id="s71c3ec95efe723ca">
+  <source>No bound policies.</source>
+</trans-unit>
+<trans-unit id="sab1786ef3c0383ba">
+  <source>Bind policy/group/user</source>
+</trans-unit>
+<trans-unit id="s082ea0f3c0a854ff">
+  <source>Configure Policy Bindings</source>
+</trans-unit>
+<trans-unit id="sac315d5bd28d4efa">
+  <source>Don't Pass</source>
+</trans-unit>
+<trans-unit id="s54a37223ce938349">
+  <source>Save Binding</source>
+</trans-unit>
+<trans-unit id="s931754aabd4a6a47">
+  <source>Create a Policy/User/Group Binding</source>
+</trans-unit>
+<trans-unit id="s10ba15343fe64890">
+  <source>Choose A Provider</source>
+</trans-unit>
+<trans-unit id="sb7be945aa799b8d7">
+  <source>Please choose a provider type before proceeding.</source>
+</trans-unit>
+<trans-unit id="s2289ff3b411251d8">
+  <source>Choose a Provider Type</source>
+</trans-unit>
+<trans-unit id="sde0ad51b14f77cf6">
+  <source>Redirect URIs/Origins (RegEx)</source>
+</trans-unit>
+<trans-unit id="s89ae85c3a9df8a6f">
+  <source>Configure OAuth2 Provider</source>
+</trans-unit>
+<trans-unit id="s881271a499c9db98">
+  <source>Configure Remote Access Provider</source>
+</trans-unit>
+<trans-unit id="s9b6bf63fddc7362f">
+  <source>List of CIDRs (comma-seperated) that clients can connect from. A more specific CIDR will match before a looser one. Clients connecting from a non-specified CIDR will be dropped.</source>
+</trans-unit>
+<trans-unit id="s19907c16eb319618">
+  <source>Configure Provider</source>
+</trans-unit>
+<trans-unit id="s7055edd8fab866f4">
+  <source>strict</source>
+</trans-unit>
+<trans-unit id="s5e57ca23b946c1b8">
+  <source>regexp</source>
+</trans-unit>
+<trans-unit id="sd226dc54c414585a">
+  <source>Review and Submit Application</source>
+</trans-unit>
+<trans-unit id="s828ded9ade500ffc">
+  <source>There was an error. Please go back and review the application.</source>
+</trans-unit>
+<trans-unit id="s9fdda682893624a1">
+  <source>There was an error:</source>
+</trans-unit>
+<trans-unit id="s201ee6bc6d9f97da">
+  <source>Please go back and review the application.</source>
+</trans-unit>
+<trans-unit id="s9c09ef16900241fa">
+  <source>Review the Application and Provider</source>
+</trans-unit>
+<trans-unit id="s0a0a21f7bcf9d865">
+  <source>Saving application...</source>
+</trans-unit>
+<trans-unit id="se669a4b939be0891">
+  <source>authentik was unable to complete this process.</source>
+</trans-unit>
+<trans-unit id="s8aac845c63f45ca2">
+  <source>Create with wizard</source>
+</trans-unit>
+<trans-unit id="s080af72866b69b3d">
+  <source>Bind existing <x id="0" equiv-text="${this.allowedTypesLabel}"/></source>
+</trans-unit>
+<trans-unit id="sa36117e97f49c86e">
+  <source>Successfully updated entitlement.</source>
+</trans-unit>
+<trans-unit id="s86bee999b735111f">
+  <source>Successfully created entitlement.</source>
+</trans-unit>
+<trans-unit id="s8a48455905fc14e6">
+  <source>Application entitlement(s)</source>
+</trans-unit>
+<trans-unit id="sae971cbff672090b">
+  <source>Update Entitlement</source>
+</trans-unit>
+<trans-unit id="s537a58ae0ff50f1c">
+  <source>These bindings control which users have access to this entitlement.</source>
+</trans-unit>
+<trans-unit id="s05849efeac672dc7">
+  <source>No app entitlements created.</source>
+</trans-unit>
+<trans-unit id="sdc8a8f29af6aa411">
+  <source>This application does currently not have any application entitlement defined.</source>
+</trans-unit>
+<trans-unit id="sf0bd204ce3fea1de">
+  <source>Create Entitlement</source>
+</trans-unit>
+<trans-unit id="s55d8e42d0a1c057e">
+  <source>Create entitlement</source>
+</trans-unit>
+<trans-unit id="sc6479479c936939f">
+  <source>Application entitlements</source>
+</trans-unit>
+<trans-unit id="sfafbd9bddb38d172">
+  <source>Application entitlements are in preview.</source>
+</trans-unit>
+<trans-unit id="s8e1c375a007d1839">
+  <source>These entitlements can be used to configure user access in this application.</source>
 </trans-unit>
    </body>
  </file>
--- a/website/docs/install-config/beta.mdx
+++ b/website/docs/install-config/beta.mdx
@ -27,6 +27,8 @@ AUTHENTIK_TAG=gh-next
 AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
 ```

+The Beta image is amd64 only. For arm64 platforms, append `-arm64` to the tag name (no spaces).
+
 Next, run the upgrade commands below.

  </TabItem>
@ -45,6 +47,8 @@ image:
    pullPolicy: Always
 ```

+The Beta image is amd64 only. For arm64 platforms, append `-arm64` to the tag name (no spaces).
+
 Next, run the upgrade commands below.

  </TabItem>
--- a/website/docs/install-config/install/aws/template.yaml
+++ b/website/docs/install-config/install/aws/template.yaml
@ -24,7 +24,7 @@ Parameters:
    Description: authentik server memory in MiB
    Type: Number
  AuthentikVersion:
-    Default: 2024.12.4
+    Default: 2024.12.0
    Description: authentik Docker image tag
    Type: String
  AuthentikWorkerCPU:
--- a/website/docs/security/cves/CVE-2025-29928.md
+++ b/website/docs/security/cves/CVE-2025-29928.md
@ -1,23 +0,0 @@
-# CVE-2025-29928
-
-## Deletion of sessions did not revoke sessions when using database session storage
-
-### Summary
-
-When authentik was configured to use the database for session storage (which is a non-default setting), deleting sessions via the Web Interface or the API would not revoke the session and the session holder would continue to have access to authentik.
-
-This also affects automatic session deletion when a user is set to inactive or a user is deleted.
-
-### Patches
-
-authentik 2025.2.3 and 2024.12.4 fix this issue.
-
-### Workarounds
-
-Switching to the cache-based session storage until the authentik instance can be upgraded is recommended.
-
-### For more information
-
-If you have any questions or comments about this advisory:
-
- Email us at [security@goauthentik.io](mailto:security@goauthentik.io).
--- a/website/sidebars.js
+++ b/website/sidebars.js
@ -674,11 +674,6 @@ export default {
                    type: "category",
                    label: "CVEs",
                    items: [
-                        {
-                            type: "category",
-                            label: "2024",
-                            items: ["security/cves/CVE-2025-29928"],
-                        },
                        {
                            type: "category",
                            label: "2024",
Author	SHA1	Message	Date
Marc 'risson' Schmitt	7d0abbf072	core, events: reduce memory usage when batch deleting objects Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>	2024-12-20 11:57:53 +01:00
authentik-automation[bot]	640d0a4a95	core, web: update translations (#12432 ) Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: rissson <18313093+rissson@users.noreply.github.com>	2024-12-20 10:42:51 +01:00
Jens L.	6b8782556c	blueprints: fix schema for meta models (#12421 ) Signed-off-by: Jens Langhammer <jens@goauthentik.io>	2024-12-20 03:27:28 +01:00
authentik-automation[bot]	7f6f3b6602	web: bump API Client version (#12431 ) Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>	2024-12-19 20:52:20 +00:00
Marc 'risson' Schmitt	3367ac0e08	root: backport version bump (#12426 )	2024-12-19 21:27:13 +01:00
Tana M Berry	d5ea0ffdc6	website/docs: add content about bindings (#11787 ) Co-authored-by: Tana M Berry <tana@goauthentik.com> Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>	2024-12-19 20:35:20 +01:00
Marc 'risson' Schmitt	93f1638b39	release: 2024.12.0 (#12423 )	2024-12-19 19:15:34 +00:00
Marc 'risson' Schmitt	37525175fa	providers/saml: provide generic metadata url when possible (#12413 )	2024-12-19 20:00:44 +01:00
Tana M Berry	0db1e52f90	website/docs: add new section about impersonation (#12328 ) Co-authored-by: Tana M Berry <tana@goauthentik.com> Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>	2024-12-19 19:58:58 +01:00
Marc 'risson' Schmitt	3e8620b686	website/docs: prepare for 2024.12.0 (#12420 )	2024-12-19 18:17:14 +00:00
Tomás Farías Santana	6687ffc6d2	root: expose CONN_MAX_AGE, CONN_HEALTH_CHECKS and DISABLE_SERVER_SIDE_CURSORS for PostgreSQL config (#10159 ) Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> Co-authored-by: Tana M Berry <tana@goauthentik.com>	2024-12-19 17:44:18 +00:00
Marc 'risson' Schmitt	e265ee253b	events: notification_cleanup: avoid unnecessary loop (#12417 )	2024-12-19 17:20:04 +00:00
dependabot[bot]	7763a3673c	core: bump msgraph-sdk from 1.14.0 to 1.15.0 (#12403 ) Bumps [msgraph-sdk](https://github.com/microsoftgraph/msgraph-sdk-python) from 1.14.0 to 1.15.0. - [Release notes](https://github.com/microsoftgraph/msgraph-sdk-python/releases) - [Changelog](https://github.com/microsoftgraph/msgraph-sdk-python/blob/main/CHANGELOG.md) - [Commits](https://github.com/microsoftgraph/msgraph-sdk-python/compare/v1.14.0...v1.15.0) --- updated-dependencies: - dependency-name: msgraph-sdk dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2024-12-19 12:02:42 +01:00
dependabot[bot]	d99005e130	core: bump pydantic from 2.10.3 to 2.10.4 (#12404 ) Bumps [pydantic](https://github.com/pydantic/pydantic) from 2.10.3 to 2.10.4. - [Release notes](https://github.com/pydantic/pydantic/releases) - [Changelog](https://github.com/pydantic/pydantic/blob/main/HISTORY.md) - [Commits](https://github.com/pydantic/pydantic/compare/v2.10.3...v2.10.4) --- updated-dependencies: - dependency-name: pydantic dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2024-12-19 12:02:30 +01:00
dependabot[bot]	c61f96e770	core: bump google-api-python-client from 2.155.0 to 2.156.0 (#12405 ) Bumps [google-api-python-client](https://github.com/googleapis/google-api-python-client) from 2.155.0 to 2.156.0. - [Release notes](https://github.com/googleapis/google-api-python-client/releases) - [Commits](https://github.com/googleapis/google-api-python-client/compare/v2.155.0...v2.156.0) --- updated-dependencies: - dependency-name: google-api-python-client dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2024-12-19 12:02:19 +01:00
dependabot[bot]	83622dd934	core: bump goauthentik.io/api/v3 from 3.2024105.3 to 3.2024105.5 (#12406 ) Bumps [goauthentik.io/api/v3](https://github.com/goauthentik/client-go) from 3.2024105.3 to 3.2024105.5. - [Release notes](https://github.com/goauthentik/client-go/releases) - [Changelog](https://github.com/goauthentik/client-go/blob/main/model_version_history.go) - [Commits](https://github.com/goauthentik/client-go/compare/v3.2024105.3...v3.2024105.5) --- updated-dependencies: - dependency-name: goauthentik.io/api/v3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2024-12-19 12:02:09 +01:00
transifex-integration[bot]	2eebd0eaa1	translate: Updates for file web/xliff/en.xlf in zh_CN (#12402 ) Translate web/xliff/en.xlf in zh_CN 100% translated source file: 'web/xliff/en.xlf' on 'zh_CN'. Co-authored-by: transifex-integration[bot] <43880903+transifex-integration[bot]@users.noreply.github.com>	2024-12-19 09:30:54 +01:00
transifex-integration[bot]	b61d918c5c	translate: Updates for file web/xliff/en.xlf in zh-Hans (#12401 ) Translate web/xliff/en.xlf in zh-Hans 100% translated source file: 'web/xliff/en.xlf' on 'zh-Hans'. Co-authored-by: transifex-integration[bot] <43880903+transifex-integration[bot]@users.noreply.github.com>	2024-12-19 09:30:48 +01:00
transifex-integration[bot]	076a4f4772	translate: Updates for file locale/en/LC_MESSAGES/django.po in zh-Hans (#12400 ) Translate django.po in zh-Hans 100% translated source file: 'django.po' on 'zh-Hans'. Co-authored-by: transifex-integration[bot] <43880903+transifex-integration[bot]@users.noreply.github.com>	2024-12-19 09:30:35 +01:00
transifex-integration[bot]	b3872b35f8	translate: Updates for file locale/en/LC_MESSAGES/django.po in zh_CN (#12399 ) Translate locale/en/LC_MESSAGES/django.po in zh_CN 100% translated source file: 'locale/en/LC_MESSAGES/django.po' on 'zh_CN'. Co-authored-by: transifex-integration[bot] <43880903+transifex-integration[bot]@users.noreply.github.com>	2024-12-19 09:29:53 +01:00