release: 2024.10.5

flows: better test stage's challenge responses (cherry-pick #12316 ) (#12317 )
flows: better test stage's challenge responses (#12316) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>
2024-12-10 17:48:12 +01:00 · 2024-12-10 17:47:19 +01:00 · 2024-12-10 17:45:48 +01:00 · 2024-12-10 17:12:52 +01:00 · 2024-12-10 15:22:47 +01:00 · 2024-12-10 15:22:38 +01:00
146 changed files with 10247 additions and 25784 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2024.10.4
+current_version = 2024.10.5
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@ -116,7 +116,7 @@ jobs:
          poetry run make test
          poetry run coverage xml
      - if: ${{ always() }}
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@v4
        with:
          flags: unit
          token: ${{ secrets.CODECOV_TOKEN }}
@ -140,7 +140,7 @@ jobs:
          poetry run coverage run manage.py test tests/integration
          poetry run coverage xml
      - if: ${{ always() }}
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@v4
        with:
          flags: integration
          token: ${{ secrets.CODECOV_TOKEN }}
@ -198,7 +198,7 @@ jobs:
          poetry run coverage run manage.py test ${{ matrix.job.glob }}
          poetry run coverage xml
      - if: ${{ always() }}
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@v4
        with:
          flags: e2e
          token: ${{ secrets.CODECOV_TOKEN }}
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@ -18,7 +18,7 @@ jobs:
          echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64 -w 0)" >> .env
          docker buildx install
          mkdir -p ./gen-ts-api
-          docker build -t testing:latest .
+          docker build --no-cache -t testing:latest .
          echo "AUTHENTIK_IMAGE=testing" >> .env
          echo "AUTHENTIK_TAG=latest" >> .env
          docker compose up --no-start
--- a/2
+++ b/2
@ -80,7 +80,7 @@ RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
    go build -o /go/authentik ./cmd/server

 # Stage 4: MaxMind GeoIP
-FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.1.0 AS geoip
+FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.0.1 AS geoip

 ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN"
 ENV GEOIPUPDATE_VERBOSE="1"
--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,7 +2,7 @@

 from os import environ

-__version__ = "2024.10.4"
+__version__ = "2024.10.5"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"


--- a/authentik/blueprints/v1/importer.py
+++ b/authentik/blueprints/v1/importer.py
@ -293,11 +293,7 @@ class Importer:

        serializer_kwargs = {}
        model_instance = existing_models.first()
-        if (
-            not isinstance(model(), BaseMetaModel)
-            and model_instance
-            and entry.state != BlueprintEntryDesiredState.MUST_CREATED
-        ):
+        if not isinstance(model(), BaseMetaModel) and model_instance:
            self.logger.debug(
                "Initialise serializer with instance",
                model=model,
@ -307,12 +303,11 @@ class Importer:
            serializer_kwargs["instance"] = model_instance
            serializer_kwargs["partial"] = True
        elif model_instance and entry.state == BlueprintEntryDesiredState.MUST_CREATED:
-            msg = (
-                f"State is set to {BlueprintEntryDesiredState.MUST_CREATED.value} "
-                "and object exists already",
-            )
            raise EntryInvalidError.from_entry(
-                ValidationError({k: msg for k in entry.identifiers.keys()}, "unique"),
+                (
+                    f"State is set to {BlueprintEntryDesiredState.MUST_CREATED} "
+                    "and object exists already",
+                ),
                entry,
            )
        else:
--- a/authentik/core/api/transactional_applications.py
+++ b/authentik/core/api/transactional_applications.py
@ -1,12 +1,10 @@
 """transactional application and provider creation"""

 from django.apps import apps
-from django.db.models import Model
-from django.utils.translation import gettext as _
 from drf_spectacular.utils import PolymorphicProxySerializer, extend_schema, extend_schema_field
-from rest_framework.exceptions import PermissionDenied, ValidationError
+from rest_framework.exceptions import ValidationError
 from rest_framework.fields import BooleanField, CharField, ChoiceField, DictField, ListField
-from rest_framework.permissions import IsAuthenticated
+from rest_framework.permissions import IsAdminUser
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
@ -24,7 +22,6 @@ from authentik.core.api.applications import ApplicationSerializer
 from authentik.core.api.utils import PassiveSerializer
 from authentik.core.models import Provider
 from authentik.lib.utils.reflection import all_subclasses
-from authentik.policies.api.bindings import PolicyBindingSerializer


 def get_provider_serializer_mapping():
@ -48,13 +45,6 @@ class TransactionProviderField(DictField):
    """Dictionary field which can hold provider creation data"""


-class TransactionPolicyBindingSerializer(PolicyBindingSerializer):
-    """PolicyBindingSerializer which does not require target as target is set implicitly"""
-
-    class Meta(PolicyBindingSerializer.Meta):
-        fields = [x for x in PolicyBindingSerializer.Meta.fields if x != "target"]
-
-
 class TransactionApplicationSerializer(PassiveSerializer):
    """Serializer for creating a provider and an application in one transaction"""

@ -62,8 +52,6 @@ class TransactionApplicationSerializer(PassiveSerializer):
    provider_model = ChoiceField(choices=list(get_provider_serializer_mapping().keys()))
    provider = TransactionProviderField()

-    policy_bindings = TransactionPolicyBindingSerializer(many=True, required=False)
-
    _provider_model: type[Provider] = None

    def validate_provider_model(self, fq_model_name: str) -> str:
@ -108,19 +96,6 @@ class TransactionApplicationSerializer(PassiveSerializer):
                id="app",
            )
        )
-        for binding in attrs.get("policy_bindings", []):
-            binding["target"] = KeyOf(None, ScalarNode(tag="", value="app"))
-            for key, value in binding.items():
-                if not isinstance(value, Model):
-                    continue
-                binding[key] = value.pk
-            blueprint.entries.append(
-                BlueprintEntry(
-                    model="authentik_policies.policybinding",
-                    state=BlueprintEntryDesiredState.MUST_CREATED,
-                    identifiers=binding,
-                )
-            )
        importer = Importer(blueprint, {})
        try:
            valid, _ = importer.validate(raise_validation_errors=True)
@ -145,7 +120,8 @@ class TransactionApplicationResponseSerializer(PassiveSerializer):
 class TransactionalApplicationView(APIView):
    """Create provider and application and attach them in a single transaction"""

-    permission_classes = [IsAuthenticated]
+    # TODO: Migrate to a more specific permission
+    permission_classes = [IsAdminUser]

    @extend_schema(
        request=TransactionApplicationSerializer(),
@ -157,23 +133,8 @@ class TransactionalApplicationView(APIView):
        """Convert data into a blueprint, validate it and apply it"""
        data = TransactionApplicationSerializer(data=request.data)
        data.is_valid(raise_exception=True)
-        blueprint: Blueprint = data.validated_data
-        for entry in blueprint.entries:
-            full_model = entry.get_model(blueprint)
-            app, __, model = full_model.partition(".")
-            if not request.user.has_perm(f"{app}.add_{model}"):
-                raise PermissionDenied(
-                    {
-                        entry.id: _(
-                            "User lacks permission to create {model}".format_map(
-                                {
-                                    "model": full_model,
-                                }
-                            )
-                        )
-                    }
-                )
-        importer = Importer(blueprint, {})
+
+        importer = Importer(data.validated_data, {})
        applied = importer.apply()
        response = {"applied": False, "logs": []}
        response["applied"] = applied
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -666,12 +666,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):

    @permission_required("authentik_core.impersonate")
    @extend_schema(
-        request=inline_serializer(
-            "ImpersonationSerializer",
-            {
-                "reason": CharField(required=True),
-            },
-        ),
+        request=OpenApiTypes.NONE,
        responses={
            "204": OpenApiResponse(description="Successfully started impersonation"),
            "401": OpenApiResponse(description="Access denied"),
@ -684,7 +679,6 @@ class UserViewSet(UsedByMixin, ModelViewSet):
            LOGGER.debug("User attempted to impersonate", user=request.user)
            return Response(status=401)
        user_to_be = self.get_object()
-        reason = request.data.get("reason", "")
        # Check both object-level perms and global perms
        if not request.user.has_perm(
            "authentik_core.impersonate", user_to_be
@ -694,16 +688,11 @@ class UserViewSet(UsedByMixin, ModelViewSet):
        if user_to_be.pk == self.request.user.pk:
            LOGGER.debug("User attempted to impersonate themselves", user=request.user)
            return Response(status=401)
-        if not reason and request.tenant.impersonation_require_reason:
-            LOGGER.debug(
-                "User attempted to impersonate without providing a reason", user=request.user
-            )
-            return Response(status=401)

        request.session[SESSION_KEY_IMPERSONATE_ORIGINAL_USER] = request.user
        request.session[SESSION_KEY_IMPERSONATE_USER] = user_to_be

-        Event.new(EventAction.IMPERSONATION_STARTED, reason=reason).from_http(request, user_to_be)
+        Event.new(EventAction.IMPERSONATION_STARTED).from_http(request, user_to_be)

        return Response(status=201)

--- a/authentik/core/tests/test_impersonation.py
+++ b/authentik/core/tests/test_impersonation.py
@ -29,8 +29,7 @@ class TestImpersonation(APITestCase):
            reverse(
                "authentik_api:user-impersonate",
                kwargs={"pk": self.other_user.pk},
-            ),
-            data={"reason": "some reason"},
+            )
        )

        response = self.client.get(reverse("authentik_api:user-me"))
@ -56,8 +55,7 @@ class TestImpersonation(APITestCase):
            reverse(
                "authentik_api:user-impersonate",
                kwargs={"pk": self.other_user.pk},
-            ),
-            data={"reason": "some reason"},
+            )
        )
        self.assertEqual(response.status_code, 201)

@ -77,8 +75,7 @@ class TestImpersonation(APITestCase):
            reverse(
                "authentik_api:user-impersonate",
                kwargs={"pk": self.other_user.pk},
-            ),
-            data={"reason": "some reason"},
+            )
        )
        self.assertEqual(response.status_code, 201)

@ -92,8 +89,7 @@ class TestImpersonation(APITestCase):
        self.client.force_login(self.other_user)

        response = self.client.post(
-            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk}),
-            data={"reason": "some reason"},
+            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk})
        )
        self.assertEqual(response.status_code, 403)

@ -109,8 +105,7 @@ class TestImpersonation(APITestCase):
        self.client.force_login(self.user)

        response = self.client.post(
-            reverse("authentik_api:user-impersonate", kwargs={"pk": self.other_user.pk}),
-            data={"reason": "some reason"},
+            reverse("authentik_api:user-impersonate", kwargs={"pk": self.other_user.pk})
        )
        self.assertEqual(response.status_code, 401)

@ -123,22 +118,7 @@ class TestImpersonation(APITestCase):
        self.client.force_login(self.user)

        response = self.client.post(
-            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk}),
-            data={"reason": "some reason"},
-        )
-        self.assertEqual(response.status_code, 401)
-
-        response = self.client.get(reverse("authentik_api:user-me"))
-        response_body = loads(response.content.decode())
-        self.assertEqual(response_body["user"]["username"], self.user.username)
-
-    def test_impersonate_reason_required(self):
-        """test impersonation that user must provide reason"""
-        self.client.force_login(self.user)
-
-        response = self.client.post(
-            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk}),
-            data={"reason": ""},
+            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk})
        )
        self.assertEqual(response.status_code, 401)

--- a/authentik/core/tests/test_transactional_applications_api.py
+++ b/authentik/core/tests/test_transactional_applications_api.py
@ -1,13 +1,11 @@
 """Test Transactional API"""

 from django.urls import reverse
-from guardian.shortcuts import assign_perm
 from rest_framework.test import APITestCase

-from authentik.core.models import Application, Group
-from authentik.core.tests.utils import create_test_flow, create_test_user
+from authentik.core.models import Application
+from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.lib.generators import generate_id
-from authentik.policies.models import PolicyBinding
 from authentik.providers.oauth2.models import OAuth2Provider


@ -15,9 +13,7 @@ class TestTransactionalApplicationsAPI(APITestCase):
    """Test Transactional API"""

    def setUp(self) -> None:
-        self.user = create_test_user()
-        assign_perm("authentik_core.add_application", self.user)
-        assign_perm("authentik_providers_oauth2.add_oauth2provider", self.user)
+        self.user = create_test_admin_user()

    def test_create_transactional(self):
        """Test transactional Application + provider creation"""
@ -46,66 +42,6 @@ class TestTransactionalApplicationsAPI(APITestCase):
        self.assertIsNotNone(app)
        self.assertEqual(app.provider.pk, provider.pk)

-    def test_create_transactional_permission_denied(self):
-        """Test transactional Application + provider creation (missing permissions)"""
-        self.client.force_login(self.user)
-        uid = generate_id()
-        response = self.client.put(
-            reverse("authentik_api:core-transactional-application"),
-            data={
-                "app": {
-                    "name": uid,
-                    "slug": uid,
-                },
-                "provider_model": "authentik_providers_saml.samlprovider",
-                "provider": {
-                    "name": uid,
-                    "authorization_flow": str(create_test_flow().pk),
-                    "invalidation_flow": str(create_test_flow().pk),
-                    "acs_url": "https://goauthentik.io",
-                },
-            },
-        )
-        self.assertJSONEqual(
-            response.content.decode(),
-            {"provider": "User lacks permission to create authentik_providers_saml.samlprovider"},
-        )
-
-    def test_create_transactional_bindings(self):
-        """Test transactional Application + provider creation"""
-        assign_perm("authentik_policies.add_policybinding", self.user)
-        self.client.force_login(self.user)
-        uid = generate_id()
-        group = Group.objects.create(name=generate_id())
-        authorization_flow = create_test_flow()
-        response = self.client.put(
-            reverse("authentik_api:core-transactional-application"),
-            data={
-                "app": {
-                    "name": uid,
-                    "slug": uid,
-                },
-                "provider_model": "authentik_providers_oauth2.oauth2provider",
-                "provider": {
-                    "name": uid,
-                    "authorization_flow": str(authorization_flow.pk),
-                    "invalidation_flow": str(authorization_flow.pk),
-                    "redirect_uris": [],
-                },
-                "policy_bindings": [{"group": group.pk, "order": 0}],
-            },
-        )
-        self.assertJSONEqual(response.content.decode(), {"applied": True, "logs": []})
-        provider = OAuth2Provider.objects.filter(name=uid).first()
-        self.assertIsNotNone(provider)
-        app = Application.objects.filter(slug=uid).first()
-        self.assertIsNotNone(app)
-        self.assertEqual(app.provider.pk, provider.pk)
-        binding = PolicyBinding.objects.filter(target=app).first()
-        self.assertIsNotNone(binding)
-        self.assertEqual(binding.target, app)
-        self.assertEqual(binding.group, group)
-
    def test_create_transactional_invalid(self):
        """Test transactional Application + provider creation"""
        self.client.force_login(self.user)
@ -135,32 +71,3 @@ class TestTransactionalApplicationsAPI(APITestCase):
                }
            },
        )
-
-    def test_create_transactional_duplicate_name_provider(self):
-        """Test transactional Application + provider creation"""
-        self.client.force_login(self.user)
-        uid = generate_id()
-        OAuth2Provider.objects.create(
-            name=uid,
-            authorization_flow=create_test_flow(),
-            invalidation_flow=create_test_flow(),
-        )
-        response = self.client.put(
-            reverse("authentik_api:core-transactional-application"),
-            data={
-                "app": {
-                    "name": uid,
-                    "slug": uid,
-                },
-                "provider_model": "authentik_providers_oauth2.oauth2provider",
-                "provider": {
-                    "name": uid,
-                    "authorization_flow": str(create_test_flow().pk),
-                    "invalidation_flow": str(create_test_flow().pk),
-                },
-            },
-        )
-        self.assertJSONEqual(
-            response.content.decode(),
-            {"provider": {"name": ["State is set to must_created and object exists already"]}},
-        )
--- a/authentik/enterprise/middleware.py
+++ b/authentik/enterprise/middleware.py
@ -6,6 +6,7 @@ from django.http import HttpRequest, HttpResponse, JsonResponse
 from django.urls import resolve
 from structlog.stdlib import BoundLogger, get_logger

+from authentik.core.api.users import UserViewSet
 from authentik.enterprise.api import LicenseViewSet
 from authentik.enterprise.license import LicenseKey
 from authentik.enterprise.models import LicenseUsageStatus
@ -59,6 +60,9 @@ class EnterpriseMiddleware:
        # Flow executor is mounted as an API path but explicitly allowed
        if request.resolver_match._func_path == class_to_path(FlowExecutorView):
            return True
+        # Always allow making changes to users, even in case the license has ben exceeded
+        if request.resolver_match._func_path == class_to_path(UserViewSet):
+            return True
        # Only apply these restrictions to the API
        if "authentik_api" not in request.resolver_match.app_names:
            return True
--- a/authentik/enterprise/stages/authenticator_endpoint_gdtc/views/dtc.py
+++ b/authentik/enterprise/stages/authenticator_endpoint_gdtc/views/dtc.py
@ -4,7 +4,9 @@ from typing import Any
 from django.http import HttpRequest, HttpResponse, HttpResponseRedirect
 from django.template.response import TemplateResponse
 from django.urls import reverse
+from django.utils.decorators import method_decorator
 from django.views import View
+from django.views.decorators.clickjacking import xframe_options_sameorigin
 from googleapiclient.discovery import build

 from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import (
@ -26,6 +28,7 @@ HEADER_ACCESS_CHALLENGE_RESPONSE = "X-Verified-Access-Challenge-Response"
 DEVICE_TRUST_VERIFIED_ACCESS = "VerifiedAccess"


+@method_decorator(xframe_options_sameorigin, name="dispatch")
 class GoogleChromeDeviceTrustConnector(View):
    """Google Chrome Device-trust connector based endpoint authenticator"""

--- a/authentik/enterprise/tests/test_read_only.py
+++ b/authentik/enterprise/tests/test_read_only.py
@ -215,3 +215,49 @@ class TestReadOnly(FlowTestCase):
            {"detail": "Request denied due to expired/invalid license.", "code": "denied_license"},
        )
        self.assertEqual(response.status_code, 400)
+
+    @patch(
+        "authentik.enterprise.license.LicenseKey.validate",
+        MagicMock(
+            return_value=LicenseKey(
+                aud="",
+                exp=expiry_valid,
+                name=generate_id(),
+                internal_users=100,
+                external_users=100,
+            )
+        ),
+    )
+    @patch(
+        "authentik.enterprise.license.LicenseKey.get_internal_user_count",
+        MagicMock(return_value=1000),
+    )
+    @patch(
+        "authentik.enterprise.license.LicenseKey.get_external_user_count",
+        MagicMock(return_value=1000),
+    )
+    @patch(
+        "authentik.enterprise.license.LicenseKey.record_usage",
+        MagicMock(),
+    )
+    def test_manage_users(self):
+        """Test that managing users is still possible"""
+        License.objects.create(key=generate_id())
+        usage = LicenseUsage.objects.create(
+            internal_user_count=100,
+            external_user_count=100,
+            status=LicenseUsageStatus.VALID,
+        )
+        usage.record_date = now() - timedelta(weeks=THRESHOLD_READ_ONLY_WEEKS + 1)
+        usage.save(update_fields=["record_date"])
+
+        admin = create_test_admin_user()
+        self.client.force_login(admin)
+
+        # Reading is always allowed
+        response = self.client.get(reverse("authentik_api:user-list"))
+        self.assertEqual(response.status_code, 200)
+
+        # Writing should also be allowed
+        response = self.client.patch(reverse("authentik_api:user-detail", kwargs={"pk": admin.pk}))
+        self.assertEqual(response.status_code, 200)
--- a/authentik/events/models.py
+++ b/authentik/events/models.py
@ -60,7 +60,7 @@ def default_event_duration():
    """Default duration an Event is saved.
    This is used as a fallback when no brand is available"""
    try:
-        tenant = get_current_tenant(only=["event_retention"])
+        tenant = get_current_tenant()
        return now() + timedelta_from_string(tenant.event_retention)
    except Tenant.DoesNotExist:
        return now() + timedelta(days=365)
--- a/authentik/flows/stage.py
+++ b/authentik/flows/stage.py
@ -2,6 +2,7 @@

 from typing import TYPE_CHECKING

+from django.conf import settings
 from django.contrib.auth.models import AnonymousUser
 from django.http import HttpRequest
 from django.http.request import QueryDict
@ -224,6 +225,14 @@ class ChallengeStageView(StageView):
                full_errors[field].append(field_error)
        challenge_response.initial_data["response_errors"] = full_errors
        if not challenge_response.is_valid():
+            if settings.TEST:
+                raise StageInvalidException(
+                    (
+                        f"Invalid challenge response: \n\t{challenge_response.errors}"
+                        f"\n\nValidated data:\n\t {challenge_response.data}"
+                        f"\n\nInitial data:\n\t {challenge_response.initial_data}"
+                    ),
+                )
            self.logger.error(
                "f(ch): invalid challenge response",
                errors=challenge_response.errors,
--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@ -38,7 +38,6 @@ LANGUAGE_COOKIE_NAME = "authentik_language"
 SESSION_COOKIE_NAME = "authentik_session"
 SESSION_COOKIE_DOMAIN = CONFIG.get("cookie_domain", None)
 APPEND_SLASH = False
-X_FRAME_OPTIONS = "SAMEORIGIN"

 AUTHENTICATION_BACKENDS = [
    "django.contrib.auth.backends.ModelBackend",
@ -304,10 +303,12 @@ DATABASES = {
        "USER": CONFIG.get("postgresql.user"),
        "PASSWORD": CONFIG.get("postgresql.password"),
        "PORT": CONFIG.get("postgresql.port"),
-        "SSLMODE": CONFIG.get("postgresql.sslmode"),
-        "SSLROOTCERT": CONFIG.get("postgresql.sslrootcert"),
-        "SSLCERT": CONFIG.get("postgresql.sslcert"),
-        "SSLKEY": CONFIG.get("postgresql.sslkey"),
+        "OPTIONS": {
+            "sslmode": CONFIG.get("postgresql.sslmode"),
+            "sslrootcert": CONFIG.get("postgresql.sslrootcert"),
+            "sslcert": CONFIG.get("postgresql.sslcert"),
+            "sslkey": CONFIG.get("postgresql.sslkey"),
+        },
        "TEST": {
            "NAME": CONFIG.get("postgresql.test.name"),
        },
--- a/authentik/sources/kerberos/models.py
+++ b/authentik/sources/kerberos/models.py
@ -6,6 +6,7 @@ from tempfile import gettempdir
 from typing import Any

 import gssapi
+import kadmin
 import pglock
 from django.db import connection, models
 from django.db.models.fields import b64decode
@ -13,8 +14,6 @@ from django.http import HttpRequest
 from django.shortcuts import reverse
 from django.templatetags.static import static
 from django.utils.translation import gettext_lazy as _
-from kadmin import KAdmin
-from kadmin.exceptions import PyKAdminException
 from rest_framework.serializers import Serializer
 from structlog.stdlib import get_logger

@ -31,8 +30,9 @@ from authentik.flows.challenge import RedirectChallenge
 LOGGER = get_logger()


-# Creating kadmin connections is expensive. As such, this global is used to reuse
-# existing kadmin connections instead of creating new ones
+# python-kadmin leaks file descriptors. As such, this global is used to reuse
+# existing kadmin connections instead of creating new ones, which results in less to no file
+# descriptors leaks
 _kadmin_connections: dict[str, Any] = {}


@ -198,13 +198,13 @@ class KerberosSource(Source):
        conf_path.write_text(self.krb5_conf)
        return str(conf_path)

-    def _kadmin_init(self) -> KAdmin | None:
+    def _kadmin_init(self) -> "kadmin.KAdmin | None":
        # kadmin doesn't use a ccache for its connection
        # as such, we don't need to create a separate ccache for each source
        if not self.sync_principal:
            return None
        if self.sync_password:
-            return KAdmin.with_password(
+            return kadmin.init_with_password(
                self.sync_principal,
                self.sync_password,
            )
@ -215,18 +215,18 @@ class KerberosSource(Source):
                keytab_path.touch(mode=0o600)
                keytab_path.write_bytes(b64decode(self.sync_keytab))
                keytab = f"FILE:{keytab_path}"
-            return KAdmin.with_keytab(
+            return kadmin.init_with_keytab(
                self.sync_principal,
                keytab,
            )
        if self.sync_ccache:
-            return KAdmin.with_ccache(
+            return kadmin.init_with_ccache(
                self.sync_principal,
                self.sync_ccache,
            )
        return None

-    def connection(self) -> KAdmin | None:
+    def connection(self) -> "kadmin.KAdmin | None":
        """Get kadmin connection"""
        if str(self.pk) not in _kadmin_connections:
            kadm = self._kadmin_init()
@ -246,7 +246,7 @@ class KerberosSource(Source):
                    status["status"] = "no connection"
                    return status
                status["principal_exists"] = kadm.principal_exists(self.sync_principal)
-            except PyKAdminException as exc:
+            except kadmin.KAdminError as exc:
                status["status"] = str(exc)
        return status

--- a/authentik/sources/kerberos/signals.py
+++ b/authentik/sources/kerberos/signals.py
@ -1,8 +1,8 @@
 """authentik kerberos source signals"""

+import kadmin
 from django.db.models.signals import post_save
 from django.dispatch import receiver
-from kadmin.exceptions import PyKAdminException
 from rest_framework.serializers import ValidationError
 from structlog.stdlib import get_logger

@ -48,7 +48,7 @@ def kerberos_sync_password(sender, user: User, password: str, **_):
                source.connection().getprinc(user_source_connection.identifier).change_password(
                    password
                )
-            except PyKAdminException as exc:
+            except kadmin.KAdminError as exc:
                LOGGER.warning("failed to set Kerberos password", exc=exc, source=source)
                Event.new(
                    EventAction.CONFIGURATION_ERROR,
--- a/authentik/sources/kerberos/sync.py
+++ b/authentik/sources/kerberos/sync.py
@ -2,9 +2,9 @@

 from typing import Any

+import kadmin
 from django.core.exceptions import FieldError
 from django.db import IntegrityError, transaction
-from kadmin import KAdmin
 from structlog.stdlib import BoundLogger, get_logger

 from authentik.core.expression.exceptions import (
@ -30,7 +30,7 @@ class KerberosSync:

    _source: KerberosSource
    _logger: BoundLogger
-    _connection: KAdmin
+    _connection: "kadmin.KAdmin"
    mapper: SourceMapper
    user_manager: PropertyMappingManager
    group_manager: PropertyMappingManager
@ -161,7 +161,7 @@ class KerberosSync:

        user_count = 0
        with Krb5ConfContext(self._source):
-            for principal in self._connection.list_principals(None):
+            for principal in self._connection.principals():
                if self._handle_principal(principal):
                    user_count += 1
        return user_count
--- a/authentik/sources/kerberos/tests/test_auth.py
+++ b/authentik/sources/kerberos/tests/test_auth.py
@ -23,7 +23,6 @@ class TestKerberosAuth(KerberosTestCase):
        )
        self.user = User.objects.create(username=generate_id())
        self.user.set_unusable_password()
-        self.user.save()
        UserKerberosSourceConnection.objects.create(
            source=self.source, user=self.user, identifier=self.realm.user_princ
        )
--- a/authentik/sources/kerberos/tests/test_spnego.py
+++ b/authentik/sources/kerberos/tests/test_spnego.py
@ -2,8 +2,6 @@

 from base64 import b64decode, b64encode
 from pathlib import Path
-from sys import platform
-from unittest import skipUnless

 import gssapi
 from django.urls import reverse
@ -38,7 +36,6 @@ class TestSPNEGOSource(KerberosTestCase):
        )
        self.assertEqual(response.status_code, 200)

-    @skipUnless(platform.startswith("linux"), "Requires compatible GSSAPI implementation")
    def test_source_login(self):
        """test login view"""
        response = self.client.get(
--- a/authentik/stages/authenticator_validate/stage.py
+++ b/authentik/stages/authenticator_validate/stage.py
@ -332,7 +332,7 @@ class AuthenticatorValidateStageView(ChallengeStageView):
            serializer = SelectableStageSerializer(
                data={
                    "pk": stage.pk,
-                    "name": getattr(stage, "friendly_name", stage.name),
+                    "name": getattr(stage, "friendly_name", stage.name) or stage.name,
                    "verbose_name": str(stage._meta.verbose_name)
                    .replace("Setup Stage", "")
                    .strip(),
--- a/authentik/stages/authenticator_validate/tests/test_stage.py
+++ b/authentik/stages/authenticator_validate/tests/test_stage.py
@ -4,6 +4,7 @@ from unittest.mock import MagicMock, patch

 from django.test.client import RequestFactory
 from django.urls.base import reverse
+from django.utils.timezone import now

 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.flows.models import FlowDesignation, FlowStageBinding, NotConfiguredAction
@ -13,6 +14,7 @@ from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.lib.generators import generate_id, generate_key
 from authentik.stages.authenticator_duo.models import AuthenticatorDuoStage, DuoDevice
 from authentik.stages.authenticator_static.models import AuthenticatorStaticStage
+from authentik.stages.authenticator_totp.models import AuthenticatorTOTPStage, TOTPDigits
 from authentik.stages.authenticator_validate.api import AuthenticatorValidateStageSerializer
 from authentik.stages.authenticator_validate.models import AuthenticatorValidateStage, DeviceClasses
 from authentik.stages.authenticator_validate.stage import PLAN_CONTEXT_DEVICE_CHALLENGES
@ -76,8 +78,8 @@ class AuthenticatorValidateStageTests(FlowTestCase):
        conf_stage = AuthenticatorStaticStage.objects.create(
            name=generate_id(),
        )
-        conf_stage2 = AuthenticatorStaticStage.objects.create(
-            name=generate_id(),
+        conf_stage2 = AuthenticatorTOTPStage.objects.create(
+            name=generate_id(), digits=TOTPDigits.SIX
        )
        stage = AuthenticatorValidateStage.objects.create(
            name=generate_id(),
@ -153,10 +155,14 @@ class AuthenticatorValidateStageTests(FlowTestCase):
            {
                "device_class": "static",
                "device_uid": "1",
+                "challenge": {},
+                "last_used": now(),
            },
            {
                "device_class": "totp",
                "device_uid": "2",
+                "challenge": {},
+                "last_used": now(),
            },
        ]
        session[SESSION_KEY_PLAN] = plan
--- a/authentik/stages/authenticator_webauthn/mds/blob.jwt
+++ b/authentik/stages/authenticator_webauthn/mds/blob.jwt
--- a/authentik/stages/identification/stage.py
+++ b/authentik/stages/identification/stage.py
@ -26,6 +26,7 @@ from authentik.flows.models import FlowDesignation
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
 from authentik.flows.stage import PLAN_CONTEXT_PENDING_USER_IDENTIFIER, ChallengeStageView
 from authentik.flows.views.executor import SESSION_KEY_APPLICATION_PRE, SESSION_KEY_GET
+from authentik.lib.avatars import DEFAULT_AVATAR
 from authentik.lib.utils.reflection import all_subclasses
 from authentik.lib.utils.urls import reverse_with_qs
 from authentik.root.middleware import ClientIPMiddleware
@ -76,7 +77,7 @@ class IdentificationChallenge(Challenge):
    allow_show_password = BooleanField(default=False)
    application_pre = CharField(required=False)
    flow_designation = ChoiceField(FlowDesignation.choices)
-    captcha_stage = CaptchaChallenge(required=False)
+    captcha_stage = CaptchaChallenge(required=False, allow_null=True)

    enroll_url = CharField(required=False)
    recovery_url = CharField(required=False)
@ -224,6 +225,8 @@ class IdentificationStageView(ChallengeStageView):
                        "js_url": current_stage.captcha_stage.js_url,
                        "site_key": current_stage.captcha_stage.public_key,
                        "interactive": current_stage.captcha_stage.interactive,
+                        "pending_user": "",
+                        "pending_user_avatar": DEFAULT_AVATAR,
                    }
                    if current_stage.captcha_stage
                    else None
--- a/authentik/tenants/api/settings.py
+++ b/authentik/tenants/api/settings.py
@ -23,7 +23,6 @@ class SettingsSerializer(ModelSerializer):
            "footer_links",
            "gdpr_compliance",
            "impersonation",
-            "impersonation_require_reason",
            "default_token_duration",
            "default_token_length",
        ]
--- a/authentik/tenants/migrations/0004_tenant_impersonation_require_reason.py
+++ b/authentik/tenants/migrations/0004_tenant_impersonation_require_reason.py
@ -1,21 +0,0 @@
-# Generated by Django 5.0.9 on 2024-11-07 15:08
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_tenants", "0003_alter_tenant_default_token_duration"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="tenant",
-            name="impersonation_require_reason",
-            field=models.BooleanField(
-                default=True,
-                help_text="Require administrators to provide a reason for impersonating a user.",
-            ),
-        ),
-    ]
--- a/authentik/tenants/models.py
+++ b/authentik/tenants/models.py
@ -85,10 +85,6 @@ class Tenant(TenantMixin, SerializerModel):
    impersonation = models.BooleanField(
        help_text=_("Globally enable/disable impersonation."), default=True
    )
-    impersonation_require_reason = models.BooleanField(
-        help_text=_("Require administrators to provide a reason for impersonating a user."),
-        default=True,
-    )
    default_token_duration = models.TextField(
        help_text=_("Default token duration"),
        default=DEFAULT_TOKEN_DURATION,
--- a/authentik/tenants/utils.py
+++ b/authentik/tenants/utils.py
@ -8,11 +8,9 @@ from authentik.root.install_id import get_install_id
 from authentik.tenants.models import Tenant


-def get_current_tenant(only: list[str] | None = None) -> Tenant:
+def get_current_tenant() -> Tenant:
    """Get tenant for current request"""
-    if only is None:
-        only = []
-    return Tenant.objects.only(*only).get(schema_name=connection.schema_name)
+    return Tenant.objects.get(schema_name=connection.schema_name)


 def get_unique_identifier() -> str:
--- a/blueprints/schema.json
+++ b/blueprints/schema.json
@ -2,7 +2,7 @@
    "$schema": "http://json-schema.org/draft-07/schema",
    "$id": "https://goauthentik.io/blueprints/schema.json",
    "type": "object",
-    "title": "authentik 2024.10.4 Blueprint schema",
+    "title": "authentik 2024.10.5 Blueprint schema",
    "required": [
        "version",
        "entries"
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -31,7 +31,7 @@ services:
    volumes:
      - redis:/data
  server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.4}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.5}
    restart: unless-stopped
    command: server
    environment:
@ -52,7 +52,7 @@ services:
      - postgresql
      - redis
  worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.4}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.5}
    restart: unless-stopped
    command: worker
    environment:
--- a/go.mod
+++ b/go.mod
@ -29,10 +29,10 @@ require (
 	github.com/spf13/cobra v1.8.1
 	github.com/stretchr/testify v1.9.0
 	github.com/wwt/guac v1.3.2
-	goauthentik.io/api/v3 v3.2024104.1
+	goauthentik.io/api/v3 v3.2024083.13
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
-	golang.org/x/oauth2 v0.24.0
-	golang.org/x/sync v0.9.0
+	golang.org/x/oauth2 v0.23.0
+	golang.org/x/sync v0.8.0
 	gopkg.in/yaml.v2 v2.4.0
 	layeh.com/radius v0.0.0-20210819152912-ad72663a72ab
 )
--- a/go.sum
+++ b/go.sum
@ -299,8 +299,8 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-goauthentik.io/api/v3 v3.2024104.1 h1:N09HAJ66W965QEYpx6sJzcaQxPsnFykVwkzVjVK/zH0=
-goauthentik.io/api/v3 v3.2024104.1/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2024083.13 h1:xKh3feJYUeLw583zZ5ifgV0qjD37ZCOzgXPfbHQSbHM=
+goauthentik.io/api/v3 v3.2024083.13/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
@ -388,8 +388,8 @@ golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4Iltr
 golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.24.0 h1:KTBBxWqUa0ykRPLtV69rRto9TLXcqYkeswu48x/gvNE=
-golang.org/x/oauth2 v0.24.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs=
+golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@ -400,8 +400,8 @@ golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.9.0 h1:fEo0HyrW1GIgZdpbhCRO0PkJajUS5H9IFUztCgEo2jQ=
-golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
+golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@ -29,4 +29,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }

-const VERSION = "2024.10.4"
+const VERSION = "2024.10.5"
--- a/ldap.Dockerfile
+++ b/ldap.Dockerfile
@ -33,7 +33,6 @@ RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
 # Stage 2: Run
 FROM ghcr.io/goauthentik/fips-debian:bookworm-slim-fips

-ARG VERSION
 ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH

--- a/lifecycle/ak.py
+++ b/lifecycle/ak.py
@ -1,17 +1,15 @@
 """Wrapper for lifecycle/ak, to be installed by poetry"""

-from os import system, waitstatus_to_exitcode
+from os import system
 from pathlib import Path
-from sys import argv, exit
+from sys import argv


 def main():
    """Wrapper around ak bash script"""
    current_path = Path(__file__)
    args = " ".join(argv[1:])
-    res = system(f"{current_path.parent}/ak {args}")  # nosec
-    exit_code = waitstatus_to_exitcode(res)
-    exit(exit_code)
+    system(f"{current_path.parent}/ak {args}")  # nosec


 if __name__ == "__main__":
--- a/locale/de/LC_MESSAGES/django.mo
+++ b/locale/de/LC_MESSAGES/django.mo
--- a/locale/de/LC_MESSAGES/django.po
+++ b/locale/de/LC_MESSAGES/django.po
--- a/locale/en/LC_MESSAGES/django.po
+++ b/locale/en/LC_MESSAGES/django.po
@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-11-18 00:09+0000\n"
+"POT-Creation-Date: 2024-10-23 16:39+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@ -101,21 +101,12 @@ msgstr ""
 msgid "Brands"
 msgstr ""

-#: authentik/core/api/devices.py
-msgid "Extra description not available"
-msgstr ""
-
 #: authentik/core/api/providers.py
 msgid ""
 "When not set all providers are returned. When set to true, only backchannel "
 "providers are returned. When set to false, backchannel providers are excluded"
 msgstr ""

-#: authentik/core/api/transactional_applications.py
-#, python-brace-format
-msgid "User lacks permission to create {model}"
-msgstr ""
-
 #: authentik/core/api/users.py
 msgid "No leading or trailing slashes allowed."
 msgstr ""
@ -1135,10 +1126,6 @@ msgstr ""
 msgid "Password not set in context"
 msgstr ""

-#: authentik/policies/password/models.py
-msgid "Invalid password."
-msgstr ""
-
 #: authentik/policies/password/models.py
 #, python-format
 msgid "Password exists on %(count)d online lists."
@ -2627,7 +2614,12 @@ msgid "Captcha Stages"
 msgstr ""

 #: authentik/stages/captcha/stage.py
-msgid "Invalid captcha response. Retrying may solve this issue."
+msgid "Unknown error"
+msgstr ""
+
+#: authentik/stages/captcha/stage.py
+#, python-brace-format
+msgid "Failed to validate token: {error}"
 msgstr ""

 #: authentik/stages/captcha/stage.py
@ -3214,10 +3206,6 @@ msgstr ""
 msgid "Globally enable/disable impersonation."
 msgstr ""

-#: authentik/tenants/models.py
-msgid "Require administrators to provide a reason for impersonating a user."
-msgstr ""
-
 #: authentik/tenants/models.py
 msgid "Default token duration"
 msgstr ""
--- a/locale/fr/LC_MESSAGES/django.mo
+++ b/locale/fr/LC_MESSAGES/django.mo
--- a/locale/it/LC_MESSAGES/django.mo
+++ b/locale/it/LC_MESSAGES/django.mo
--- a/locale/it/LC_MESSAGES/django.po
+++ b/locale/it/LC_MESSAGES/django.po
@ -11,17 +11,15 @@
 # Marco Vitale, 2024
 # Kowalski Dragon (kowalski7cc) <kowalski.7cc@gmail.com>, 2024
 # albanobattistella <albanobattistella@gmail.com>, 2024
-# Nicola Mersi, 2024
-# tom max, 2024
 # 
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-11-18 00:09+0000\n"
+"POT-Creation-Date: 2024-10-18 00:09+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
-"Last-Translator: tom max, 2024\n"
+"Last-Translator: albanobattistella <albanobattistella@gmail.com>, 2024\n"
 "Language-Team: Italian (https://app.transifex.com/authentik/teams/119923/it/)\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
@ -121,10 +119,6 @@ msgstr "Brand"
 msgid "Brands"
 msgstr "Brands"

-#: authentik/core/api/devices.py
-msgid "Extra description not available"
-msgstr "Descrizione extra non disponibile"
-
 #: authentik/core/api/providers.py
 msgid ""
 "When not set all providers are returned. When set to true, only backchannel "
@ -135,11 +129,6 @@ msgstr ""
 " vengono restituiti solo i provider di backchannel. Se impostato su falso, i"
 " provider di backchannel vengono esclusi"

-#: authentik/core/api/transactional_applications.py
-#, python-brace-format
-msgid "User lacks permission to create {model}"
-msgstr "L'utente non ha i diritti per creare {model}"
-
 #: authentik/core/api/users.py
 msgid "No leading or trailing slashes allowed."
 msgstr "Non sono consentite barre oblique iniziali o finali."
@ -594,28 +583,6 @@ msgstr "Limite massimo di connessioni raggiunto."
 msgid "(You are already connected in another tab/window)"
 msgstr "(Sei già connesso in un'altra scheda/finestra)"

-#: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
-msgid "Endpoint Authenticator Google Device Trust Connector Stage"
-msgstr ""
-"Fase di autenticazione per la verifica dispositivo Google tramite endpoint"
-
-#: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
-msgid "Endpoint Authenticator Google Device Trust Connector Stages"
-msgstr ""
-"Fasi di autenticazione per la verifica dispositivo Google tramite endpoint"
-
-#: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
-msgid "Endpoint Device"
-msgstr "Dispositivo di Accesso"
-
-#: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
-msgid "Endpoint Devices"
-msgstr "Dispositivi di Accesso"
-
-#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
-msgid "Verifying your browser..."
-msgstr "Verifica del tuo browser..."
-
 #: authentik/enterprise/stages/source/models.py
 msgid ""
 "Amount of time a user can take to return from the source to continue the "
@ -1249,10 +1216,6 @@ msgstr ""
 msgid "Password not set in context"
 msgstr "Password non impostata nel contesto"

-#: authentik/policies/password/models.py
-msgid "Invalid password."
-msgstr "Password invalida."
-
 #: authentik/policies/password/models.py
 #, python-format
 msgid "Password exists on %(count)d online lists."
@ -2054,124 +2017,6 @@ msgstr ""
 msgid "Used recovery-link to authenticate."
 msgstr "Utilizzato il link di recupero per autenticarsi."

-#: authentik/sources/kerberos/models.py
-msgid "Kerberos realm"
-msgstr "Dominio Kerberos"
-
-#: authentik/sources/kerberos/models.py
-msgid "Custom krb5.conf to use. Uses the system one by default"
-msgstr ""
-"krb5.conf personalizzato da usare. Usa la configurazione di sistema per "
-"default"
-
-#: authentik/sources/kerberos/models.py
-msgid "Sync users from Kerberos into authentik"
-msgstr "Sincronizza utenti da Kerberos a authentik"
-
-#: authentik/sources/kerberos/models.py
-msgid "When a user changes their password, sync it back to Kerberos"
-msgstr "Quando un utente cambia la sua password, sincronizzala in Kerberos"
-
-#: authentik/sources/kerberos/models.py
-msgid "Principal to authenticate to kadmin for sync."
-msgstr "Entità da autenticare su kadmin per la sincronizzazione."
-
-#: authentik/sources/kerberos/models.py
-msgid "Password to authenticate to kadmin for sync"
-msgstr "Password per autenticarsi in kadmin per sincronizzare"
-
-#: authentik/sources/kerberos/models.py
-msgid ""
-"Keytab to authenticate to kadmin for sync. Must be base64-encoded or in the "
-"form TYPE:residual"
-msgstr ""
-"Keytab per autenticarsi su kadmin per la sincronizzazione. Deve essere con "
-"codifica base64 o nel formato TYPE:residual"
-
-#: authentik/sources/kerberos/models.py
-msgid ""
-"Credentials cache to authenticate to kadmin for sync. Must be in the form "
-"TYPE:residual"
-msgstr ""
-"Credenziali memorizzate nella cache per autenticarsi su kadmin per la "
-"sincronizzazione. Devono essere nel formato TYPE:residual"
-
-#: authentik/sources/kerberos/models.py
-msgid ""
-"Force the use of a specific server name for SPNEGO. Must be in the form "
-"HTTP@hostname"
-msgstr ""
-"Forza l'uso di un nome server specifico per SPNEGO. Deve essere nel formato "
-"HTTP@nomehost"
-
-#: authentik/sources/kerberos/models.py
-msgid "SPNEGO keytab base64-encoded or path to keytab in the form FILE:path"
-msgstr ""
-"keytab SPNEGO con codifica base64 o percorso del keytab nel formato "
-"FILE:percorso"
-
-#: authentik/sources/kerberos/models.py
-msgid "Credential cache to use for SPNEGO in form type:residual"
-msgstr ""
-"Cache delle credenziali da utilizzare per SPNEGO nella forma  type:residual"
-
-#: authentik/sources/kerberos/models.py
-msgid ""
-"If enabled, the authentik-stored password will be updated upon login with "
-"the Kerberos password backend"
-msgstr ""
-"Se abilitato, la password memorizzata in authentik verrà aggiornata al login"
-" nel backend Kerberos"
-
-#: authentik/sources/kerberos/models.py
-msgid "Kerberos Source"
-msgstr "Sorgente Kerberos"
-
-#: authentik/sources/kerberos/models.py
-msgid "Kerberos Sources"
-msgstr "Sorgenti Kerberos"
-
-#: authentik/sources/kerberos/models.py
-msgid "Kerberos Source Property Mapping"
-msgstr "Mappa delle proprietà della sorgente kerberos"
-
-#: authentik/sources/kerberos/models.py
-msgid "Kerberos Source Property Mappings"
-msgstr "Mappe delle proprietà della sorgente kerberos"
-
-#: authentik/sources/kerberos/models.py
-msgid "User Kerberos Source Connection"
-msgstr "Connessione sorgente dell'utente kerberos"
-
-#: authentik/sources/kerberos/models.py
-msgid "User Kerberos Source Connections"
-msgstr " Connessioni alle sorgente dell'utente kerberos"
-
-#: authentik/sources/kerberos/models.py
-msgid "Group Kerberos Source Connection"
-msgstr " Connessione sorgente del gruppo kerberos"
-
-#: authentik/sources/kerberos/models.py
-msgid "Group Kerberos Source Connections"
-msgstr "Connessioni alle sorgenti del gruppo kerberos"
-
-#: authentik/sources/kerberos/views.py
-msgid "SPNEGO authentication required"
-msgstr "autenticazione  SPNEGO necessaria"
-
-#: authentik/sources/kerberos/views.py
-msgid ""
-"\n"
-"                    Make sure you have valid tickets (obtainable via kinit)\n"
-"                    and configured the browser correctly.\n"
-"                    Please contact your administrator.\n"
-"                "
-msgstr ""
-"\n"
-"Assicurati di avere un ticket valido (ottenibile tramite kinit)\n"
-" e di aver configurato correttamente il browser. \n"
-"Contatta il tuo amministratore."
-
 #: authentik/sources/ldap/api.py
 msgid "Only a single LDAP Source with password synchronization is allowed"
 msgstr ""
@ -2890,10 +2735,13 @@ msgid "Captcha Stages"
 msgstr "Fasi Captcha"

 #: authentik/stages/captcha/stage.py
-msgid "Invalid captcha response. Retrying may solve this issue."
-msgstr ""
-"Risposta captcha non valida. Un nuovo tentativo potrebbe risolvere il "
-"problema."
+msgid "Unknown error"
+msgstr "Errore sconosciuto"
+
+#: authentik/stages/captcha/stage.py
+#, python-brace-format
+msgid "Failed to validate token: {error}"
+msgstr "Impossibile convalidare il token: {error}"

 #: authentik/stages/captcha/stage.py
 msgid "Invalid captcha response"
@ -3266,10 +3114,6 @@ msgstr "Database utente + password app"
 msgid "User database + LDAP password"
 msgstr "Database utenti + password LDAP"

-#: authentik/stages/password/models.py
-msgid "User database + Kerberos password"
-msgstr "Database utenti + password Kerberos"
-
 #: authentik/stages/password/models.py
 msgid "Selection of backends to test the password against."
 msgstr "Selezione di backend su cui testare la password."
@ -3563,12 +3407,6 @@ msgstr ""
 msgid "Globally enable/disable impersonation."
 msgstr "Abilita/disabilita globalmente la l'impersonazione."

-#: authentik/tenants/models.py
-msgid "Require administrators to provide a reason for impersonating a user."
-msgstr ""
-"Richiedi agli amministratori di fornire una ragione per impersonare un "
-"utente."
-
 #: authentik/tenants/models.py
 msgid "Default token duration"
 msgstr "Durata token predefinita"
--- a/locale/tr/LC_MESSAGES/django.mo
+++ b/locale/tr/LC_MESSAGES/django.mo
--- a/locale/tr/LC_MESSAGES/django.po
+++ b/locale/tr/LC_MESSAGES/django.po
--- a/locale/zh-Hans/LC_MESSAGES/django.mo
+++ b/locale/zh-Hans/LC_MESSAGES/django.mo
--- a/locale/zh-Hans/LC_MESSAGES/django.po
+++ b/locale/zh-Hans/LC_MESSAGES/django.po
@ -15,7 +15,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-11-18 00:09+0000\n"
+"POT-Creation-Date: 2024-10-23 16:39+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: deluxghost, 2024\n"
 "Language-Team: Chinese Simplified (https://app.transifex.com/authentik/teams/119923/zh-Hans/)\n"
@ -110,10 +110,6 @@ msgstr "品牌"
 msgid "Brands"
 msgstr "品牌"

-#: authentik/core/api/devices.py
-msgid "Extra description not available"
-msgstr "额外描述不可用"
-
 #: authentik/core/api/providers.py
 msgid ""
 "When not set all providers are returned. When set to true, only backchannel "
@ -121,11 +117,6 @@ msgid ""
 "excluded"
 msgstr "如果未设置，则返回所有提供程序。如果启用，仅返回反向通道提供程序。如果禁用，则返回非反向通道提供程序"

-#: authentik/core/api/transactional_applications.py
-#, python-brace-format
-msgid "User lacks permission to create {model}"
-msgstr "用户缺少创建 {model} 的权限"
-
 #: authentik/core/api/users.py
 msgid "No leading or trailing slashes allowed."
 msgstr "不允许以斜线开始或结尾。"
@ -1149,10 +1140,6 @@ msgstr "如果 zxcvbn 分数小于等于此值，则策略失败。"
 msgid "Password not set in context"
 msgstr "未在上下文中设置密码"

-#: authentik/policies/password/models.py
-msgid "Invalid password."
-msgstr "无效密码。"
-
 #: authentik/policies/password/models.py
 #, python-format
 msgid "Password exists on %(count)d online lists."
@ -2662,8 +2649,13 @@ msgid "Captcha Stages"
 msgstr "验证码阶段"

 #: authentik/stages/captcha/stage.py
-msgid "Invalid captcha response. Retrying may solve this issue."
-msgstr "无效的验证码响应。重试可能会解决此问题。"
+msgid "Unknown error"
+msgstr "未知错误"
+
+#: authentik/stages/captcha/stage.py
+#, python-brace-format
+msgid "Failed to validate token: {error}"
+msgstr "验证令牌失败：{error}"

 #: authentik/stages/captcha/stage.py
 msgid "Invalid captcha response"
@ -3269,10 +3261,6 @@ msgstr "启用时，所有由用户造成的事件会在相应用户被删除时
 msgid "Globally enable/disable impersonation."
 msgstr "全局启用/禁用模拟身份。"

-#: authentik/tenants/models.py
-msgid "Require administrators to provide a reason for impersonating a user."
-msgstr "需要管理员提供模拟用户的原因。"
-
 #: authentik/tenants/models.py
 msgid "Default token duration"
 msgstr "默认令牌持续时间"
--- a/locale/zh_CN/LC_MESSAGES/django.mo
+++ b/locale/zh_CN/LC_MESSAGES/django.mo
--- a/locale/zh_CN/LC_MESSAGES/django.po
+++ b/locale/zh_CN/LC_MESSAGES/django.po
@ -14,7 +14,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-11-18 00:09+0000\n"
+"POT-Creation-Date: 2024-10-23 16:39+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: deluxghost, 2024\n"
 "Language-Team: Chinese (China) (https://app.transifex.com/authentik/teams/119923/zh_CN/)\n"
@ -109,10 +109,6 @@ msgstr "品牌"
 msgid "Brands"
 msgstr "品牌"

-#: authentik/core/api/devices.py
-msgid "Extra description not available"
-msgstr "额外描述不可用"
-
 #: authentik/core/api/providers.py
 msgid ""
 "When not set all providers are returned. When set to true, only backchannel "
@ -120,11 +116,6 @@ msgid ""
 "excluded"
 msgstr "如果未设置，则返回所有提供程序。如果启用，仅返回反向通道提供程序。如果禁用，则返回非反向通道提供程序"

-#: authentik/core/api/transactional_applications.py
-#, python-brace-format
-msgid "User lacks permission to create {model}"
-msgstr "用户缺少创建 {model} 的权限"
-
 #: authentik/core/api/users.py
 msgid "No leading or trailing slashes allowed."
 msgstr "不允许前缀或后缀斜线。"
@ -1148,10 +1139,6 @@ msgstr "如果 zxcvbn 分数小于等于此值，则策略失败。"
 msgid "Password not set in context"
 msgstr "未在上下文中设置密码"

-#: authentik/policies/password/models.py
-msgid "Invalid password."
-msgstr "无效密码。"
-
 #: authentik/policies/password/models.py
 #, python-format
 msgid "Password exists on %(count)d online lists."
@ -2661,8 +2648,13 @@ msgid "Captcha Stages"
 msgstr "验证码阶段"

 #: authentik/stages/captcha/stage.py
-msgid "Invalid captcha response. Retrying may solve this issue."
-msgstr "无效的验证码响应。重试可能会解决此问题。"
+msgid "Unknown error"
+msgstr "未知错误"
+
+#: authentik/stages/captcha/stage.py
+#, python-brace-format
+msgid "Failed to validate token: {error}"
+msgstr "验证令牌失败：{error}"

 #: authentik/stages/captcha/stage.py
 msgid "Invalid captcha response"
@ -3268,10 +3260,6 @@ msgstr "启用时，所有由用户造成的事件会在相应用户被删除时
 msgid "Globally enable/disable impersonation."
 msgstr "全局启用/禁用模拟身份。"

-#: authentik/tenants/models.py
-msgid "Require administrators to provide a reason for impersonating a user."
-msgstr "需要管理员提供模拟用户的原因。"
-
 #: authentik/tenants/models.py
 msgid "Default token duration"
 msgstr "默认令牌持续时间"
--- a/package.json
+++ b/package.json
@ -1,5 +1,5 @@
 {
    "name": "@goauthentik/authentik",
-    "version": "2024.10.4",
+    "version": "2024.10.5",
    "private": true
 }
--- a/poetry.lock
+++ b/poetry.lock
--- a/pyproject.toml
+++ b/pyproject.toml
@ -1,6 +1,6 @@
 [tool.poetry]
 name = "authentik"
-version = "2024.10.4"
+version = "2024.10.5"
 description = ""
 authors = ["authentik Team <hello@goauthentik.io>"]

@ -131,13 +131,15 @@ pydantic-scim = "*"
 pyjwt = "*"
 pyrad = "*"
 python = "~3.12"
-python-kadmin-rs = "0.2.0"
+# Fork of python-kadmin with compilation fixes as it's unmaintained
+python-kadmin = { git = "https://github.com/authentik-community/python-kadmin.git", tag = "v0.2.0" }
 pyyaml = "*"
 requests-oauthlib = "*"
 scim2-filter-parser = "*"
 sentry-sdk = "*"
 service_identity = "*"
 setproctitle = "*"
+setuptools = "~69.1"
 structlog = "*"
 swagger-spec-validator = "*"
 tenant-schemas-celery = "*"
--- a/schema.yml
+++ b/schema.yml
@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
  title: authentik
-  version: 2024.10.4
+  version: 2024.10.5
  description: Making authentication simple.
  contact:
    email: hello@goauthentik.io
@ -5295,12 +5295,6 @@ paths:
        required: true
      tags:
      - core
-      requestBody:
-        content:
-          application/json:
-            schema:
-              $ref: '#/components/schemas/ImpersonationRequest'
-        required: true
      security:
      - authentik: []
      responses:
@ -42718,14 +42712,6 @@ components:
            incorrect user info is entered.
      required:
      - name
-    ImpersonationRequest:
-      type: object
-      properties:
-        reason:
-          type: string
-          minLength: 1
-      required:
-      - reason
    InstallID:
      type: object
      properties:
@ -50046,10 +50032,6 @@ components:
        impersonation:
          type: boolean
          description: Globally enable/disable impersonation.
-        impersonation_require_reason:
-          type: boolean
-          description: Require administrators to provide a reason for impersonating
-            a user.
        default_token_duration:
          type: string
          minLength: 1
@ -53804,10 +53786,6 @@ components:
        impersonation:
          type: boolean
          description: Globally enable/disable impersonation.
-        impersonation_require_reason:
-          type: boolean
-          description: Require administrators to provide a reason for impersonating
-            a user.
        default_token_duration:
          type: string
          description: Default token duration
@ -53847,10 +53825,6 @@ components:
        impersonation:
          type: boolean
          description: Globally enable/disable impersonation.
-        impersonation_require_reason:
-          type: boolean
-          description: Require administrators to provide a reason for impersonating
-            a user.
        default_token_duration:
          type: string
          minLength: 1
@ -54707,10 +54681,6 @@ components:
          $ref: '#/components/schemas/ProviderModelEnum'
        provider:
          $ref: '#/components/schemas/modelRequest'
-        policy_bindings:
-          type: array
-          items:
-            $ref: '#/components/schemas/TransactionPolicyBindingRequest'
      required:
      - app
      - provider
@ -54728,41 +54698,6 @@ components:
      required:
      - applied
      - logs
-    TransactionPolicyBindingRequest:
-      type: object
-      description: PolicyBindingSerializer which does not require target as target
-        is set implicitly
-      properties:
-        policy:
-          type: string
-          format: uuid
-          nullable: true
-        group:
-          type: string
-          format: uuid
-          nullable: true
-        user:
-          type: integer
-          nullable: true
-        negate:
-          type: boolean
-          description: Negates the outcome of the policy. Messages are unaffected.
-        enabled:
-          type: boolean
-        order:
-          type: integer
-          maximum: 2147483647
-          minimum: -2147483648
-        timeout:
-          type: integer
-          maximum: 2147483647
-          minimum: 0
-          description: Timeout after which Policy execution is terminated.
-        failure_result:
-          type: boolean
-          description: Result if the Policy execution fails.
-      required:
-      - order
    TypeCreate:
      type: object
      description: Types of an object that can be created
--- a/scripts/generate_config.py
+++ b/scripts/generate_config.py
@ -12,6 +12,9 @@ with open("local.env.yml", "w", encoding="utf-8") as _config:
            "secret_key": generate_id(),
            "postgresql": {
                "user": "postgres",
+                "read_replicas": {
+                    "0": {},
+                },
            },
            "outposts": {
                "container_image_base": "ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s",
--- a/web/lit-localize.json
+++ b/web/lit-localize.json
@ -6,7 +6,6 @@
        "de",
        "es",
        "fr",
-        "it",
        "ko",
        "nl",
        "pl",
--- a/web/package-lock.json
+++ b/web/package-lock.json
--- a/web/package.json
+++ b/web/package.json
@ -11,7 +11,7 @@
        "@floating-ui/dom": "^1.6.11",
        "@formatjs/intl-listformat": "^7.5.7",
        "@fortawesome/fontawesome-free": "^6.6.0",
-        "@goauthentik/api": "^2024.10.4-1732236707",
+        "@goauthentik/api": "^2024.10.2-1732206118",
        "@lit-labs/ssr": "^3.2.2",
        "@lit/context": "^1.1.2",
        "@lit/localize": "^0.12.2",
@ -135,7 +135,6 @@
        "storybook:build": "wireit",
        "storybook:build-import-map": "wireit",
        "test": "wireit",
-        "test:e2e": "wireit",
        "test:e2e:watch": "wireit",
        "test:watch": "wireit",
        "tsc": "wireit",
@ -322,24 +321,11 @@
        },
        "test": {
            "command": "wdio ./wdio.conf.ts --logLevel=warn",
-            "dependencies": [
-                "build"
-            ],
            "env": {
                "CI": "true",
                "TS_NODE_PROJECT": "tsconfig.test.json"
            }
        },
-        "test:e2e": {
-            "command": "wdio run ./tests/wdio.conf.ts",
-            "dependencies": [
-                "build"
-            ],
-            "env": {
-                "CI": "true",
-                "TS_NODE_PROJECT": "./tests/tsconfig.test.json"
-            }
-        },
        "test:e2e:watch": {
            "command": "wdio run ./tests/wdio.conf.ts",
            "dependencies": [
--- a/web/src/admin/admin-settings/AdminSettingsForm.ts
+++ b/web/src/admin/admin-settings/AdminSettingsForm.ts
@ -208,13 +208,6 @@ export class AdminSettingsForm extends Form<SettingsRequest> {
                help=${msg("Globally enable/disable impersonation.")}
            >
            </ak-switch-input>
-            <ak-switch-input
-                name="impersonationRequireReason"
-                label=${msg("Require reason for impersonation")}
-                ?checked="${this._settings?.impersonationRequireReason}"
-                help=${msg("Require administrators to provide a reason for impersonating a user.")}
-            >
-            </ak-switch-input>
            <ak-text-input
                name="defaultTokenDuration"
                label=${msg("Default token duration")}
--- a/web/src/admin/applications/ApplicationListPage.ts
+++ b/web/src/admin/applications/ApplicationListPage.ts
@ -2,7 +2,6 @@ import "@goauthentik/admin/applications/ApplicationForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import MDApplication from "@goauthentik/docs/add-secure-apps/applications/index.md";
 import "@goauthentik/elements/AppIcon.js";
-import { WithBrandConfig } from "@goauthentik/elements/Interface/brandProvider";
 import "@goauthentik/elements/Markdown";
 import "@goauthentik/elements/buttons/SpinnerButton";
 import "@goauthentik/elements/forms/DeleteBulkForm";
@ -13,7 +12,7 @@ import { TableColumn } from "@goauthentik/elements/table/Table";
 import { TablePage } from "@goauthentik/elements/table/TablePage";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";

-import { msg, str } from "@lit/localize";
+import { msg } from "@lit/localize";
 import { CSSResult, TemplateResult, css, html } from "lit";
 import { customElement, property } from "lit/decorators.js";
 import { ifDefined } from "lit/directives/if-defined.js";
@ -41,7 +40,7 @@ export const applicationListStyle = css`
 `;

@customElement("ak-application-list")
-export class ApplicationListPage extends WithBrandConfig(TablePage<Application>) {
+export class ApplicationListPage extends TablePage<Application> {
    searchEnabled(): boolean {
        return true;
    }
@ -50,7 +49,7 @@ export class ApplicationListPage extends WithBrandConfig(TablePage<Application>)
    }
    pageDescription(): string {
        return msg(
-            str`External applications that use ${this.brand.brandingTitle || "authentik"} as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.`,
+            "External applications that use authentik as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.",
        );
    }
    pageIcon(): string {
--- a/web/src/admin/applications/wizard/BasePanel.ts
+++ b/web/src/admin/applications/wizard/BasePanel.ts
@ -29,7 +29,7 @@ export class ApplicationWizardPageBase
        return AwadStyles;
    }

-    @consume({ context: applicationWizardContext, subscribe: true })
+    @consume({ context: applicationWizardContext })
    public wizard!: ApplicationWizardState;

    @query("form")
--- a/web/src/admin/applications/wizard/ContextIdentity.ts
+++ b/web/src/admin/applications/wizard/ContextIdentity.ts
@ -1,12 +1,7 @@
 import { createContext } from "@lit/context";

-import { LocalTypeCreate } from "./auth-method-choice/ak-application-wizard-authentication-method-choice.choices.js";
 import { ApplicationWizardState } from "./types";

 export const applicationWizardContext = createContext<ApplicationWizardState>(
    Symbol("ak-application-wizard-state-context"),
 );
-
-export const applicationWizardProvidersContext = createContext<LocalTypeCreate[]>(
-    Symbol("ak-application-wizard-providers-context"),
-);
--- a/web/src/admin/applications/wizard/ak-application-wizard.ts
+++ b/web/src/admin/applications/wizard/ak-application-wizard.ts
@ -1,4 +1,3 @@
-import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { AkWizard } from "@goauthentik/components/ak-wizard-main/AkWizard";
 import { CustomListenerElement } from "@goauthentik/elements/utils/eventEmitter";

@ -6,10 +5,7 @@ import { ContextProvider } from "@lit/context";
 import { msg } from "@lit/localize";
 import { customElement, state } from "lit/decorators.js";

-import { ProvidersApi, ProxyMode } from "@goauthentik/api";
-
-import { applicationWizardContext, applicationWizardProvidersContext } from "./ContextIdentity";
-import { providerTypeRenderers } from "./auth-method-choice/ak-application-wizard-authentication-method-choice.choices.js";
+import { applicationWizardContext } from "./ContextIdentity";
 import { newSteps } from "./steps";
 import {
    ApplicationStep,
@ -23,7 +19,6 @@ const freshWizardState = (): ApplicationWizardState => ({
    app: {},
    provider: {},
    errors: {},
-    proxyMode: ProxyMode.Proxy,
 });

@customElement("ak-application-wizard")
@ -51,11 +46,6 @@ export class ApplicationWizard extends CustomListenerElement(
        initialValue: this.wizardState,
    });

-    wizardProviderProvider = new ContextProvider(this, {
-        context: applicationWizardProvidersContext,
-        initialValue: [],
-    });
-
    /**
     * One of our steps has multiple display variants, one for each type of service provider. We
     * want to *preserve* a customer's decisions about different providers; never make someone "go
@ -66,21 +56,6 @@ export class ApplicationWizard extends CustomListenerElement(
     */
    providerCache: Map<string, OneOfProvider> = new Map();

-    connectedCallback() {
-        super.connectedCallback();
-        new ProvidersApi(DEFAULT_CONFIG).providersAllTypesList().then((providerTypes) => {
-            const wizardReadyProviders = Object.keys(providerTypeRenderers);
-            this.wizardProviderProvider.setValue(
-                providerTypes
-                    .filter((providerType) => wizardReadyProviders.includes(providerType.modelName))
-                    .map((providerType) => ({
-                        ...providerType,
-                        renderer: providerTypeRenderers[providerType.modelName],
-                    })),
-            );
-        });
-    }
-
    // And this is where all the special cases go...
    handleUpdate(detail: ApplicationWizardStateUpdate) {
        if (detail.status === "submitted") {
--- a/web/src/admin/applications/wizard/auth-method-choice/ak-application-wizard-authentication-method-choice.choices.ts
+++ b/web/src/admin/applications/wizard/auth-method-choice/ak-application-wizard-authentication-method-choice.choices.ts
@ -1,28 +1,176 @@
 import "@goauthentik/admin/common/ak-license-notice";

+import { msg } from "@lit/localize";
 import { TemplateResult, html } from "lit";

-import type { TypeCreate } from "@goauthentik/api";
+import type { ProviderModelEnum as ProviderModelEnumType, TypeCreate } from "@goauthentik/api";
+import { ProviderModelEnum, ProxyMode } from "@goauthentik/api";
+import type {
+    LDAPProviderRequest,
+    ModelRequest,
+    OAuth2ProviderRequest,
+    ProxyProviderRequest,
+    RACProviderRequest,
+    RadiusProviderRequest,
+    SAMLProviderRequest,
+    SCIMProviderRequest,
+} from "@goauthentik/api";
+
+import { OneOfProvider } from "../types";

 type ProviderRenderer = () => TemplateResult;

+type ModelConverter = (provider: OneOfProvider) => ModelRequest;
+
+type ProviderNoteProvider = () => TemplateResult | undefined;
+type ProviderNote = ProviderNoteProvider | undefined;
+
 export type LocalTypeCreate = TypeCreate & {
+    formName: string;
+    modelName: ProviderModelEnumType;
+    converter: ModelConverter;
+    note?: ProviderNote;
    renderer: ProviderRenderer;
 };

-export const providerTypeRenderers: Record<string, () => TemplateResult> = {
-    oauth2provider: () =>
-        html`<ak-application-wizard-authentication-by-oauth></ak-application-wizard-authentication-by-oauth>`,
-    ldapprovider: () =>
-        html`<ak-application-wizard-authentication-by-ldap></ak-application-wizard-authentication-by-ldap>`,
-    proxyprovider: () =>
-        html`<ak-application-wizard-authentication-for-reverse-proxy></ak-application-wizard-authentication-for-reverse-proxy>`,
-    racprovider: () =>
-        html`<ak-application-wizard-authentication-for-rac></ak-application-wizard-authentication-for-rac>`,
-    samlprovider: () =>
-        html`<ak-application-wizard-authentication-by-saml-configuration></ak-application-wizard-authentication-by-saml-configuration>`,
-    radiusprovider: () =>
-        html`<ak-application-wizard-authentication-by-radius></ak-application-wizard-authentication-by-radius>`,
-    scimprovider: () =>
-        html`<ak-application-wizard-authentication-by-scim></ak-application-wizard-authentication-by-scim>`,
-};
+export const providerModelsList: LocalTypeCreate[] = [
+    {
+        formName: "oauth2provider",
+        name: msg("OAuth2/OIDC (Open Authorization/OpenID Connect)"),
+        description: msg("Modern applications, APIs and Single-page applications."),
+        renderer: () =>
+            html`<ak-application-wizard-authentication-by-oauth></ak-application-wizard-authentication-by-oauth>`,
+        modelName: ProviderModelEnum.Oauth2Oauth2provider,
+        converter: (provider: OneOfProvider) => ({
+            providerModel: ProviderModelEnum.Oauth2Oauth2provider,
+            ...(provider as OAuth2ProviderRequest),
+        }),
+        component: "",
+        iconUrl: "/static/authentik/sources/openidconnect.svg",
+    },
+    {
+        formName: "ldapprovider",
+        name: msg("LDAP (Lightweight Directory Access Protocol)"),
+        description: msg(
+            "Provide an LDAP interface for applications and users to authenticate against.",
+        ),
+        renderer: () =>
+            html`<ak-application-wizard-authentication-by-ldap></ak-application-wizard-authentication-by-ldap>`,
+        modelName: ProviderModelEnum.LdapLdapprovider,
+        converter: (provider: OneOfProvider) => ({
+            providerModel: ProviderModelEnum.LdapLdapprovider,
+            ...(provider as LDAPProviderRequest),
+        }),
+        component: "",
+        iconUrl: "/static/authentik/sources/ldap.png",
+    },
+    {
+        formName: "proxyprovider-proxy",
+        name: msg("Transparent Reverse Proxy"),
+        description: msg("For transparent reverse proxies with required authentication"),
+        renderer: () =>
+            html`<ak-application-wizard-authentication-for-reverse-proxy></ak-application-wizard-authentication-for-reverse-proxy>`,
+        modelName: ProviderModelEnum.ProxyProxyprovider,
+        converter: (provider: OneOfProvider) => ({
+            providerModel: ProviderModelEnum.ProxyProxyprovider,
+            ...(provider as ProxyProviderRequest),
+            mode: ProxyMode.Proxy,
+        }),
+        component: "",
+        iconUrl: "/static/authentik/sources/proxy.svg",
+    },
+    {
+        formName: "proxyprovider-forwardsingle",
+        name: msg("Forward Auth (Single Application)"),
+        description: msg("For nginx's auth_request or traefik's forwardAuth"),
+        renderer: () =>
+            html`<ak-application-wizard-authentication-for-single-forward-proxy></ak-application-wizard-authentication-for-single-forward-proxy>`,
+        modelName: ProviderModelEnum.ProxyProxyprovider,
+        converter: (provider: OneOfProvider) => ({
+            providerModel: ProviderModelEnum.ProxyProxyprovider,
+            ...(provider as ProxyProviderRequest),
+            mode: ProxyMode.ForwardSingle,
+        }),
+        component: "",
+        iconUrl: "/static/authentik/sources/proxy.svg",
+    },
+    {
+        formName: "proxyprovider-forwarddomain",
+        name: msg("Forward Auth (Domain Level)"),
+        description: msg("For nginx's auth_request or traefik's forwardAuth per root domain"),
+        renderer: () =>
+            html`<ak-application-wizard-authentication-for-forward-proxy-domain></ak-application-wizard-authentication-for-forward-proxy-domain>`,
+        modelName: ProviderModelEnum.ProxyProxyprovider,
+        converter: (provider: OneOfProvider) => ({
+            providerModel: ProviderModelEnum.ProxyProxyprovider,
+            ...(provider as ProxyProviderRequest),
+            mode: ProxyMode.ForwardDomain,
+        }),
+        component: "",
+        iconUrl: "/static/authentik/sources/proxy.svg",
+    },
+    {
+        formName: "racprovider",
+        name: msg("Remote Access Provider"),
+        description: msg("Remotely access computers/servers via RDP/SSH/VNC"),
+        renderer: () =>
+            html`<ak-application-wizard-authentication-for-rac></ak-application-wizard-authentication-for-rac>`,
+        modelName: ProviderModelEnum.RacRacprovider,
+        converter: (provider: OneOfProvider) => ({
+            providerModel: ProviderModelEnum.RacRacprovider,
+            ...(provider as RACProviderRequest),
+        }),
+        note: () => html`<ak-license-notice></ak-license-notice>`,
+        requiresEnterprise: true,
+        component: "",
+        iconUrl: "/static/authentik/sources/rac.svg",
+    },
+    {
+        formName: "samlprovider",
+        name: msg("SAML (Security Assertion Markup Language)"),
+        description: msg("Configure SAML provider manually"),
+        renderer: () =>
+            html`<ak-application-wizard-authentication-by-saml-configuration></ak-application-wizard-authentication-by-saml-configuration>`,
+        modelName: ProviderModelEnum.SamlSamlprovider,
+        converter: (provider: OneOfProvider) => ({
+            providerModel: ProviderModelEnum.SamlSamlprovider,
+            ...(provider as SAMLProviderRequest),
+        }),
+        component: "",
+        iconUrl: "/static/authentik/sources/saml.png",
+    },
+    {
+        formName: "radiusprovider",
+        name: msg("RADIUS (Remote Authentication Dial-In User Service)"),
+        description: msg("Configure RADIUS provider manually"),
+        renderer: () =>
+            html`<ak-application-wizard-authentication-by-radius></ak-application-wizard-authentication-by-radius>`,
+        modelName: ProviderModelEnum.RadiusRadiusprovider,
+        converter: (provider: OneOfProvider) => ({
+            providerModel: ProviderModelEnum.RadiusRadiusprovider,
+            ...(provider as RadiusProviderRequest),
+        }),
+        component: "",
+        iconUrl: "/static/authentik/sources/radius.svg",
+    },
+    {
+        formName: "scimprovider",
+        name: msg("SCIM (System for Cross-domain Identity Management)"),
+        description: msg("Configure SCIM provider manually"),
+        renderer: () =>
+            html`<ak-application-wizard-authentication-by-scim></ak-application-wizard-authentication-by-scim>`,
+        modelName: ProviderModelEnum.ScimScimprovider,
+        converter: (provider: OneOfProvider) => ({
+            providerModel: ProviderModelEnum.ScimScimprovider,
+            ...(provider as SCIMProviderRequest),
+        }),
+        component: "",
+        iconUrl: "/static/authentik/sources/scim.png",
+    },
+];
+
+export const providerRendererList = new Map<string, ProviderRenderer>(
+    providerModelsList.map((tc) => [tc.formName, tc.renderer]),
+);
+
+export default providerModelsList;
--- a/web/src/admin/applications/wizard/auth-method-choice/ak-application-wizard-authentication-method-choice.ts
+++ b/web/src/admin/applications/wizard/auth-method-choice/ak-application-wizard-authentication-method-choice.ts
@ -7,37 +7,41 @@ import "@goauthentik/elements/forms/HorizontalFormElement";
 import "@goauthentik/elements/wizard/TypeCreateWizardPage";
 import { TypeCreateWizardPageLayouts } from "@goauthentik/elements/wizard/TypeCreateWizardPage";

-import { consume } from "@lit/context";
 import { msg } from "@lit/localize";
 import { customElement } from "@lit/reactive-element/decorators/custom-element.js";
 import { html } from "lit";

 import BasePanel from "../BasePanel";
-import { applicationWizardProvidersContext } from "../ContextIdentity";
 import type { LocalTypeCreate } from "./ak-application-wizard-authentication-method-choice.choices";
+import providerModelsList from "./ak-application-wizard-authentication-method-choice.choices";

@customElement("ak-application-wizard-authentication-method-choice")
 export class ApplicationWizardAuthenticationMethodChoice extends WithLicenseSummary(BasePanel) {
-    @consume({ context: applicationWizardProvidersContext })
-    public providerModelsList!: LocalTypeCreate[];
-
    render() {
-        const selectedTypes = this.providerModelsList.filter(
-            (t) => t.modelName === this.wizard.providerModel,
+        const selectedTypes = providerModelsList.filter(
+            (t) => t.formName === this.wizard.providerModel,
        );

-        return this.providerModelsList.length > 0
+        // As a hack, the Application wizard has separate provider paths for our three types of
+        // proxy providers. This patch swaps the form we want to be directed to on page 3 from the
+        // modelName to the formName, so we get the right one.  This information isn't modified
+        // or forwarded, so the proxy-plus-subtype is correctly mapped on submission.
+        const typesForWizard = providerModelsList.map((provider) => ({
+            ...provider,
+            modelName: provider.formName,
+        }));
+
+        return providerModelsList.length > 0
            ? html`<form class="pf-c-form pf-m-horizontal">
                  <ak-wizard-page-type-create
-                      .types=${this.providerModelsList}
-                      name="selectProviderType"
+                      .types=${typesForWizard}
                      layout=${TypeCreateWizardPageLayouts.grid}
                      .selectedType=${selectedTypes.length > 0 ? selectedTypes[0] : undefined}
                      @select=${(ev: CustomEvent<LocalTypeCreate>) => {
                          this.dispatchWizardUpdate({
                              update: {
                                  ...this.wizard,
-                                  providerModel: ev.detail.modelName,
+                                  providerModel: ev.detail.formName,
                                  errors: {},
                              },
                              status: this.valid ? "valid" : "invalid",
--- a/web/src/admin/applications/wizard/commit/ak-application-wizard-commit-application.ts
+++ b/web/src/admin/applications/wizard/commit/ak-application-wizard-commit-application.ts
@ -22,16 +22,13 @@ import {
    type ApplicationRequest,
    CoreApi,
    type ModelRequest,
-    ProviderModelEnum,
-    ProxyMode,
-    type ProxyProviderRequest,
    type TransactionApplicationRequest,
    type TransactionApplicationResponse,
    ValidationError,
-    instanceOfValidationError,
 } from "@goauthentik/api";

 import BasePanel from "../BasePanel";
+import providerModelsList from "../auth-method-choice/ak-application-wizard-authentication-method-choice.choices";

 function cleanApplication(app: Partial<ApplicationRequest>): ApplicationRequest {
    return {
@ -41,19 +38,14 @@ function cleanApplication(app: Partial<ApplicationRequest>): ApplicationRequest
    };
 }

+type ProviderModelType = Exclude<ModelRequest["providerModel"], "11184809">;
+
 type State = {
    state: "idle" | "running" | "error" | "success";
    label: string | TemplateResult;
    icon: string[];
 };

-const providerMap: Map<string, string> = Object.values(ProviderModelEnum)
-    .filter((value) => /^authentik_providers_/.test(value) && /provider$/.test(value))
-    .reduce((acc: Map<string, string>, value) => {
-        acc.set(value.split(".")[1], value);
-        return acc;
-    }, new Map());
-
 const idleState: State = {
    state: "idle",
    label: "",
@ -77,10 +69,6 @@ const successState: State = {
    icon: ["fa-check-circle", "pf-m-success"],
 };

-type StrictProviderModelEnum = Exclude<ProviderModelEnum, "11184809">;
-// eslint-disable-next-line @typescript-eslint/no-explicit-any
-const isValidationError = (v: any): v is ValidationError => instanceOfValidationError(v);
-
@customElement("ak-application-wizard-commit-application")
 export class ApplicationWizardCommitApplication extends BasePanel {
    static get styles() {
@ -110,28 +98,19 @@ export class ApplicationWizardCommitApplication extends BasePanel {
        if (this.commitState === idleState) {
            this.response = undefined;
            this.commitState = runningState;
-
-            // Stringly-based API. Not the best, but it works. Just be aware that it is
-            // stringly-based.
-
-            const providerModel = providerMap.get(
-                this.wizard.providerModel,
-            ) as StrictProviderModelEnum;
-            const provider = this.wizard.provider as ModelRequest;
-            provider.providerModel = providerModel;
-
-            // Special case for the Proxy provider.
-            if (this.wizard.providerModel === "proxyprovider") {
-                (provider as ProxyProviderRequest).mode = this.wizard.proxyMode;
-                if ((provider as ProxyProviderRequest).mode !== ProxyMode.ForwardDomain) {
-                    (provider as ProxyProviderRequest).cookieDomain = "";
-                }
+            const providerModel = providerModelsList.find(
+                ({ formName }) => formName === this.wizard.providerModel,
+            );
+            if (!providerModel) {
+                throw new Error(
+                    `Could not determine provider model from user request: ${JSON.stringify(this.wizard, null, 2)}`,
+                );
            }

            const request: TransactionApplicationRequest = {
+                providerModel: providerModel.modelName as ProviderModelType,
                app: cleanApplication(this.wizard.app),
-                providerModel,
-                provider,
+                provider: providerModel.converter(this.wizard.provider),
            };

            this.send(request);
@ -142,7 +121,6 @@ export class ApplicationWizardCommitApplication extends BasePanel {
        data: TransactionApplicationRequest,
    ): Promise<TransactionApplicationResponse | void> {
        this.errors = undefined;
-        this.commitState = idleState;
        new CoreApi(DEFAULT_CONFIG)
            .coreTransactionalApplicationsUpdate({
                transactionApplicationRequest: data,
@ -156,26 +134,10 @@ export class ApplicationWizardCommitApplication extends BasePanel {
            // eslint-disable-next-line @typescript-eslint/no-explicit-any
            .catch(async (resolution: any) => {
                const errors = await parseAPIError(resolution);
-                console.log(errors);
-
-                // THIS is a really gross special case; if the user is duplicating the name of an
-                // existing provider, the error appears on the `app` (!) error object. We have to
-                // move that to the `provider.name` error field so it shows up in the right place.
-                if (isValidationError(errors) && Array.isArray(errors?.app?.provider)) {
-                    const providerError = errors.app.provider;
-                    errors.provider = errors.provider ?? {};
-                    errors.provider.name = providerError;
-                    delete errors.app.provider;
-                    if (Object.keys(errors.app).length === 0) {
-                        delete errors.app;
-                    }
-                }
-
-                this.errors = errors;
                this.dispatchWizardUpdate({
                    update: {
                        ...this.wizard,
-                        errors: this.errors,
+                        errors,
                    },
                    status: "failed",
                });
@ -183,7 +145,11 @@ export class ApplicationWizardCommitApplication extends BasePanel {
            });
    }

-    renderErrors(errors: ValidationError) {
+    renderErrors(errors?: ValidationError) {
+        if (!errors) {
+            return nothing;
+        }
+
        const navTo = (step: number) => () =>
            this.dispatchCustomEvent("ak-wizard-nav", {
                command: "goto",
@ -234,9 +200,7 @@ export class ApplicationWizardCommitApplication extends BasePanel {
                            >
                                ${this.commitState.label}
                            </h1>
-                            ${this.commitState === errorState
-                                ? this.renderErrors(this.errors ?? {})
-                                : nothing}
+                            ${this.renderErrors(this.errors)}
                        </div>
                    </div>
                </div>
--- a/web/src/admin/applications/wizard/methods/ak-application-wizard-authentication-method.ts
+++ b/web/src/admin/applications/wizard/methods/ak-application-wizard-authentication-method.ts
@ -1,12 +1,12 @@
-import { consume } from "@lit/context";
 import { customElement } from "@lit/reactive-element/decorators/custom-element.js";

 import BasePanel from "../BasePanel";
-import { applicationWizardProvidersContext } from "../ContextIdentity";
-import type { LocalTypeCreate } from "../auth-method-choice/ak-application-wizard-authentication-method-choice.choices";
+import { providerRendererList } from "../auth-method-choice/ak-application-wizard-authentication-method-choice.choices";
 import "./ldap/ak-application-wizard-authentication-by-ldap";
 import "./oauth/ak-application-wizard-authentication-by-oauth";
+import "./proxy/ak-application-wizard-authentication-for-forward-domain-proxy";
 import "./proxy/ak-application-wizard-authentication-for-reverse-proxy";
+import "./proxy/ak-application-wizard-authentication-for-single-forward-proxy";
 import "./rac/ak-application-wizard-authentication-for-rac";
 import "./radius/ak-application-wizard-authentication-by-radius";
 import "./saml/ak-application-wizard-authentication-by-saml-configuration";
@ -14,19 +14,14 @@ import "./scim/ak-application-wizard-authentication-by-scim";

@customElement("ak-application-wizard-authentication-method")
 export class ApplicationWizardApplicationDetails extends BasePanel {
-    @consume({ context: applicationWizardProvidersContext })
-    public providerModelsList!: LocalTypeCreate[];
-
    render() {
-        const handler: LocalTypeCreate | undefined = this.providerModelsList.find(
-            ({ modelName }) => modelName === this.wizard.providerModel,
-        );
+        const handler = providerRendererList.get(this.wizard.providerModel);
        if (!handler) {
            throw new Error(
                "Unrecognized authentication method in ak-application-wizard-authentication-method",
            );
        }
-        return handler.renderer();
+        return handler();
    }
 }

--- a/web/src/admin/applications/wizard/methods/ldap/LDAPOptionsAndHelp.ts
+++ b/web/src/admin/applications/wizard/methods/ldap/LDAPOptionsAndHelp.ts
--- a/web/src/admin/applications/wizard/methods/ldap/ak-application-wizard-authentication-by-ldap.ts
+++ b/web/src/admin/applications/wizard/methods/ldap/ak-application-wizard-authentication-by-ldap.ts
@ -1,14 +1,33 @@
 import "@goauthentik/admin/applications/wizard/ak-wizard-title";
-import { renderForm } from "@goauthentik/admin/providers/ldap/LDAPProviderFormForm.js";
+import "@goauthentik/admin/common/ak-crypto-certificate-search";
+import "@goauthentik/admin/common/ak-flow-search/ak-branded-flow-search";
+import { first } from "@goauthentik/common/utils";
+import "@goauthentik/components/ak-number-input";
+import "@goauthentik/components/ak-radio-input";
+import "@goauthentik/components/ak-switch-input";
+import "@goauthentik/components/ak-text-input";
 import { WithBrandConfig } from "@goauthentik/elements/Interface/brandProvider";
+import "@goauthentik/elements/forms/FormGroup";
+import "@goauthentik/elements/forms/HorizontalFormElement";

 import { msg } from "@lit/localize";
 import { customElement } from "@lit/reactive-element/decorators/custom-element.js";
-import { html } from "lit";
+import { html, nothing } from "lit";
+import { ifDefined } from "lit/directives/if-defined.js";

+import { FlowsInstancesListDesignationEnum } from "@goauthentik/api";
 import type { LDAPProvider } from "@goauthentik/api";

 import BaseProviderPanel from "../BaseProviderPanel";
+import {
+    bindModeOptions,
+    cryptoCertificateHelp,
+    gidStartNumberHelp,
+    mfaSupportHelp,
+    searchModeOptions,
+    tlsServerNameHelp,
+    uidStartNumberHelp,
+} from "./LDAPOptionsAndHelp";

@customElement("ak-application-wizard-authentication-by-ldap")
 export class ApplicationWizardApplicationDetails extends WithBrandConfig(BaseProviderPanel) {
@ -18,7 +37,128 @@ export class ApplicationWizardApplicationDetails extends WithBrandConfig(BasePro

        return html` <ak-wizard-title>${msg("Configure LDAP Provider")}</ak-wizard-title>
            <form class="pf-c-form pf-m-horizontal" @input=${this.handleChange}>
-                ${renderForm(provider, errors, this.brand)}
+                <ak-text-input
+                    name="name"
+                    value=${ifDefined(provider?.name)}
+                    label=${msg("Name")}
+                    .errorMessages=${errors?.name ?? []}
+                    required
+                    help=${msg("Method's display Name.")}
+                ></ak-text-input>
+
+                <ak-form-element-horizontal
+                    label=${msg("Bind flow")}
+                    ?required=${true}
+                    name="authorizationFlow"
+                    .errorMessages=${errors?.authorizationFlow ?? []}
+                >
+                    <ak-branded-flow-search
+                        flowType=${FlowsInstancesListDesignationEnum.Authentication}
+                        .currentFlow=${provider?.authorizationFlow}
+                        .brandFlow=${this.brand.flowAuthentication}
+                        required
+                    ></ak-branded-flow-search>
+                    <p class="pf-c-form__helper-text">
+                        ${msg("Flow used for users to authenticate.")}
+                    </p>
+                </ak-form-element-horizontal>
+                <ak-form-element-horizontal
+                    label=${msg("Unbind flow")}
+                    name="invalidationFlow"
+                    required
+                >
+                    <ak-branded-flow-search
+                        flowType=${FlowsInstancesListDesignationEnum.Invalidation}
+                        .currentFlow=${provider?.invalidationFlow}
+                        .brandFlow=${this.brand.flowInvalidation}
+                        required
+                    ></ak-branded-flow-search>
+                    <p class="pf-c-form__helper-text">${msg("Flow used for unbinding users.")}</p>
+                </ak-form-element-horizontal>
+
+                <ak-radio-input
+                    label=${msg("Bind mode")}
+                    name="bindMode"
+                    .options=${bindModeOptions}
+                    .value=${provider?.bindMode}
+                    help=${msg("Configure how the outpost authenticates requests.")}
+                >
+                </ak-radio-input>
+
+                <ak-radio-input
+                    label=${msg("Search mode")}
+                    name="searchMode"
+                    .options=${searchModeOptions}
+                    .value=${provider?.searchMode}
+                    help=${msg(
+                        "Configure how the outpost queries the core authentik server's users.",
+                    )}
+                >
+                </ak-radio-input>
+
+                <ak-switch-input
+                    name="mfaSupport"
+                    label=${msg("Code-based MFA Support")}
+                    ?checked=${provider?.mfaSupport ?? true}
+                    help=${mfaSupportHelp}
+                >
+                </ak-switch-input>
+
+                <ak-form-group .expanded=${true}>
+                    <span slot="header"> ${msg("Protocol settings")} </span>
+                    <div slot="body" class="pf-c-form">
+                        <ak-text-input
+                            name="baseDn"
+                            label=${msg("Base DN")}
+                            required
+                            value="${first(provider?.baseDn, "DC=ldap,DC=goauthentik,DC=io")}"
+                            .errorMessages=${errors?.baseDn ?? []}
+                            help=${msg(
+                                "LDAP DN under which bind requests and search requests can be made.",
+                            )}
+                        >
+                        </ak-text-input>
+
+                        <ak-form-element-horizontal
+                            label=${msg("Certificate")}
+                            name="certificate"
+                            .errorMessages=${errors?.certificate ?? []}
+                        >
+                            <ak-crypto-certificate-search
+                                certificate=${ifDefined(provider?.certificate ?? nothing)}
+                                name="certificate"
+                            >
+                            </ak-crypto-certificate-search>
+                            <p class="pf-c-form__helper-text">${cryptoCertificateHelp}</p>
+                        </ak-form-element-horizontal>
+
+                        <ak-text-input
+                            label=${msg("TLS Server name")}
+                            name="tlsServerName"
+                            value="${first(provider?.tlsServerName, "")}"
+                            .errorMessages=${errors?.tlsServerName ?? []}
+                            help=${tlsServerNameHelp}
+                        ></ak-text-input>
+
+                        <ak-number-input
+                            label=${msg("UID start number")}
+                            required
+                            name="uidStartNumber"
+                            value="${first(provider?.uidStartNumber, 2000)}"
+                            .errorMessages=${errors?.uidStartNumber ?? []}
+                            help=${uidStartNumberHelp}
+                        ></ak-number-input>
+
+                        <ak-number-input
+                            label=${msg("GID start number")}
+                            required
+                            name="gidStartNumber"
+                            value="${first(provider?.gidStartNumber, 4000)}"
+                            .errorMessages=${errors?.gidStartNumber ?? []}
+                            help=${gidStartNumberHelp}
+                        ></ak-number-input>
+                    </div>
+                </ak-form-group>
            </form>`;
    }
 }
--- a/web/src/admin/applications/wizard/methods/oauth/ak-application-wizard-authentication-by-oauth.ts
+++ b/web/src/admin/applications/wizard/methods/oauth/ak-application-wizard-authentication-by-oauth.ts
@ -1,11 +1,47 @@
-import { renderForm } from "@goauthentik/admin/providers/oauth2/OAuth2ProviderFormForm.js";
+import "@goauthentik/admin/applications/wizard/ak-wizard-title";
+import "@goauthentik/admin/common/ak-crypto-certificate-search";
+import "@goauthentik/admin/common/ak-flow-search/ak-branded-flow-search";
+import {
+    makeOAuth2PropertyMappingsSelector,
+    oauth2PropertyMappingsProvider,
+} from "@goauthentik/admin/providers/oauth2/OAuth2PropertyMappings.js";
+import {
+    clientTypeOptions,
+    issuerModeOptions,
+    redirectUriHelp,
+    subjectModeOptions,
+} from "@goauthentik/admin/providers/oauth2/OAuth2ProviderForm";
+import {
+    IRedirectURIInput,
+    akOAuthRedirectURIInput,
+} from "@goauthentik/admin/providers/oauth2/OAuth2ProviderRedirectURI";
+import {
+    makeSourceSelector,
+    oauth2SourcesProvider,
+} from "@goauthentik/admin/providers/oauth2/OAuth2Sources.js";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import { ascii_letters, digits, first, randomString } from "@goauthentik/common/utils";
+import "@goauthentik/components/ak-number-input";
+import "@goauthentik/components/ak-radio-input";
+import "@goauthentik/components/ak-switch-input";
+import "@goauthentik/components/ak-text-input";
+import "@goauthentik/components/ak-textarea-input";
+import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
+import "@goauthentik/elements/forms/FormGroup";
+import "@goauthentik/elements/forms/HorizontalFormElement";

 import { msg } from "@lit/localize";
 import { customElement, state } from "@lit/reactive-element/decorators.js";
-import { html } from "lit";
+import { html, nothing } from "lit";
+import { ifDefined } from "lit/directives/if-defined.js";

-import { SourcesApi } from "@goauthentik/api";
+import {
+    ClientTypeEnum,
+    FlowsInstancesListDesignationEnum,
+    MatchingModeEnum,
+    RedirectURI,
+    SourcesApi,
+} from "@goauthentik/api";
 import { type OAuth2Provider, type PaginatedOAuthSourceList } from "@goauthentik/api";

 import BaseProviderPanel from "../BaseProviderPanel";
@ -33,17 +69,258 @@ export class ApplicationWizardAuthenticationByOauth extends BaseProviderPanel {
    render() {
        const provider = this.wizard.provider as OAuth2Provider | undefined;
        const errors = this.wizard.errors.provider;
-        const showClientSecretCallback = (show: boolean) => {
-            this.showClientSecret = show;
-        };
-        return html` <ak-wizard-title>${msg("Configure OAuth2 Provider")}</ak-wizard-title>
+
+        return html`<ak-wizard-title>${msg("Configure OAuth2/OpenId Provider")}</ak-wizard-title>
            <form class="pf-c-form pf-m-horizontal" @input=${this.handleChange}>
-                ${renderForm(
-                    provider ?? {},
-                    errors,
-                    this.showClientSecret,
-                    showClientSecretCallback,
-                )}
+                <ak-text-input
+                    name="name"
+                    label=${msg("Name")}
+                    value=${ifDefined(provider?.name)}
+                    .errorMessages=${errors?.name ?? []}
+                    required
+                ></ak-text-input>
+
+                <ak-form-element-horizontal
+                    name="authorizationFlow"
+                    label=${msg("Authorization flow")}
+                    .errorMessages=${errors?.authorizationFlow ?? []}
+                    ?required=${true}
+                >
+                    <ak-flow-search
+                        flowType=${FlowsInstancesListDesignationEnum.Authorization}
+                        .currentFlow=${provider?.authorizationFlow}
+                        required
+                    ></ak-flow-search>
+                    <p class="pf-c-form__helper-text">
+                        ${msg("Flow used when authorizing this provider.")}
+                    </p>
+                </ak-form-element-horizontal>
+
+                <ak-form-group .expanded=${true}>
+                    <span slot="header"> ${msg("Protocol settings")} </span>
+                    <div slot="body" class="pf-c-form">
+                        <ak-radio-input
+                            name="clientType"
+                            label=${msg("Client type")}
+                            .value=${provider?.clientType}
+                            required
+                            @change=${(ev: CustomEvent<{ value: ClientTypeEnum }>) => {
+                                this.showClientSecret = ev.detail.value !== ClientTypeEnum.Public;
+                            }}
+                            .options=${clientTypeOptions}
+                        >
+                        </ak-radio-input>
+
+                        <ak-text-input
+                            name="clientId"
+                            label=${msg("Client ID")}
+                            value=${provider?.clientId ?? randomString(40, ascii_letters + digits)}
+                            .errorMessages=${errors?.clientId ?? []}
+                            required
+                        >
+                        </ak-text-input>
+
+                        <ak-text-input
+                            name="clientSecret"
+                            label=${msg("Client Secret")}
+                            value=${provider?.clientSecret ??
+                            randomString(128, ascii_letters + digits)}
+                            .errorMessages=${errors?.clientSecret ?? []}
+                            ?hidden=${!this.showClientSecret}
+                        >
+                        </ak-text-input>
+
+                        <ak-form-element-horizontal
+                            label=${msg("Redirect URIs/Origins")}
+                            required
+                            name="redirectUris"
+                        >
+                            <ak-array-input
+                                .items=${[]}
+                                .newItem=${() => ({
+                                    matchingMode: MatchingModeEnum.Strict,
+                                    url: "",
+                                })}
+                                .row=${(f?: RedirectURI) =>
+                                    akOAuthRedirectURIInput({
+                                        ".redirectURI": f,
+                                        "style": "width: 100%",
+                                        "name": "oauth2-redirect-uri",
+                                    } as unknown as IRedirectURIInput)}
+                            >
+                            </ak-array-input>
+                            ${redirectUriHelp}
+                        </ak-form-element-horizontal>
+
+                        <ak-form-element-horizontal
+                            label=${msg("Signing Key")}
+                            name="signingKey"
+                            .errorMessages=${errors?.signingKey ?? []}
+                        >
+                            <ak-crypto-certificate-search
+                                certificate=${ifDefined(provider?.signingKey ?? nothing)}
+                                name="certificate"
+                                singleton
+                            >
+                            </ak-crypto-certificate-search>
+                            <p class="pf-c-form__helper-text">
+                                ${msg("Key used to sign the tokens.")}
+                            </p>
+                        </ak-form-element-horizontal>
+                    </div>
+                </ak-form-group>
+
+                <ak-form-group>
+                    <span slot="header"> ${msg("Advanced flow settings")} </span>
+                    <div slot="body" class="pf-c-form">
+                        <ak-form-element-horizontal
+                            name="authenticationFlow"
+                            label=${msg("Authentication flow")}
+                        >
+                            <ak-flow-search
+                                flowType=${FlowsInstancesListDesignationEnum.Authentication}
+                                .currentFlow=${provider?.authenticationFlow}
+                            ></ak-flow-search>
+                            <p class="pf-c-form__helper-text">
+                                ${msg(
+                                    "Flow used when a user access this provider and is not authenticated.",
+                                )}
+                            </p>
+                        </ak-form-element-horizontal>
+                        <ak-form-element-horizontal
+                            label=${msg("Invalidation flow")}
+                            name="invalidationFlow"
+                            required
+                        >
+                            <ak-flow-search
+                                flowType=${FlowsInstancesListDesignationEnum.Invalidation}
+                                .currentFlow=${provider?.invalidationFlow}
+                                defaultFlowSlug="default-provider-invalidation-flow"
+                                required
+                            ></ak-flow-search>
+                            <p class="pf-c-form__helper-text">
+                                ${msg("Flow used when logging out of this provider.")}
+                            </p>
+                        </ak-form-element-horizontal>
+                    </div>
+                </ak-form-group>
+                <ak-form-group>
+                    <span slot="header"> ${msg("Advanced protocol settings")} </span>
+                    <div slot="body" class="pf-c-form">
+                        <ak-text-input
+                            name="accessCodeValidity"
+                            label=${msg("Access code validity")}
+                            required
+                            value="${first(provider?.accessCodeValidity, "minutes=1")}"
+                            .errorMessages=${errors?.accessCodeValidity ?? []}
+                            .bighelp=${html`<p class="pf-c-form__helper-text">
+                                    ${msg("Configure how long access codes are valid for.")}
+                                </p>
+                                <ak-utils-time-delta-help></ak-utils-time-delta-help>`}
+                        >
+                        </ak-text-input>
+
+                        <ak-text-input
+                            name="accessTokenValidity"
+                            label=${msg("Access Token validity")}
+                            value="${first(provider?.accessTokenValidity, "minutes=5")}"
+                            required
+                            .errorMessages=${errors?.accessTokenValidity ?? []}
+                            .bighelp=${html` <p class="pf-c-form__helper-text">
+                                    ${msg("Configure how long access tokens are valid for.")}
+                                </p>
+                                <ak-utils-time-delta-help></ak-utils-time-delta-help>`}
+                        >
+                        </ak-text-input>
+
+                        <ak-text-input
+                            name="refreshTokenValidity"
+                            label=${msg("Refresh Token validity")}
+                            value="${first(provider?.refreshTokenValidity, "days=30")}"
+                            .errorMessages=${errors?.refreshTokenValidity ?? []}
+                            ?required=${true}
+                            .bighelp=${html` <p class="pf-c-form__helper-text">
+                                    ${msg("Configure how long refresh tokens are valid for.")}
+                                </p>
+                                <ak-utils-time-delta-help></ak-utils-time-delta-help>`}
+                        >
+                        </ak-text-input>
+
+                        <ak-form-element-horizontal
+                            label=${msg("Scopes")}
+                            name="propertyMappings"
+                            .errorMessages=${errors?.propertyMappings ?? []}
+                        >
+                            <ak-dual-select-dynamic-selected
+                                .provider=${oauth2PropertyMappingsProvider}
+                                .selector=${makeOAuth2PropertyMappingsSelector(
+                                    provider?.propertyMappings,
+                                )}
+                                available-label=${msg("Available Scopes")}
+                                selected-label=${msg("Selected Scopes")}
+                            ></ak-dual-select-dynamic-selected>
+                            <p class="pf-c-form__helper-text">
+                                ${msg(
+                                    "Select which scopes can be used by the client. The client still has to specify the scope to access the data.",
+                                )}
+                            </p>
+                        </ak-form-element-horizontal>
+
+                        <ak-radio-input
+                            name="subMode"
+                            label=${msg("Subject mode")}
+                            required
+                            .options=${subjectModeOptions}
+                            .value=${provider?.subMode}
+                            help=${msg(
+                                "Configure what data should be used as unique User Identifier. For most cases, the default should be fine.",
+                            )}
+                        >
+                        </ak-radio-input>
+                        <ak-switch-input
+                            name="includeClaimsInIdToken"
+                            label=${msg("Include claims in id_token")}
+                            ?checked=${first(provider?.includeClaimsInIdToken, true)}
+                            help=${msg(
+                                "Include User claims from scopes in the id_token, for applications that don't access the userinfo endpoint.",
+                            )}
+                        ></ak-switch-input>
+                        <ak-radio-input
+                            name="issuerMode"
+                            label=${msg("Issuer mode")}
+                            required
+                            .options=${issuerModeOptions}
+                            .value=${provider?.issuerMode}
+                            help=${msg(
+                                "Configure how the issuer field of the ID Token should be filled.",
+                            )}
+                        >
+                        </ak-radio-input>
+                    </div>
+                </ak-form-group>
+
+                <ak-form-group>
+                    <span slot="header">${msg("Machine-to-Machine authentication settings")}</span>
+                    <div slot="body" class="pf-c-form">
+                        <ak-form-element-horizontal
+                            label=${msg("Trusted OIDC Sources")}
+                            name="jwksSources"
+                            .errorMessages=${errors?.jwksSources ?? []}
+                        >
+                            <ak-dual-select-dynamic-selected
+                                .provider=${oauth2SourcesProvider}
+                                .selector=${makeSourceSelector(provider?.jwksSources)}
+                                available-label=${msg("Available Sources")}
+                                selected-label=${msg("Selected Sources")}
+                            ></ak-dual-select-dynamic-selected>
+                            <p class="pf-c-form__helper-text">
+                                ${msg(
+                                    "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider.",
+                                )}
+                            </p>
+                        </ak-form-element-horizontal>
+                    </div>
+                </ak-form-group>
            </form>`;
    }
 }
--- a/web/src/admin/applications/wizard/methods/proxy/AuthenticationByProxyPage.ts
+++ b/web/src/admin/applications/wizard/methods/proxy/AuthenticationByProxyPage.ts
@ -0,0 +1,267 @@
+import "@goauthentik/admin/applications/wizard/ak-wizard-title";
+import {
+    makeSourceSelector,
+    oauth2SourcesProvider,
+} from "@goauthentik/admin/providers/oauth2/OAuth2Sources.js";
+import {
+    makeProxyPropertyMappingsSelector,
+    proxyPropertyMappingsProvider,
+} from "@goauthentik/admin/providers/proxy/ProxyProviderPropertyMappings.js";
+import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import { first } from "@goauthentik/common/utils";
+import "@goauthentik/components/ak-switch-input";
+import "@goauthentik/components/ak-text-input";
+import "@goauthentik/components/ak-textarea-input";
+import "@goauthentik/components/ak-toggle-group";
+import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
+import "@goauthentik/elements/forms/HorizontalFormElement";
+
+import { msg } from "@lit/localize";
+import { state } from "@lit/reactive-element/decorators.js";
+import { TemplateResult, html, nothing } from "lit";
+import { ifDefined } from "lit/directives/if-defined.js";
+
+import {
+    FlowsInstancesListDesignationEnum,
+    PaginatedOAuthSourceList,
+    PaginatedScopeMappingList,
+    ProxyMode,
+    ProxyProvider,
+    SourcesApi,
+} from "@goauthentik/api";
+
+import BaseProviderPanel from "../BaseProviderPanel";
+
+type MaybeTemplateResult = TemplateResult | typeof nothing;
+
+export class AkTypeProxyApplicationWizardPage extends BaseProviderPanel {
+    constructor() {
+        super();
+        new SourcesApi(DEFAULT_CONFIG)
+            .sourcesOauthList({
+                ordering: "name",
+                hasJwks: true,
+            })
+            .then((oauthSources: PaginatedOAuthSourceList) => {
+                this.oauthSources = oauthSources;
+            });
+    }
+
+    propertyMappings?: PaginatedScopeMappingList;
+    oauthSources?: PaginatedOAuthSourceList;
+
+    @state()
+    showHttpBasic = true;
+
+    @state()
+    mode: ProxyMode = ProxyMode.Proxy;
+
+    get instance(): ProxyProvider | undefined {
+        return this.wizard.provider as ProxyProvider;
+    }
+
+    renderModeDescription(): MaybeTemplateResult {
+        return nothing;
+    }
+
+    renderProxyMode(): TemplateResult {
+        throw new Error("Must be implemented in a child class.");
+    }
+
+    renderHttpBasic() {
+        return html`<ak-text-input
+                name="basicAuthUserAttribute"
+                label=${msg("HTTP-Basic Username Key")}
+                value="${ifDefined(this.instance?.basicAuthUserAttribute)}"
+                help=${msg(
+                    "User/Group Attribute used for the user part of the HTTP-Basic Header. If not set, the user's Email address is used.",
+                )}
+            >
+            </ak-text-input>
+
+            <ak-text-input
+                name="basicAuthPasswordAttribute"
+                label=${msg("HTTP-Basic Password Key")}
+                value="${ifDefined(this.instance?.basicAuthPasswordAttribute)}"
+                help=${msg(
+                    "User/Group Attribute used for the password part of the HTTP-Basic Header.",
+                )}
+            >
+            </ak-text-input>`;
+    }
+
+    render() {
+        const errors = this.wizard.errors.provider;
+
+        return html` <ak-wizard-title>${msg("Configure Proxy Provider")}</ak-wizard-title>
+            <form class="pf-c-form pf-m-horizontal" @input=${this.handleChange}>
+                ${this.renderModeDescription()}
+                <ak-text-input
+                    name="name"
+                    value=${ifDefined(this.instance?.name)}
+                    required
+                    .errorMessages=${errors?.name ?? []}
+                    label=${msg("Name")}
+                ></ak-text-input>
+
+                <ak-form-element-horizontal
+                    label=${msg("Authorization flow")}
+                    required
+                    name="authorizationFlow"
+                    .errorMessages=${errors?.authorizationFlow ?? []}
+                >
+                    <ak-flow-search
+                        flowType=${FlowsInstancesListDesignationEnum.Authorization}
+                        .currentFlow=${this.instance?.authorizationFlow}
+                        required
+                    ></ak-flow-search>
+                    <p class="pf-c-form__helper-text">
+                        ${msg("Flow used when authorizing this provider.")}
+                    </p>
+                </ak-form-element-horizontal>
+
+                ${this.renderProxyMode()}
+
+                <ak-text-input
+                    name="accessTokenValidity"
+                    value=${first(this.instance?.accessTokenValidity, "hours=24")}
+                    label=${msg("Token validity")}
+                    help=${msg("Configure how long tokens are valid for.")}
+                    .errorMessages=${errors?.accessTokenValidity ?? []}
+                ></ak-text-input>
+
+                <ak-form-group>
+                    <span slot="header">${msg("Advanced protocol settings")}</span>
+                    <div slot="body" class="pf-c-form">
+                        <ak-form-element-horizontal
+                            label=${msg("Certificate")}
+                            name="certificate"
+                            .errorMessages=${errors?.certificate ?? []}
+                        >
+                            <ak-crypto-certificate-search
+                                certificate=${ifDefined(this.instance?.certificate ?? undefined)}
+                            ></ak-crypto-certificate-search>
+                        </ak-form-element-horizontal>
+                        <ak-form-element-horizontal
+                            label=${msg("Additional scopes")}
+                            name="propertyMappings"
+                        >
+                            <ak-dual-select-dynamic-selected
+                                .provider=${proxyPropertyMappingsProvider}
+                                .selector=${makeProxyPropertyMappingsSelector(
+                                    this.instance?.propertyMappings,
+                                )}
+                                available-label="${msg("Available Scopes")}"
+                                selected-label="${msg("Selected Scopes")}"
+                            ></ak-dual-select-dynamic-selected>
+                            <p class="pf-c-form__helper-text">
+                                ${msg("Additional scope mappings, which are passed to the proxy.")}
+                            </p>
+                        </ak-form-element-horizontal>
+
+                        <ak-textarea-input
+                            name="skipPathRegex"
+                            label=${this.mode === ProxyMode.ForwardDomain
+                                ? msg("Unauthenticated URLs")
+                                : msg("Unauthenticated Paths")}
+                            value=${ifDefined(this.instance?.skipPathRegex)}
+                            .errorMessages=${errors?.skipPathRegex ?? []}
+                            .bighelp=${html` <p class="pf-c-form__helper-text">
+                                    ${msg(
+                                        "Regular expressions for which authentication is not required. Each new line is interpreted as a new expression.",
+                                    )}
+                                </p>
+                                <p class="pf-c-form__helper-text">
+                                    ${msg(
+                                        "When using proxy or forward auth (single application) mode, the requested URL Path is checked against the regular expressions. When using forward auth (domain mode), the full requested URL including scheme and host is matched against the regular expressions.",
+                                    )}
+                                </p>`}
+                        >
+                        </ak-textarea-input>
+                    </div>
+                </ak-form-group>
+                <ak-form-group>
+                    <span slot="header"> ${msg("Advanced flow settings")} </span>
+                    <div slot="body" class="pf-c-form">
+                        <ak-form-element-horizontal
+                            name="authenticationFlow"
+                            label=${msg("Authentication flow")}
+                        >
+                            <ak-flow-search
+                                flowType=${FlowsInstancesListDesignationEnum.Authentication}
+                                .currentFlow=${this.instance?.authenticationFlow}
+                            ></ak-flow-search>
+                            <p class="pf-c-form__helper-text">
+                                ${msg(
+                                    "Flow used when a user access this provider and is not authenticated.",
+                                )}
+                            </p>
+                        </ak-form-element-horizontal>
+                        <ak-form-element-horizontal
+                            label=${msg("Invalidation flow")}
+                            name="invalidationFlow"
+                            required
+                        >
+                            <ak-flow-search
+                                flowType=${FlowsInstancesListDesignationEnum.Invalidation}
+                                .currentFlow=${this.instance?.invalidationFlow}
+                                defaultFlowSlug="default-provider-invalidation-flow"
+                                required
+                            ></ak-flow-search>
+                            <p class="pf-c-form__helper-text">
+                                ${msg("Flow used when logging out of this provider.")}
+                            </p>
+                        </ak-form-element-horizontal>
+                    </div>
+                </ak-form-group>
+                <ak-form-group>
+                    <span slot="header">${msg("Authentication settings")}</span>
+                    <div slot="body" class="pf-c-form">
+                        <ak-switch-input
+                            name="interceptHeaderAuth"
+                            ?checked=${first(this.instance?.interceptHeaderAuth, true)}
+                            label=${msg("Intercept header authentication")}
+                            help=${msg(
+                                "When enabled, authentik will intercept the Authorization header to authenticate the request.",
+                            )}
+                        ></ak-switch-input>
+
+                        <ak-switch-input
+                            name="basicAuthEnabled"
+                            ?checked=${first(this.instance?.basicAuthEnabled, false)}
+                            @change=${(ev: Event) => {
+                                const el = ev.target as HTMLInputElement;
+                                this.showHttpBasic = el.checked;
+                            }}
+                            label=${msg("Send HTTP-Basic Authentication")}
+                            help=${msg(
+                                "Send a custom HTTP-Basic Authentication header based on values from authentik.",
+                            )}
+                        ></ak-switch-input>
+
+                        ${this.showHttpBasic ? this.renderHttpBasic() : html``}
+
+                        <ak-form-element-horizontal
+                            label=${msg("Trusted OIDC Sources")}
+                            name="jwksSources"
+                            .errorMessages=${errors?.jwksSources ?? []}
+                        >
+                            <ak-dual-select-dynamic-selected
+                                .provider=${oauth2SourcesProvider}
+                                .selector=${makeSourceSelector(this.instance?.jwksSources)}
+                                available-label=${msg("Available Sources")}
+                                selected-label=${msg("Selected Sources")}
+                            ></ak-dual-select-dynamic-selected>
+                            <p class="pf-c-form__helper-text">
+                                ${msg(
+                                    "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider.",
+                                )}
+                            </p>
+                        </ak-form-element-horizontal>
+                    </div>
+                </ak-form-group>
+            </form>`;
+    }
+}
+
+export default AkTypeProxyApplicationWizardPage;
--- a/web/src/admin/applications/wizard/methods/proxy/ak-application-wizard-authentication-for-forward-domain-proxy.ts
+++ b/web/src/admin/applications/wizard/methods/proxy/ak-application-wizard-authentication-for-forward-domain-proxy.ts
@ -0,0 +1,74 @@
+import "@goauthentik/components/ak-text-input";
+
+import { msg } from "@lit/localize";
+import { customElement } from "@lit/reactive-element/decorators.js";
+import { html } from "lit";
+import { ifDefined } from "lit/directives/if-defined.js";
+
+import PFList from "@patternfly/patternfly/components/List/list.css";
+
+import { ProxyProvider } from "@goauthentik/api";
+
+import AkTypeProxyApplicationWizardPage from "./AuthenticationByProxyPage";
+
+@customElement("ak-application-wizard-authentication-for-forward-proxy-domain")
+export class AkForwardDomainProxyApplicationWizardPage extends AkTypeProxyApplicationWizardPage {
+    static get styles() {
+        return super.styles.concat(PFList);
+    }
+
+    renderModeDescription() {
+        return html`<p>
+                ${msg(
+                    "Use this provider with nginx's auth_request or traefik's forwardAuth. Only a single provider is required per root domain. You can't do per-application authorization, but you don't have to create a provider for each application.",
+                )}
+            </p>
+            <div>
+                ${msg("An example setup can look like this:")}
+                <ul class="pf-c-list">
+                    <li>${msg("authentik running on auth.example.com")}</li>
+                    <li>${msg("app1 running on app1.example.com")}</li>
+                </ul>
+                ${msg(
+                    "In this case, you'd set the Authentication URL to auth.example.com and Cookie domain to example.com.",
+                )}
+            </div>`;
+    }
+
+    renderProxyMode() {
+        const provider = this.wizard.provider as ProxyProvider | undefined;
+        const errors = this.wizard.errors.provider;
+
+        return html`
+            <ak-text-input
+                name="externalHost"
+                label=${msg("External host")}
+                value=${ifDefined(provider?.externalHost)}
+                .errorMessages=${errors?.externalHost ?? []}
+                required
+                help=${msg(
+                    "The external URL you'll authenticate at. The authentik core server should be reachable under this URL.",
+                )}
+            >
+            </ak-text-input>
+            <ak-text-input
+                name="cookieDomain"
+                label=${msg("Cookie domain")}
+                value="${ifDefined(provider?.cookieDomain)}"
+                .errorMessages=${errors?.cookieDomain ?? []}
+                required
+                help=${msg(
+                    "Set this to the domain you wish the authentication to be valid for. Must be a parent domain of the URL above. If you're running applications as app1.domain.tld, app2.domain.tld, set this to 'domain.tld'.",
+                )}
+            ></ak-text-input>
+        `;
+    }
+}
+
+export default AkForwardDomainProxyApplicationWizardPage;
+
+declare global {
+    interface HTMLElementTagNameMap {
+        "ak-application-wizard-authentication-for-forward-proxy-domain": AkForwardDomainProxyApplicationWizardPage;
+    }
+}
--- a/web/src/admin/applications/wizard/methods/proxy/ak-application-wizard-authentication-for-reverse-proxy.ts
+++ b/web/src/admin/applications/wizard/methods/proxy/ak-application-wizard-authentication-for-reverse-proxy.ts
@ -1,50 +1,55 @@
-import {
-    ProxyModeValue,
-    type SetMode,
-    type SetShowHttpBasic,
-    renderForm,
-} from "@goauthentik/admin/providers/proxy/ProxyProviderFormForm.js";
+import { first } from "@goauthentik/common/utils";
+import "@goauthentik/components/ak-switch-input";
+import "@goauthentik/components/ak-text-input";

 import { msg } from "@lit/localize";
-import { customElement, state } from "@lit/reactive-element/decorators.js";
+import { customElement } from "@lit/reactive-element/decorators.js";
 import { html } from "lit";
+import { ifDefined } from "lit/directives/if-defined.js";

-import { ProxyMode } from "@goauthentik/api";
+import { ProxyProvider } from "@goauthentik/api";

-import BaseProviderPanel from "../BaseProviderPanel.js";
+import AkTypeProxyApplicationWizardPage from "./AuthenticationByProxyPage";

@customElement("ak-application-wizard-authentication-for-reverse-proxy")
-export class AkReverseProxyApplicationWizardPage extends BaseProviderPanel {
-    @state()
-    showHttpBasic = true;
+export class AkReverseProxyApplicationWizardPage extends AkTypeProxyApplicationWizardPage {
+    renderModeDescription() {
+        return html`<p class="pf-u-mb-xl">
+            ${msg(
+                "This provider will behave like a transparent reverse-proxy, except requests must be authenticated. If your upstream application uses HTTPS, make sure to connect to the outpost using HTTPS as well.",
+            )}
+        </p>`;
+    }

-    render() {
-        const onSetMode: SetMode = (ev: CustomEvent<ProxyModeValue>) => {
-            this.dispatchWizardUpdate({
-                update: {
-                    ...this.wizard,
-                    proxyMode: ev.detail.value,
-                },
-            });
-            // We deliberately chose not to make the forms "controlled," but we do need this form to
-            // respond immediately to a state change in the wizard.
-            window.setTimeout(() => this.requestUpdate(), 0);
-        };
+    renderProxyMode() {
+        const provider = this.wizard.provider as ProxyProvider | undefined;
+        const errors = this.wizard.errors.provider;

-        const onSetShowHttpBasic: SetShowHttpBasic = (ev: Event) => {
-            const el = ev.target as HTMLInputElement;
-            this.showHttpBasic = el.checked;
-        };
-
-        return html` <ak-wizard-title>${msg("Configure Proxy Provider")}</ak-wizard-title>
-            <form class="pf-c-form pf-m-horizontal" @input=${this.handleChange}>
-                ${renderForm(this.wizard.provider ?? {}, this.wizard.errors.provider ?? [], {
-                    mode: this.wizard.proxyMode ?? ProxyMode.Proxy,
-                    onSetMode,
-                    showHttpBasic: this.showHttpBasic,
-                    onSetShowHttpBasic,
-                })}
-            </form>`;
+        return html` <ak-text-input
+                name="externalHost"
+                value=${ifDefined(provider?.externalHost)}
+                required
+                label=${msg("External host")}
+                .errorMessages=${errors?.externalHost ?? []}
+                help=${msg(
+                    "The external URL you'll access the application at. Include any non-standard port.",
+                )}
+            ></ak-text-input>
+            <ak-text-input
+                name="internalHost"
+                value=${ifDefined(provider?.internalHost)}
+                .errorMessages=${errors?.internalHost ?? []}
+                required
+                label=${msg("Internal host")}
+                help=${msg("Upstream host that the requests are forwarded to.")}
+            ></ak-text-input>
+            <ak-switch-input
+                name="internalHostSslValidation"
+                ?checked=${first(provider?.internalHostSslValidation, true)}
+                label=${msg("Internal host SSL Validation")}
+                help=${msg("Validate SSL Certificates of upstream servers.")}
+            >
+            </ak-switch-input>`;
    }
 }

--- a/web/src/admin/applications/wizard/methods/proxy/ak-application-wizard-authentication-for-single-forward-proxy.ts
+++ b/web/src/admin/applications/wizard/methods/proxy/ak-application-wizard-authentication-for-single-forward-proxy.ts
@ -0,0 +1,48 @@
+import "@goauthentik/components/ak-text-input";
+
+import { msg } from "@lit/localize";
+import { customElement } from "@lit/reactive-element/decorators.js";
+import { html } from "lit";
+import { ifDefined } from "lit/directives/if-defined.js";
+
+import { ProxyProvider } from "@goauthentik/api";
+
+import AkTypeProxyApplicationWizardPage from "./AuthenticationByProxyPage";
+
+@customElement("ak-application-wizard-authentication-for-single-forward-proxy")
+export class AkForwardSingleProxyApplicationWizardPage extends AkTypeProxyApplicationWizardPage {
+    renderModeDescription() {
+        return html`<p class="pf-u-mb-xl">
+            ${msg(
+                html`Use this provider with nginx's <code>auth_request</code> or traefik's
+                    <code>forwardAuth</code>. Each application/domain needs its own provider.
+                    Additionally, on each domain, <code>/outpost.goauthentik.io</code> must be
+                    routed to the outpost (when using a managed outpost, this is done for you).`,
+            )}
+        </p>`;
+    }
+
+    renderProxyMode() {
+        const provider = this.wizard.provider as ProxyProvider | undefined;
+        const errors = this.wizard.errors.provider;
+
+        return html`<ak-text-input
+            name="externalHost"
+            value=${ifDefined(provider?.externalHost)}
+            required
+            label=${msg("External host")}
+            .errorMessages=${errors?.externalHost ?? []}
+            help=${msg(
+                "The external URL you'll access the application at. Include any non-standard port.",
+            )}
+        ></ak-text-input>`;
+    }
+}
+
+export default AkForwardSingleProxyApplicationWizardPage;
+
+declare global {
+    interface HTMLElementTagNameMap {
+        "ak-application-wizard-authentication-for-single-forward-proxy": AkForwardSingleProxyApplicationWizardPage;
+    }
+}
--- a/web/src/admin/applications/wizard/methods/radius/ak-application-wizard-authentication-by-radius.ts
+++ b/web/src/admin/applications/wizard/methods/radius/ak-application-wizard-authentication-by-radius.ts
@ -1,7 +1,7 @@
 import "@goauthentik/admin/applications/wizard/ak-wizard-title";
 import "@goauthentik/admin/common/ak-crypto-certificate-search";
 import "@goauthentik/admin/common/ak-flow-search/ak-branded-flow-search";
-import { renderForm } from "@goauthentik/admin/providers/radius/RadiusProviderFormForm.js";
+import { ascii_letters, digits, first, randomString } from "@goauthentik/common/utils";
 import "@goauthentik/components/ak-text-input";
 import { WithBrandConfig } from "@goauthentik/elements/Interface/brandProvider";
 import "@goauthentik/elements/forms/FormGroup";
@ -10,21 +10,91 @@ import "@goauthentik/elements/forms/HorizontalFormElement";
 import { msg } from "@lit/localize";
 import { customElement } from "@lit/reactive-element/decorators.js";
 import { html } from "lit";
+import { ifDefined } from "lit/directives/if-defined.js";

-import { RadiusProvider } from "@goauthentik/api";
+import { FlowsInstancesListDesignationEnum, RadiusProvider } from "@goauthentik/api";

 import BaseProviderPanel from "../BaseProviderPanel";

@customElement("ak-application-wizard-authentication-by-radius")
 export class ApplicationWizardAuthenticationByRadius extends WithBrandConfig(BaseProviderPanel) {
    render() {
+        const provider = this.wizard.provider as RadiusProvider | undefined;
+        const errors = this.wizard.errors.provider;
+
        return html`<ak-wizard-title>${msg("Configure Radius Provider")}</ak-wizard-title>
            <form class="pf-c-form pf-m-horizontal" @input=${this.handleChange}>
-                ${renderForm(
-                    this.wizard.provider as RadiusProvider | undefined,
-                    this.wizard.errors.provider,
-                    this.brand,
-                )}
+                <ak-text-input
+                    name="name"
+                    label=${msg("Name")}
+                    value=${ifDefined(provider?.name)}
+                    .errorMessages=${errors?.name ?? []}
+                    required
+                >
+                </ak-text-input>
+
+                <ak-form-element-horizontal
+                    label=${msg("Authentication flow")}
+                    ?required=${true}
+                    name="authorizationFlow"
+                    .errorMessages=${errors?.authorizationFlow ?? []}
+                >
+                    <ak-branded-flow-search
+                        flowType=${FlowsInstancesListDesignationEnum.Authentication}
+                        .currentFlow=${provider?.authorizationFlow}
+                        .brandFlow=${this.brand.flowAuthentication}
+                        required
+                    ></ak-branded-flow-search>
+                    <p class="pf-c-form__helper-text">
+                        ${msg("Flow used for users to authenticate.")}
+                    </p>
+                </ak-form-element-horizontal>
+
+                <ak-form-group expanded>
+                    <span slot="header"> ${msg("Protocol settings")} </span>
+                    <div slot="body" class="pf-c-form">
+                        <ak-text-input
+                            name="sharedSecret"
+                            label=${msg("Shared secret")}
+                            .errorMessages=${errors?.sharedSecret ?? []}
+                            value=${first(
+                                provider?.sharedSecret,
+                                randomString(128, ascii_letters + digits),
+                            )}
+                            required
+                        ></ak-text-input>
+                        <ak-text-input
+                            name="clientNetworks"
+                            label=${msg("Client Networks")}
+                            value=${first(provider?.clientNetworks, "0.0.0.0/0, ::/0")}
+                            .errorMessages=${errors?.clientNetworks ?? []}
+                            required
+                            help=${msg(`List of CIDRs (comma-seperated) that clients can connect from. A more specific
+                            CIDR will match before a looser one. Clients connecting from a non-specified CIDR
+                            will be dropped.`)}
+                        ></ak-text-input>
+                    </div>
+                </ak-form-group>
+                <ak-form-group>
+                    <span slot="header"> ${msg("Advanced flow settings")} </span>
+                    <div slot="body" class="pf-c-form">
+                        <ak-form-element-horizontal
+                            label=${msg("Invalidation flow")}
+                            name="invalidationFlow"
+                            required
+                        >
+                            <ak-flow-search
+                                flowType=${FlowsInstancesListDesignationEnum.Invalidation}
+                                .currentFlow=${provider?.invalidationFlow}
+                                defaultFlowSlug="default-provider-invalidation-flow"
+                                required
+                            ></ak-flow-search>
+                            <p class="pf-c-form__helper-text">
+                                ${msg("Flow used when logging out of this provider.")}
+                            </p>
+                        </ak-form-element-horizontal>
+                    </div></ak-form-group
+                >
            </form>`;
    }
 }
--- a/web/src/admin/applications/wizard/methods/saml/ak-application-wizard-authentication-by-saml-configuration.ts
+++ b/web/src/admin/applications/wizard/methods/saml/ak-application-wizard-authentication-by-saml-configuration.ts
@ -1,35 +1,356 @@
+import "@goauthentik/admin/applications/wizard/ak-wizard-title";
+import "@goauthentik/admin/applications/wizard/ak-wizard-title";
+import "@goauthentik/admin/common/ak-crypto-certificate-search";
 import AkCryptoCertificateSearch from "@goauthentik/admin/common/ak-crypto-certificate-search";
-import { renderForm } from "@goauthentik/admin/providers/saml/SAMLProviderFormForm.js";
+import "@goauthentik/admin/common/ak-flow-search/ak-branded-flow-search";
+import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import { first } from "@goauthentik/common/utils";
+import "@goauthentik/components/ak-multi-select";
+import "@goauthentik/components/ak-number-input";
+import "@goauthentik/components/ak-radio-input";
+import "@goauthentik/components/ak-switch-input";
+import "@goauthentik/components/ak-text-input";
+import "@goauthentik/elements/forms/FormGroup";
+import "@goauthentik/elements/forms/HorizontalFormElement";

 import { msg } from "@lit/localize";
 import { customElement, state } from "@lit/reactive-element/decorators.js";
-import { html } from "lit";
+import { html, nothing } from "lit";
+import { ifDefined } from "lit/directives/if-defined.js";

-import { SAMLProvider } from "@goauthentik/api";
+import {
+    FlowsInstancesListDesignationEnum,
+    PaginatedSAMLPropertyMappingList,
+    PropertymappingsApi,
+    SAMLProvider,
+} from "@goauthentik/api";

 import BaseProviderPanel from "../BaseProviderPanel";
+import {
+    digestAlgorithmOptions,
+    signatureAlgorithmOptions,
+    spBindingOptions,
+} from "./SamlProviderOptions";
 import "./saml-property-mappings-search";

@customElement("ak-application-wizard-authentication-by-saml-configuration")
 export class ApplicationWizardProviderSamlConfiguration extends BaseProviderPanel {
+    @state()
+    propertyMappings?: PaginatedSAMLPropertyMappingList;
+
    @state()
    hasSigningKp = false;

+    constructor() {
+        super();
+        new PropertymappingsApi(DEFAULT_CONFIG)
+            .propertymappingsProviderSamlList({
+                ordering: "saml_name",
+            })
+            .then((propertyMappings: PaginatedSAMLPropertyMappingList) => {
+                this.propertyMappings = propertyMappings;
+            });
+    }
+
+    propertyMappingConfiguration(provider?: SAMLProvider) {
+        const propertyMappings = this.propertyMappings?.results ?? [];
+
+        const configuredMappings = (providerMappings: string[]) =>
+            propertyMappings.map((pm) => pm.pk).filter((pmpk) => providerMappings.includes(pmpk));
+
+        const managedMappings = () =>
+            propertyMappings
+                .filter((pm) => (pm?.managed ?? "").startsWith("goauthentik.io/providers/saml"))
+                .map((pm) => pm.pk);
+
+        const pmValues = provider?.propertyMappings
+            ? configuredMappings(provider?.propertyMappings ?? [])
+            : managedMappings();
+
+        const propertyPairs = propertyMappings.map((pm) => [pm.pk, pm.name]);
+
+        return { pmValues, propertyPairs };
+    }
+
    render() {
-        const setHasSigningKp = (ev: InputEvent) => {
-            const target = ev.target as AkCryptoCertificateSearch;
-            if (!target) return;
-            this.hasSigningKp = !!target.selectedKeypair;
-        };
+        const provider = this.wizard.provider as SAMLProvider | undefined;
+        const errors = this.wizard.errors.provider;
+
+        const { pmValues, propertyPairs } = this.propertyMappingConfiguration(provider);

        return html` <ak-wizard-title>${msg("Configure SAML Provider")}</ak-wizard-title>
            <form class="pf-c-form pf-m-horizontal" @input=${this.handleChange}>
-                ${renderForm(
-                    (this.wizard.provider as SAMLProvider) ?? {},
-                    this.wizard.errors.provider,
-                    setHasSigningKp,
-                    this.hasSigningKp,
-                )}
+                <ak-text-input
+                    name="name"
+                    value=${ifDefined(provider?.name)}
+                    required
+                    label=${msg("Name")}
+                    .errorMessages=${errors?.name ?? []}
+                ></ak-text-input>
+
+                <ak-form-element-horizontal
+                    label=${msg("Authorization flow")}
+                    ?required=${true}
+                    name="authorizationFlow"
+                    .errorMessages=${errors?.authorizationFlow ?? []}
+                >
+                    <ak-flow-search
+                        flowType=${FlowsInstancesListDesignationEnum.Authorization}
+                        .currentFlow=${provider?.authorizationFlow}
+                        required
+                    ></ak-flow-search>
+                    <p class="pf-c-form__helper-text">
+                        ${msg("Flow used when authorizing this provider.")}
+                    </p>
+                </ak-form-element-horizontal>
+
+                <ak-form-group .expanded=${true}>
+                    <span slot="header"> ${msg("Protocol settings")} </span>
+                    <div slot="body" class="pf-c-form">
+                        <ak-text-input
+                            name="acsUrl"
+                            value=${ifDefined(provider?.acsUrl)}
+                            required
+                            label=${msg("ACS URL")}
+                            .errorMessages=${errors?.acsUrl ?? []}
+                        ></ak-text-input>
+
+                        <ak-text-input
+                            name="issuer"
+                            value=${provider?.issuer || "authentik"}
+                            required
+                            label=${msg("Issuer")}
+                            help=${msg("Also known as EntityID.")}
+                            .errorMessages=${errors?.issuer ?? []}
+                        ></ak-text-input>
+
+                        <ak-radio-input
+                            name="spBinding"
+                            label=${msg("Service Provider Binding")}
+                            required
+                            .options=${spBindingOptions}
+                            .value=${provider?.spBinding}
+                            help=${msg(
+                                "Determines how authentik sends the response back to the Service Provider.",
+                            )}
+                        >
+                        </ak-radio-input>
+
+                        <ak-text-input
+                            name="audience"
+                            value=${ifDefined(provider?.audience)}
+                            label=${msg("Audience")}
+                            .errorMessages=${errors?.audience ?? []}
+                        ></ak-text-input>
+                    </div>
+                </ak-form-group>
+
+                <ak-form-group>
+                    <span slot="header"> ${msg("Advanced flow settings")}</span>
+                    <div slot="body" class="pf-c-form">
+                        <ak-form-element-horizontal
+                            name="authenticationFlow"
+                            label=${msg("Authentication flow")}
+                        >
+                            <ak-flow-search
+                                flowType=${FlowsInstancesListDesignationEnum.Authentication}
+                                .currentFlow=${provider?.authenticationFlow}
+                            ></ak-flow-search>
+                            <p class="pf-c-form__helper-text">
+                                ${msg(
+                                    "Flow used when a user access this provider and is not authenticated.",
+                                )}
+                            </p>
+                        </ak-form-element-horizontal>
+                        <ak-form-element-horizontal
+                            label=${msg("Invalidation flow")}
+                            name="invalidationFlow"
+                            required
+                        >
+                            <ak-flow-search
+                                flowType=${FlowsInstancesListDesignationEnum.Invalidation}
+                                .currentFlow=${provider?.invalidationFlow}
+                                defaultFlowSlug="default-provider-invalidation-flow"
+                                required
+                            ></ak-flow-search>
+                            <p class="pf-c-form__helper-text">
+                                ${msg("Flow used when logging out of this provider.")}
+                            </p>
+                        </ak-form-element-horizontal>
+                    </div>
+                </ak-form-group>
+                <ak-form-group>
+                    <span slot="header"> ${msg("Advanced protocol settings")} </span>
+                    <div slot="body" class="pf-c-form">
+                        <ak-form-element-horizontal
+                            label=${msg("Signing Certificate")}
+                            name="signingKp"
+                        >
+                            <ak-crypto-certificate-search
+                                certificate=${ifDefined(provider?.signingKp ?? undefined)}
+                                @input=${(ev: InputEvent) => {
+                                    const target = ev.target as AkCryptoCertificateSearch;
+                                    if (!target) return;
+                                    this.hasSigningKp = !!target.selectedKeypair;
+                                }}
+                            ></ak-crypto-certificate-search>
+                            <p class="pf-c-form__helper-text">
+                                ${msg(
+                                    "Certificate used to sign outgoing Responses going to the Service Provider.",
+                                )}
+                            </p>
+                        </ak-form-element-horizontal>
+                        ${this.hasSigningKp
+                            ? html` <ak-form-element-horizontal name="signAssertion">
+                                      <label class="pf-c-switch">
+                                          <input
+                                              class="pf-c-switch__input"
+                                              type="checkbox"
+                                              ?checked=${first(provider?.signAssertion, true)}
+                                          />
+                                          <span class="pf-c-switch__toggle">
+                                              <span class="pf-c-switch__toggle-icon">
+                                                  <i class="fas fa-check" aria-hidden="true"></i>
+                                              </span>
+                                          </span>
+                                          <span class="pf-c-switch__label"
+                                              >${msg("Sign assertions")}</span
+                                          >
+                                      </label>
+                                      <p class="pf-c-form__helper-text">
+                                          ${msg(
+                                              "When enabled, the assertion element of the SAML response will be signed.",
+                                          )}
+                                      </p>
+                                  </ak-form-element-horizontal>
+                                  <ak-form-element-horizontal name="signResponse">
+                                      <label class="pf-c-switch">
+                                          <input
+                                              class="pf-c-switch__input"
+                                              type="checkbox"
+                                              ?checked=${first(provider?.signResponse, false)}
+                                          />
+                                          <span class="pf-c-switch__toggle">
+                                              <span class="pf-c-switch__toggle-icon">
+                                                  <i class="fas fa-check" aria-hidden="true"></i>
+                                              </span>
+                                          </span>
+                                          <span class="pf-c-switch__label"
+                                              >${msg("Sign responses")}</span
+                                          >
+                                      </label>
+                                      <p class="pf-c-form__helper-text">
+                                          ${msg(
+                                              "When enabled, the assertion element of the SAML response will be signed.",
+                                          )}
+                                      </p>
+                                  </ak-form-element-horizontal>`
+                            : nothing}
+
+                        <ak-form-element-horizontal
+                            label=${msg("Verification Certificate")}
+                            name="verificationKp"
+                        >
+                            <ak-crypto-certificate-search
+                                certificate=${ifDefined(provider?.verificationKp ?? undefined)}
+                                nokey
+                            ></ak-crypto-certificate-search>
+                            <p class="pf-c-form__helper-text">
+                                ${msg(
+                                    "When selected, incoming assertion's Signatures will be validated against this certificate. To allow unsigned Requests, leave on default.",
+                                )}
+                            </p>
+                        </ak-form-element-horizontal>
+
+                        <ak-form-element-horizontal
+                            label=${msg("Encryption Certificate")}
+                            name="encryptionKp"
+                        >
+                            <ak-crypto-certificate-search
+                                certificate=${ifDefined(provider?.encryptionKp ?? undefined)}
+                            ></ak-crypto-certificate-search>
+                            <p class="pf-c-form__helper-text">
+                                ${msg(
+                                    "When selected, encrypted assertions will be decrypted using this keypair.",
+                                )}
+                            </p>
+                        </ak-form-element-horizontal>
+
+                        <ak-multi-select
+                            label=${msg("Property Mappings")}
+                            name="propertyMappings"
+                            .options=${propertyPairs}
+                            .values=${pmValues}
+                            .richhelp=${html` <p class="pf-c-form__helper-text">
+                                ${msg("Property mappings used for user mapping.")}
+                            </p>`}
+                        ></ak-multi-select>
+
+                        <ak-form-element-horizontal
+                            label=${msg("NameID Property Mapping")}
+                            name="nameIdMapping"
+                        >
+                            <ak-saml-property-mapping-search
+                                name="nameIdMapping"
+                                propertymapping=${ifDefined(provider?.nameIdMapping ?? undefined)}
+                            ></ak-saml-property-mapping-search>
+                            <p class="pf-c-form__helper-text">
+                                ${msg(
+                                    "Configure how the NameID value will be created. When left empty, the NameIDPolicy of the incoming request will be respected.",
+                                )}
+                            </p>
+                        </ak-form-element-horizontal>
+
+                        <ak-text-input
+                            name="assertionValidNotBefore"
+                            value=${provider?.assertionValidNotBefore || "minutes=-5"}
+                            required
+                            label=${msg("Assertion valid not before")}
+                            help=${msg(
+                                "Configure the maximum allowed time drift for an assertion.",
+                            )}
+                            .errorMessages=${errors?.assertionValidNotBefore ?? []}
+                        ></ak-text-input>
+
+                        <ak-text-input
+                            name="assertionValidNotOnOrAfter"
+                            value=${provider?.assertionValidNotOnOrAfter || "minutes=5"}
+                            required
+                            label=${msg("Assertion valid not on or after")}
+                            help=${msg(
+                                "Assertion not valid on or after current time + this value.",
+                            )}
+                            .errorMessages=${errors?.assertionValidNotOnOrAfter ?? []}
+                        ></ak-text-input>
+
+                        <ak-text-input
+                            name="sessionValidNotOnOrAfter"
+                            value=${provider?.sessionValidNotOnOrAfter || "minutes=86400"}
+                            required
+                            label=${msg("Session valid not on or after")}
+                            help=${msg("Session not valid on or after current time + this value.")}
+                            .errorMessages=${errors?.sessionValidNotOnOrAfter ?? []}
+                        ></ak-text-input>
+
+                        <ak-radio-input
+                            name="digestAlgorithm"
+                            label=${msg("Digest algorithm")}
+                            required
+                            .options=${digestAlgorithmOptions}
+                            .value=${provider?.digestAlgorithm}
+                        >
+                        </ak-radio-input>
+
+                        <ak-radio-input
+                            name="signatureAlgorithm"
+                            label=${msg("Signature algorithm")}
+                            required
+                            .options=${signatureAlgorithmOptions}
+                            .value=${provider?.signatureAlgorithm}
+                        >
+                        </ak-radio-input>
+                    </div>
+                </ak-form-group>
            </form>`;
    }
 }
--- a/web/src/admin/applications/wizard/methods/scim/ak-application-wizard-authentication-by-scim.ts
+++ b/web/src/admin/applications/wizard/methods/scim/ak-application-wizard-authentication-by-scim.ts
@ -1,10 +1,21 @@
-import { renderForm } from "@goauthentik/admin/providers/scim/SCIMProviderFormForm.js";
+import "@goauthentik/admin/applications/wizard/ak-wizard-title";
+import "@goauthentik/admin/common/ak-core-group-search";
+import "@goauthentik/admin/common/ak-crypto-certificate-search";
+import "@goauthentik/admin/common/ak-flow-search/ak-branded-flow-search";
+import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import { first } from "@goauthentik/common/utils";
+import "@goauthentik/components/ak-multi-select";
+import "@goauthentik/components/ak-switch-input";
+import "@goauthentik/components/ak-text-input";
+import "@goauthentik/elements/forms/FormGroup";
+import "@goauthentik/elements/forms/HorizontalFormElement";

 import { msg } from "@lit/localize";
 import { customElement, state } from "@lit/reactive-element/decorators.js";
 import { html } from "lit";
+import { ifDefined } from "lit/directives/if-defined.js";

-import { PaginatedSCIMMappingList, type SCIMProvider } from "@goauthentik/api";
+import { PaginatedSCIMMappingList, PropertymappingsApi, type SCIMProvider } from "@goauthentik/api";

 import BaseProviderPanel from "../BaseProviderPanel";

@ -15,15 +26,125 @@ export class ApplicationWizardAuthenticationBySCIM extends BaseProviderPanel {

    constructor() {
        super();
+        new PropertymappingsApi(DEFAULT_CONFIG)
+            .propertymappingsProviderScimList({
+                ordering: "managed",
+            })
+            .then((propertyMappings: PaginatedSCIMMappingList) => {
+                this.propertyMappings = propertyMappings;
+            });
+    }
+
+    propertyMappingConfiguration(provider?: SCIMProvider) {
+        const propertyMappings = this.propertyMappings?.results ?? [];
+
+        const configuredMappings = (providerMappings: string[]) =>
+            propertyMappings.map((pm) => pm.pk).filter((pmpk) => providerMappings.includes(pmpk));
+
+        const managedMappings = (key: string) =>
+            propertyMappings
+                .filter((pm) => pm.managed === `goauthentik.io/providers/scim/${key}`)
+                .map((pm) => pm.pk);
+
+        const pmUserValues = provider?.propertyMappings
+            ? configuredMappings(provider?.propertyMappings ?? [])
+            : managedMappings("user");
+
+        const pmGroupValues = provider?.propertyMappingsGroup
+            ? configuredMappings(provider?.propertyMappingsGroup ?? [])
+            : managedMappings("group");
+
+        const propertyPairs = propertyMappings.map((pm) => [pm.pk, pm.name]);
+
+        return { pmUserValues, pmGroupValues, propertyPairs };
    }

    render() {
+        const provider = this.wizard.provider as SCIMProvider | undefined;
+        const errors = this.wizard.errors.provider;
+
+        const { pmUserValues, pmGroupValues, propertyPairs } =
+            this.propertyMappingConfiguration(provider);
+
        return html`<ak-wizard-title>${msg("Configure SCIM Provider")}</ak-wizard-title>
            <form class="pf-c-form pf-m-horizontal" @input=${this.handleChange}>
-                ${renderForm(
-                    (this.wizard.provider as SCIMProvider) ?? {},
-                    this.wizard.errors.provider,
-                )}
+                <ak-text-input
+                    name="name"
+                    label=${msg("Name")}
+                    value=${ifDefined(provider?.name)}
+                    .errorMessages=${errors?.name ?? []}
+                    required
+                ></ak-text-input>
+                <ak-form-group expanded>
+                    <span slot="header"> ${msg("Protocol settings")} </span>
+                    <div slot="body" class="pf-c-form">
+                        <ak-text-input
+                            name="url"
+                            label=${msg("URL")}
+                            value="${first(provider?.url, "")}"
+                            required
+                            help=${msg("SCIM base url, usually ends in /v2.")}
+                            .errorMessages=${errors?.url ?? []}
+                        >
+                        </ak-text-input>
+                        <ak-text-input
+                            name="token"
+                            label=${msg("Token")}
+                            value="${first(provider?.token, "")}"
+                            .errorMessages=${errors?.token ?? []}
+                            required
+                            help=${msg(
+                                "Token to authenticate with. Currently only bearer authentication is supported.",
+                            )}
+                        >
+                        </ak-text-input>
+                    </div>
+                </ak-form-group>
+                <ak-form-group expanded>
+                    <span slot="header">${msg("User filtering")}</span>
+                    <div slot="body" class="pf-c-form">
+                        <ak-switch-input
+                            name="excludeUsersServiceAccount"
+                            ?checked=${first(provider?.excludeUsersServiceAccount, true)}
+                            label=${msg("Exclude service accounts")}
+                        ></ak-switch-input>
+                        <ak-form-element-horizontal label=${msg("Group")} name="filterGroup">
+                            <ak-core-group-search
+                                .group=${provider?.filterGroup}
+                            ></ak-core-group-search>
+                            <p class="pf-c-form__helper-text">
+                                ${msg("Only sync users within the selected group.")}
+                            </p>
+                        </ak-form-element-horizontal>
+                    </div>
+                </ak-form-group>
+                <ak-form-group ?expanded=${true}>
+                    <span slot="header"> ${msg("Attribute mapping")} </span>
+                    <div slot="body" class="pf-c-form">
+                        <ak-multi-select
+                            label=${msg("User Property Mappings")}
+                            name="propertyMappings"
+                            .options=${propertyPairs}
+                            .values=${pmUserValues}
+                            .richhelp=${html`
+                                <p class="pf-c-form__helper-text">
+                                    ${msg("Property mappings used for user mapping.")}
+                                </p>
+                            `}
+                        ></ak-multi-select>
+                        <ak-multi-select
+                            label=${msg("Group Property Mappings")}
+                            name="propertyMappingsGroup"
+                            .options=${propertyPairs}
+                            .values=${pmGroupValues}
+                            .richhelp=${html`
+                                <p class="pf-c-form__helper-text">
+                                    ${msg("Property mappings used for group creation.")}
+                                </p>
+                            `}
+                        ></ak-multi-select>
+                    </div>
+                </ak-form-group>
            </form>`;
    }
 }
--- a/web/src/admin/applications/wizard/types.ts
+++ b/web/src/admin/applications/wizard/types.ts
@ -5,7 +5,6 @@ import {
    type LDAPProviderRequest,
    type OAuth2ProviderRequest,
    type ProvidersSamlImportMetadataCreateRequest,
-    ProxyMode,
    type ProxyProviderRequest,
    type RACProviderRequest,
    type RadiusProviderRequest,
@ -28,7 +27,6 @@ export interface ApplicationWizardState {
    providerModel: string;
    app: Partial<ApplicationRequest>;
    provider: OneOfProvider;
-    proxyMode?: ProxyMode;
    errors: ValidationError;
 }

--- a/web/src/admin/common/ak-crypto-certificate-search.ts
+++ b/web/src/admin/common/ak-crypto-certificate-search.ts
@ -5,8 +5,8 @@ import "@goauthentik/elements/forms/SearchSelect";
 import { CustomListenerElement } from "@goauthentik/elements/utils/eventEmitter";

 import { html } from "lit";
-import { customElement, property, query } from "lit/decorators.js";
-import { ifDefined } from "lit/directives/if-defined.js";
+import { customElement } from "lit/decorators.js";
+import { property, query } from "lit/decorators.js";

 import {
    CertificateKeyPair,
@ -114,7 +114,6 @@ export class AkCryptoCertificateSearch extends CustomListenerElement(AKElement)
    render() {
        return html`
            <ak-search-select
-                name=${ifDefined(this.name ?? undefined)}
                .fetchObjects=${this.fetchObjects}
                .renderElement=${renderElement}
                .value=${renderValue}
--- a/web/src/admin/common/ak-flow-search/FlowSearch.ts
+++ b/web/src/admin/common/ak-flow-search/FlowSearch.ts
@ -7,7 +7,6 @@ import { CustomListenerElement } from "@goauthentik/elements/utils/eventEmitter"

 import { html } from "lit";
 import { property, query } from "lit/decorators.js";
-import { ifDefined } from "lit/directives/if-defined.js";

 import { FlowsApi, FlowsInstancesListDesignationEnum } from "@goauthentik/api";
 import type { Flow, FlowsInstancesListRequest } from "@goauthentik/api";
@ -134,7 +133,7 @@ export class FlowSearch<T extends Flow> extends CustomListenerElement(AKElement)
                .renderElement=${renderElement}
                .renderDescription=${renderDescription}
                .value=${getFlowValue}
-                name=${ifDefined(this.name ?? undefined)}
+                .name=${this.name}
                @ak-change=${this.handleSearchUpdate}
                ?blankable=${!this.required}
            >
--- a/web/src/admin/groups/RelatedUserList.ts
+++ b/web/src/admin/groups/RelatedUserList.ts
@ -1,11 +1,9 @@
 import "@goauthentik/admin/users/ServiceAccountForm";
 import "@goauthentik/admin/users/UserActiveForm";
 import "@goauthentik/admin/users/UserForm";
-import "@goauthentik/admin/users/UserImpersonateForm";
 import "@goauthentik/admin/users/UserPasswordForm";
 import "@goauthentik/admin/users/UserResetEmailForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
-import { PFSize } from "@goauthentik/common/enums.js";
 import { MessageLevel } from "@goauthentik/common/messages";
 import { me } from "@goauthentik/common/users";
 import { getRelativeTime } from "@goauthentik/common/utils";
@ -215,22 +213,21 @@ export class RelatedUserList extends WithBrandConfig(WithCapabilitiesConfig(Tabl
                </ak-forms-modal>
                ${canImpersonate
                    ? html`
-                          <ak-forms-modal size=${PFSize.Medium} id="impersonate-request">
-                              <span slot="submit">${msg("Impersonate")}</span>
-                              <span slot="header">${msg("Impersonate")} ${item.username}</span>
-                              <ak-user-impersonate-form
-                                  slot="form"
-                                  .instancePk=${item.pk}
-                              ></ak-user-impersonate-form>
-                              <button slot="trigger" class="pf-c-button pf-m-tertiary">
-                                  <pf-tooltip
-                                      position="top"
-                                      content=${msg("Temporarily assume the identity of this user")}
-                                  >
-                                      <span>${msg("Impersonate")}</span>
-                                  </pf-tooltip>
-                              </button>
-                          </ak-forms-modal>
+                          <ak-action-button
+                              class="pf-m-tertiary"
+                              .apiRequest=${() => {
+                                  return new CoreApi(DEFAULT_CONFIG)
+                                      .coreUsersImpersonateCreate({
+                                          id: item.pk,
+                                          impersonationRequest: { reason: "" },
+                                      })
+                                      .then(() => {
+                                          window.location.href = "/";
+                                      });
+                              }}
+                          >
+                              ${msg("Impersonate")}
+                          </ak-action-button>
                      `
                    : html``}`,
        ];
--- a/web/src/admin/providers/ProviderWizard.ts
+++ b/web/src/admin/providers/ProviderWizard.ts
@ -43,11 +43,8 @@ export class ProviderWizard extends AKElement {
    @query("ak-wizard")
    wizard?: Wizard;

-    connectedCallback() {
-        super.connectedCallback();
-        new ProvidersApi(DEFAULT_CONFIG).providersAllTypesList().then((providerTypes) => {
-            this.providerTypes = providerTypes;
-        });
+    async firstUpdated(): Promise<void> {
+        this.providerTypes = await new ProvidersApi(DEFAULT_CONFIG).providersAllTypesList();
    }

    render(): TemplateResult {
@ -61,7 +58,6 @@ export class ProviderWizard extends AKElement {
                }}
            >
                <ak-wizard-page-type-create
-                    name="selectProviderType"
                    slot="initial"
                    layout=${TypeCreateWizardPageLayouts.grid}
                    .types=${this.providerTypes}
--- a/web/src/admin/providers/ldap/LDAPProviderForm.ts
+++ b/web/src/admin/providers/ldap/LDAPProviderForm.ts
@ -2,17 +2,24 @@ import "@goauthentik/admin/common/ak-crypto-certificate-search";
 import "@goauthentik/admin/common/ak-flow-search/ak-branded-flow-search";
 import { BaseProviderForm } from "@goauthentik/admin/providers/BaseProviderForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import { first } from "@goauthentik/common/utils";
 import { WithBrandConfig } from "@goauthentik/elements/Interface/brandProvider";
 import "@goauthentik/elements/forms/FormGroup";
 import "@goauthentik/elements/forms/HorizontalFormElement";
 import "@goauthentik/elements/forms/Radio";
 import "@goauthentik/elements/forms/SearchSelect";

+import { msg } from "@lit/localize";
+import { TemplateResult, html } from "lit";
 import { customElement } from "lit/decorators.js";
+import { ifDefined } from "lit/directives/if-defined.js";

-import { LDAPProvider, ProvidersApi } from "@goauthentik/api";
-
-import { renderForm } from "./LDAPProviderFormForm.js";
+import {
+    FlowsInstancesListDesignationEnum,
+    LDAPAPIAccessMode,
+    LDAPProvider,
+    ProvidersApi,
+} from "@goauthentik/api";

@customElement("ak-provider-ldap-form")
 export class LDAPProviderFormPage extends WithBrandConfig(BaseProviderForm<LDAPProvider>) {
@ -35,8 +42,211 @@ export class LDAPProviderFormPage extends WithBrandConfig(BaseProviderForm<LDAPP
        }
    }

-    renderForm() {
-        return renderForm(this.instance ?? {}, [], this.brand);
+    // All Provider objects have an Authorization flow, but not all providers have an Authentication
+    // flow. LDAP needs only one field, but it is not an Authorization field, it is an
+    // Authentication field. So, yeah, we're using the authorization field to store the
+    // authentication information, which is why the ak-branded-flow-search call down there looks so
+    // weird-- we're looking up Authentication flows, but we're storing them in the Authorization
+    // field of the target Provider.
+    renderForm(): TemplateResult {
+        return html` <ak-form-element-horizontal label=${msg("Name")} ?required=${true} name="name">
+                <input
+                    type="text"
+                    value="${ifDefined(this.instance?.name)}"
+                    class="pf-c-form-control"
+                    required
+                />
+            </ak-form-element-horizontal>
+            <ak-form-element-horizontal label=${msg("Bind mode")} name="bindMode">
+                <ak-radio
+                    .options=${[
+                        {
+                            label: msg("Cached binding"),
+                            value: LDAPAPIAccessMode.Cached,
+                            default: true,
+                            description: html`${msg(
+                                "Flow is executed and session is cached in memory. Flow is executed when session expires",
+                            )}`,
+                        },
+                        {
+                            label: msg("Direct binding"),
+                            value: LDAPAPIAccessMode.Direct,
+                            description: html`${msg(
+                                "Always execute the configured bind flow to authenticate the user",
+                            )}`,
+                        },
+                    ]}
+                    .value=${this.instance?.bindMode}
+                >
+                </ak-radio>
+                <p class="pf-c-form__helper-text">
+                    ${msg("Configure how the outpost authenticates requests.")}
+                </p>
+            </ak-form-element-horizontal>
+            <ak-form-element-horizontal label=${msg("Search mode")} name="searchMode">
+                <ak-radio
+                    .options=${[
+                        {
+                            label: msg("Cached querying"),
+                            value: LDAPAPIAccessMode.Cached,
+                            default: true,
+                            description: html`${msg(
+                                "The outpost holds all users and groups in-memory and will refresh every 5 Minutes",
+                            )}`,
+                        },
+                        {
+                            label: msg("Direct querying"),
+                            value: LDAPAPIAccessMode.Direct,
+                            description: html`${msg(
+                                "Always returns the latest data, but slower than cached querying",
+                            )}`,
+                        },
+                    ]}
+                    .value=${this.instance?.searchMode}
+                >
+                </ak-radio>
+                <p class="pf-c-form__helper-text">
+                    ${msg("Configure how the outpost queries the core authentik server's users.")}
+                </p>
+            </ak-form-element-horizontal>
+            <ak-form-element-horizontal name="mfaSupport">
+                <label class="pf-c-switch">
+                    <input
+                        class="pf-c-switch__input"
+                        type="checkbox"
+                        ?checked=${first(this.instance?.mfaSupport, true)}
+                    />
+                    <span class="pf-c-switch__toggle">
+                        <span class="pf-c-switch__toggle-icon">
+                            <i class="fas fa-check" aria-hidden="true"></i>
+                        </span>
+                    </span>
+                    <span class="pf-c-switch__label">${msg("Code-based MFA Support")}</span>
+                </label>
+                <p class="pf-c-form__helper-text">
+                    ${msg(
+                        "When enabled, code-based multi-factor authentication can be used by appending a semicolon and the TOTP code to the password. This should only be enabled if all users that will bind to this provider have a TOTP device configured, as otherwise a password may incorrectly be rejected if it contains a semicolon.",
+                    )}
+                </p>
+            </ak-form-element-horizontal>
+
+            <ak-form-group expanded>
+                <span slot="header"> ${msg("Flow settings")} </span>
+                <div slot="body" class="pf-c-form">
+                    <ak-form-element-horizontal
+                        label=${msg("Bind flow")}
+                        name="authorizationFlow"
+                        required
+                    >
+                        <ak-branded-flow-search
+                            flowType=${FlowsInstancesListDesignationEnum.Authentication}
+                            .currentFlow=${this.instance?.authorizationFlow}
+                            .brandFlow=${this.brand?.flowAuthentication}
+                            required
+                        ></ak-branded-flow-search>
+                        <p class="pf-c-form__helper-text">
+                            ${msg("Flow used for users to authenticate.")}
+                        </p>
+                    </ak-form-element-horizontal>
+                    <ak-form-element-horizontal
+                        label=${msg("Unbind flow")}
+                        name="invalidationFlow"
+                        required
+                    >
+                        <ak-branded-flow-search
+                            flowType=${FlowsInstancesListDesignationEnum.Invalidation}
+                            .currentFlow=${this.instance?.invalidationFlow}
+                            .brandFlow=${this.brand.flowInvalidation}
+                            required
+                        ></ak-branded-flow-search>
+                        <p class="pf-c-form__helper-text">
+                            ${msg("Flow used for unbinding users.")}
+                        </p>
+                    </ak-form-element-horizontal>
+                </div>
+            </ak-form-group>
+            <ak-form-group .expanded=${true}>
+                <span slot="header"> ${msg("Protocol settings")} </span>
+                <div slot="body" class="pf-c-form">
+                    <ak-form-element-horizontal
+                        label=${msg("Base DN")}
+                        ?required=${true}
+                        name="baseDn"
+                    >
+                        <input
+                            type="text"
+                            value="${first(this.instance?.baseDn, "DC=ldap,DC=goauthentik,DC=io")}"
+                            class="pf-c-form-control"
+                            required
+                        />
+                        <p class="pf-c-form__helper-text">
+                            ${msg(
+                                "LDAP DN under which bind requests and search requests can be made.",
+                            )}
+                        </p>
+                    </ak-form-element-horizontal>
+                    <ak-form-element-horizontal label=${msg("Certificate")} name="certificate">
+                        <ak-crypto-certificate-search
+                            .certificate=${this.instance?.certificate}
+                        ></ak-crypto-certificate-search>
+                        <p class="pf-c-form__helper-text">
+                            ${msg(
+                                "The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.",
+                            )}
+                        </p>
+                    </ak-form-element-horizontal>
+                    <ak-form-element-horizontal
+                        label=${msg("TLS Server name")}
+                        name="tlsServerName"
+                    >
+                        <input
+                            type="text"
+                            value="${first(this.instance?.tlsServerName, "")}"
+                            class="pf-c-form-control"
+                            required
+                        />
+                        <p class="pf-c-form__helper-text">
+                            ${msg(
+                                "DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.",
+                            )}
+                        </p>
+                    </ak-form-element-horizontal>
+                    <ak-form-element-horizontal
+                        label=${msg("UID start number")}
+                        ?required=${true}
+                        name="uidStartNumber"
+                    >
+                        <input
+                            type="number"
+                            value="${first(this.instance?.uidStartNumber, 2000)}"
+                            class="pf-c-form-control"
+                            required
+                        />
+                        <p class="pf-c-form__helper-text">
+                            ${msg(
+                                "The start for uidNumbers, this number is added to the user.Pk to make sure that the numbers aren't too low for POSIX users. Default is 2000 to ensure that we don't collide with local users uidNumber",
+                            )}
+                        </p>
+                    </ak-form-element-horizontal>
+                    <ak-form-element-horizontal
+                        label=${msg("GID start number")}
+                        ?required=${true}
+                        name="gidStartNumber"
+                    >
+                        <input
+                            type="number"
+                            value="${first(this.instance?.gidStartNumber, 4000)}"
+                            class="pf-c-form-control"
+                            required
+                        />
+                        <p class="pf-c-form__helper-text">
+                            ${msg(
+                                "The start for gidNumbers, this number is added to a number generated from the group.Pk to make sure that the numbers aren't too low for POSIX groups. Default is 4000 to ensure that we don't collide with local groups or users primary groups gidNumber",
+                            )}
+                        </p>
+                    </ak-form-element-horizontal>
+                </div>
+            </ak-form-group>`;
    }
 }

--- a/web/src/admin/providers/ldap/LDAPProviderFormForm.ts
+++ b/web/src/admin/providers/ldap/LDAPProviderFormForm.ts
@ -1,178 +0,0 @@
-import "@goauthentik/admin/common/ak-crypto-certificate-search";
-import "@goauthentik/admin/common/ak-flow-search/ak-branded-flow-search";
-import "@goauthentik/admin/common/ak-flow-search/ak-flow-search";
-import "@goauthentik/components/ak-number-input";
-import "@goauthentik/components/ak-radio-input";
-import "@goauthentik/components/ak-text-input";
-import "@goauthentik/components/ak-textarea-input";
-import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
-import "@goauthentik/elements/ak-dual-select/ak-dual-select-provider.js";
-import "@goauthentik/elements/forms/FormGroup";
-import "@goauthentik/elements/forms/HorizontalFormElement";
-import "@goauthentik/elements/forms/Radio";
-import "@goauthentik/elements/forms/SearchSelect";
-import "@goauthentik/elements/utils/TimeDeltaHelp";
-
-import { msg } from "@lit/localize";
-import { html, nothing } from "lit";
-import { ifDefined } from "lit/directives/if-defined.js";
-
-import {
-    CurrentBrand,
-    FlowsInstancesListDesignationEnum,
-    LDAPProvider,
-    ValidationError,
-} from "@goauthentik/api";
-
-import {
-    bindModeOptions,
-    cryptoCertificateHelp,
-    gidStartNumberHelp,
-    mfaSupportHelp,
-    searchModeOptions,
-    tlsServerNameHelp,
-    uidStartNumberHelp,
-} from "./LDAPOptionsAndHelp.js";
-
-// All Provider objects have an Authorization flow, but not all providers have an Authentication
-// flow. LDAP needs only one field, but it is not an Authorization field, it is an Authentication
-// field. So, yeah, we're using the authorization field to store the authentication information,
-// which is why the ak-branded-flow-search call down there looks so weird-- we're looking up
-// Authentication flows, but we're storing them in the Authorization field of the target Provider.
-
-export function renderForm(
-    provider?: Partial<LDAPProvider>,
-    errors: ValidationError = {},
-    brand?: CurrentBrand,
-) {
-    return html`
-        <ak-text-input
-            name="name"
-            value=${ifDefined(provider?.name)}
-            label=${msg("Name")}
-            .errorMessages=${errors?.name ?? []}
-            required
-            help=${msg("Method's display Name.")}
-        ></ak-text-input>
-        <ak-radio-input
-            label=${msg("Bind mode")}
-            name="bindMode"
-            .options=${bindModeOptions}
-            .value=${provider?.bindMode}
-            help=${msg("Configure how the outpost authenticates requests.")}
-        >
-        </ak-radio-input>
-
-        <ak-radio-input
-            label=${msg("Search mode")}
-            name="searchMode"
-            .options=${searchModeOptions}
-            .value=${provider?.searchMode}
-            help=${msg("Configure how the outpost queries the core authentik server's users.")}
-        >
-        </ak-radio-input>
-
-        <ak-switch-input
-            name="mfaSupport"
-            label=${msg("Code-based MFA Support")}
-            ?checked=${provider?.mfaSupport ?? true}
-            help=${mfaSupportHelp}
-        >
-        </ak-switch-input>
-
-        <ak-form-group expanded>
-            <span slot="header"> ${msg("Flow settings")} </span>
-
-            <div slot="body" class="pf-c-form">
-                <ak-form-element-horizontal
-                    label=${msg("Bind flow")}
-                    ?required=${true}
-                    name="authorizationFlow"
-                    .errorMessages=${errors?.authorizationFlow ?? []}
-                >
-                    <ak-branded-flow-search
-                        flowType=${FlowsInstancesListDesignationEnum.Authentication}
-                        .currentFlow=${provider?.authorizationFlow}
-                        .brandFlow=${brand?.flowAuthentication}
-                        required
-                    ></ak-branded-flow-search>
-                    <p class="pf-c-form__helper-text">
-                        ${msg("Flow used for users to authenticate.")}
-                    </p>
-                </ak-form-element-horizontal>
-
-                <ak-form-element-horizontal
-                    label=${msg("Unbind flow")}
-                    name="invalidationFlow"
-                    required
-                >
-                    <ak-branded-flow-search
-                        flowType=${FlowsInstancesListDesignationEnum.Invalidation}
-                        .currentFlow=${provider?.invalidationFlow}
-                        .brandFlow=${brand?.flowInvalidation}
-                        defaultFlowSlug="default-invalidation-flow"
-                        .errorMessages=${errors?.invalidationFlow ?? []}
-                        required
-                    ></ak-branded-flow-search>
-                    <p class="pf-c-form__helper-text">${msg("Flow used for unbinding users.")}</p>
-                </ak-form-element-horizontal>
-            </div>
-        </ak-form-group>
-
-        <ak-form-group expanded>
-            <span slot="header"> ${msg("Protocol settings")} </span>
-            <div slot="body" class="pf-c-form">
-                <ak-text-input
-                    name="baseDn"
-                    label=${msg("Base DN")}
-                    required
-                    value="${provider?.baseDn ?? "DC=ldap,DC=goauthentik,DC=io"}"
-                    .errorMessages=${errors?.baseDn ?? []}
-                    help=${msg(
-                        "LDAP DN under which bind requests and search requests can be made.",
-                    )}
-                >
-                </ak-text-input>
-
-                <ak-form-element-horizontal
-                    label=${msg("Certificate")}
-                    name="certificate"
-                    .errorMessages=${errors?.certificate ?? []}
-                >
-                    <ak-crypto-certificate-search
-                        certificate=${ifDefined(provider?.certificate ?? nothing)}
-                        name="certificate"
-                    >
-                    </ak-crypto-certificate-search>
-                    <p class="pf-c-form__helper-text">${cryptoCertificateHelp}</p>
-                </ak-form-element-horizontal>
-
-                <ak-text-input
-                    label=${msg("TLS Server name")}
-                    name="tlsServerName"
-                    value="${provider?.tlsServerName ?? ""}"
-                    .errorMessages=${errors?.tlsServerName ?? []}
-                    help=${tlsServerNameHelp}
-                ></ak-text-input>
-
-                <ak-number-input
-                    label=${msg("UID start number")}
-                    required
-                    name="uidStartNumber"
-                    value="${provider?.uidStartNumber ?? 2000}"
-                    .errorMessages=${errors?.uidStartNumber ?? []}
-                    help=${uidStartNumberHelp}
-                ></ak-number-input>
-
-                <ak-number-input
-                    label=${msg("GID start number")}
-                    required
-                    name="gidStartNumber"
-                    value="${provider?.gidStartNumber ?? 4000}"
-                    .errorMessages=${errors?.gidStartNumber ?? []}
-                    help=${gidStartNumberHelp}
-                ></ak-number-input>
-            </div>
-        </ak-form-group>
-    `;
-}
--- a/web/src/admin/providers/oauth2/OAuth2ProviderForm.ts
+++ b/web/src/admin/providers/oauth2/OAuth2ProviderForm.ts
@ -1,5 +1,12 @@
+import "@goauthentik/admin/common/ak-crypto-certificate-search";
+import "@goauthentik/admin/common/ak-flow-search/ak-flow-search";
 import { BaseProviderForm } from "@goauthentik/admin/providers/BaseProviderForm";
+import {
+    IRedirectURIInput,
+    akOAuthRedirectURIInput,
+} from "@goauthentik/admin/providers/oauth2/OAuth2ProviderRedirectURI";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import { ascii_letters, digits, first, randomString } from "@goauthentik/common/utils";
 import "@goauthentik/components/ak-radio-input";
 import "@goauthentik/components/ak-text-input";
 import "@goauthentik/components/ak-textarea-input";
@ -12,12 +19,105 @@ import "@goauthentik/elements/forms/Radio";
 import "@goauthentik/elements/forms/SearchSelect";
 import "@goauthentik/elements/utils/TimeDeltaHelp";

-import { css } from "lit";
+import { msg } from "@lit/localize";
+import { TemplateResult, css, html } from "lit";
 import { customElement, state } from "lit/decorators.js";
+import { ifDefined } from "lit/directives/if-defined.js";

-import { ClientTypeEnum, OAuth2Provider, ProvidersApi } from "@goauthentik/api";
+import {
+    ClientTypeEnum,
+    FlowsInstancesListDesignationEnum,
+    IssuerModeEnum,
+    MatchingModeEnum,
+    OAuth2Provider,
+    ProvidersApi,
+    RedirectURI,
+    SubModeEnum,
+} from "@goauthentik/api";

-import { renderForm } from "./OAuth2ProviderFormForm.js";
+import {
+    makeOAuth2PropertyMappingsSelector,
+    oauth2PropertyMappingsProvider,
+} from "./OAuth2PropertyMappings.js";
+import { makeSourceSelector, oauth2SourcesProvider } from "./OAuth2Sources.js";
+
+export const clientTypeOptions = [
+    {
+        label: msg("Confidential"),
+        value: ClientTypeEnum.Confidential,
+        default: true,
+        description: html`${msg(
+            "Confidential clients are capable of maintaining the confidentiality of their credentials such as client secrets",
+        )}`,
+    },
+    {
+        label: msg("Public"),
+        value: ClientTypeEnum.Public,
+        description: html`${msg(
+            "Public clients are incapable of maintaining the confidentiality and should use methods like PKCE. ",
+        )}`,
+    },
+];
+
+export const subjectModeOptions = [
+    {
+        label: msg("Based on the User's hashed ID"),
+        value: SubModeEnum.HashedUserId,
+        default: true,
+    },
+    {
+        label: msg("Based on the User's ID"),
+        value: SubModeEnum.UserId,
+    },
+    {
+        label: msg("Based on the User's UUID"),
+        value: SubModeEnum.UserUuid,
+    },
+    {
+        label: msg("Based on the User's username"),
+        value: SubModeEnum.UserUsername,
+    },
+    {
+        label: msg("Based on the User's Email"),
+        value: SubModeEnum.UserEmail,
+        description: html`${msg("This is recommended over the UPN mode.")}`,
+    },
+    {
+        label: msg("Based on the User's UPN"),
+        value: SubModeEnum.UserUpn,
+        description: html`${msg(
+            "Requires the user to have a 'upn' attribute set, and falls back to hashed user ID. Use this mode only if you have different UPN and Mail domains.",
+        )}`,
+    },
+];
+
+export const issuerModeOptions = [
+    {
+        label: msg("Each provider has a different issuer, based on the application slug"),
+        value: IssuerModeEnum.PerProvider,
+        default: true,
+    },
+    {
+        label: msg("Same identifier is used for all providers"),
+        value: IssuerModeEnum.Global,
+    },
+];
+
+const redirectUriHelpMessages = [
+    msg(
+        "Valid redirect URIs after a successful authorization flow. Also specify any origins here for Implicit flows.",
+    ),
+    msg(
+        "If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved.",
+    ),
+    msg(
+        'To allow any redirect URI, set the mode to Regex and the value to ".*". Be aware of the possible security implications this can have.',
+    ),
+];
+
+export const redirectUriHelp = html`${redirectUriHelpMessages.map(
+    (m) => html`<p class="pf-c-form__helper-text">${m}</p>`,
+)}`;

 /**
 * Form page for OAuth2 Authentication Method
@ -31,6 +131,9 @@ export class OAuth2ProviderFormPage extends BaseProviderForm<OAuth2Provider> {
    @state()
    showClientSecret = true;

+    @state()
+    redirectUris: RedirectURI[] = [];
+
    static get styles() {
        return super.styles.concat(css`
            ak-array-input {
@ -44,6 +147,7 @@ export class OAuth2ProviderFormPage extends BaseProviderForm<OAuth2Provider> {
            id: pk,
        });
        this.showClientSecret = provider.clientType === ClientTypeEnum.Confidential;
+        this.redirectUris = provider.redirectUris;
        return provider;
    }

@ -60,11 +164,245 @@ export class OAuth2ProviderFormPage extends BaseProviderForm<OAuth2Provider> {
        }
    }

-    renderForm() {
-        const showClientSecretCallback = (show: boolean) => {
-            this.showClientSecret = show;
-        };
-        return renderForm(this.instance ?? {}, [], this.showClientSecret, showClientSecretCallback);
+    renderForm(): TemplateResult {
+        const provider = this.instance;
+
+        return html` <ak-text-input
+                name="name"
+                label=${msg("Name")}
+                value=${ifDefined(provider?.name)}
+                required
+            ></ak-text-input>
+
+            <ak-form-element-horizontal
+                name="authorizationFlow"
+                label=${msg("Authorization flow")}
+                ?required=${true}
+            >
+                <ak-flow-search
+                    flowType=${FlowsInstancesListDesignationEnum.Authorization}
+                    .currentFlow=${provider?.authorizationFlow}
+                    required
+                ></ak-flow-search>
+                <p class="pf-c-form__helper-text">
+                    ${msg("Flow used when authorizing this provider.")}
+                </p>
+            </ak-form-element-horizontal>
+            <ak-form-group expanded>
+                <span slot="header"> ${msg("Protocol settings")} </span>
+                <div slot="body" class="pf-c-form">
+                    <ak-radio-input
+                        name="clientType"
+                        label=${msg("Client type")}
+                        .value=${provider?.clientType}
+                        required
+                        @change=${(ev: CustomEvent<{ value: ClientTypeEnum }>) => {
+                            this.showClientSecret = ev.detail.value !== ClientTypeEnum.Public;
+                        }}
+                        .options=${clientTypeOptions}
+                    >
+                    </ak-radio-input>
+                    <ak-text-input
+                        name="clientId"
+                        label=${msg("Client ID")}
+                        value="${first(
+                            provider?.clientId,
+                            randomString(40, ascii_letters + digits),
+                        )}"
+                        required
+                    >
+                    </ak-text-input>
+                    <ak-text-input
+                        name="clientSecret"
+                        label=${msg("Client Secret")}
+                        value="${first(
+                            provider?.clientSecret,
+                            randomString(128, ascii_letters + digits),
+                        )}"
+                        ?hidden=${!this.showClientSecret}
+                    >
+                    </ak-text-input>
+                    <ak-form-element-horizontal
+                        label=${msg("Redirect URIs/Origins")}
+                        required
+                        name="redirectUris"
+                    >
+                        <ak-array-input
+                            .items=${this.instance?.redirectUris ?? []}
+                            .newItem=${() => ({ matchingMode: MatchingModeEnum.Strict, url: "" })}
+                            .row=${(f?: RedirectURI) =>
+                                akOAuthRedirectURIInput({
+                                    ".redirectURI": f,
+                                    "style": "width: 100%",
+                                    "name": "oauth2-redirect-uri",
+                                } as unknown as IRedirectURIInput)}
+                        >
+                        </ak-array-input>
+                        ${redirectUriHelp}
+                    </ak-form-element-horizontal>
+
+                    <ak-form-element-horizontal label=${msg("Signing Key")} name="signingKey">
+                        <!-- NOTE: 'null' cast to 'undefined' on signingKey to satisfy Lit requirements -->
+                        <ak-crypto-certificate-search
+                            certificate=${ifDefined(this.instance?.signingKey ?? undefined)}
+                            singleton
+                        ></ak-crypto-certificate-search>
+                        <p class="pf-c-form__helper-text">${msg("Key used to sign the tokens.")}</p>
+                    </ak-form-element-horizontal>
+                    <ak-form-element-horizontal label=${msg("Encryption Key")} name="encryptionKey">
+                        <!-- NOTE: 'null' cast to 'undefined' on encryptionKey to satisfy Lit requirements -->
+                        <ak-crypto-certificate-search
+                            certificate=${ifDefined(this.instance?.encryptionKey ?? undefined)}
+                        ></ak-crypto-certificate-search>
+                        <p class="pf-c-form__helper-text">
+                            ${msg("Key used to encrypt the tokens.")}
+                        </p>
+                    </ak-form-element-horizontal>
+                </div>
+            </ak-form-group>
+
+            <ak-form-group>
+                <span slot="header"> ${msg("Advanced flow settings")} </span>
+                <div slot="body" class="pf-c-form">
+                    <ak-form-element-horizontal
+                        name="authenticationFlow"
+                        label=${msg("Authentication flow")}
+                    >
+                        <ak-flow-search
+                            flowType=${FlowsInstancesListDesignationEnum.Authentication}
+                            .currentFlow=${provider?.authenticationFlow}
+                        ></ak-flow-search>
+                        <p class="pf-c-form__helper-text">
+                            ${msg(
+                                "Flow used when a user access this provider and is not authenticated.",
+                            )}
+                        </p>
+                    </ak-form-element-horizontal>
+                    <ak-form-element-horizontal
+                        label=${msg("Invalidation flow")}
+                        name="invalidationFlow"
+                        required
+                    >
+                        <ak-flow-search
+                            flowType=${FlowsInstancesListDesignationEnum.Invalidation}
+                            .currentFlow=${provider?.invalidationFlow}
+                            defaultFlowSlug="default-provider-invalidation-flow"
+                            required
+                        ></ak-flow-search>
+                        <p class="pf-c-form__helper-text">
+                            ${msg("Flow used when logging out of this provider.")}
+                        </p>
+                    </ak-form-element-horizontal>
+                </div>
+            </ak-form-group>
+
+            <ak-form-group>
+                <span slot="header"> ${msg("Advanced protocol settings")} </span>
+                <div slot="body" class="pf-c-form">
+                    <ak-text-input
+                        name="accessCodeValidity"
+                        label=${msg("Access code validity")}
+                        required
+                        value="${first(provider?.accessCodeValidity, "minutes=1")}"
+                        .bighelp=${html`<p class="pf-c-form__helper-text">
+                                ${msg("Configure how long access codes are valid for.")}
+                            </p>
+                            <ak-utils-time-delta-help></ak-utils-time-delta-help>`}
+                    >
+                    </ak-text-input>
+                    <ak-text-input
+                        name="accessTokenValidity"
+                        label=${msg("Access Token validity")}
+                        value="${first(provider?.accessTokenValidity, "minutes=5")}"
+                        required
+                        .bighelp=${html` <p class="pf-c-form__helper-text">
+                                ${msg("Configure how long access tokens are valid for.")}
+                            </p>
+                            <ak-utils-time-delta-help></ak-utils-time-delta-help>`}
+                    >
+                    </ak-text-input>
+
+                    <ak-text-input
+                        name="refreshTokenValidity"
+                        label=${msg("Refresh Token validity")}
+                        value="${first(provider?.refreshTokenValidity, "days=30")}"
+                        ?required=${true}
+                        .bighelp=${html` <p class="pf-c-form__helper-text">
+                                ${msg("Configure how long refresh tokens are valid for.")}
+                            </p>
+                            <ak-utils-time-delta-help></ak-utils-time-delta-help>`}
+                    >
+                    </ak-text-input>
+                    <ak-form-element-horizontal label=${msg("Scopes")} name="propertyMappings">
+                        <ak-dual-select-dynamic-selected
+                            .provider=${oauth2PropertyMappingsProvider}
+                            .selector=${makeOAuth2PropertyMappingsSelector(
+                                provider?.propertyMappings,
+                            )}
+                            available-label=${msg("Available Scopes")}
+                            selected-label=${msg("Selected Scopes")}
+                        ></ak-dual-select-dynamic-selected>
+
+                        <p class="pf-c-form__helper-text">
+                            ${msg(
+                                "Select which scopes can be used by the client. The client still has to specify the scope to access the data.",
+                            )}
+                        </p>
+                    </ak-form-element-horizontal>
+                    <ak-radio-input
+                        name="subMode"
+                        label=${msg("Subject mode")}
+                        required
+                        .options=${subjectModeOptions}
+                        .value=${provider?.subMode}
+                        help=${msg(
+                            "Configure what data should be used as unique User Identifier. For most cases, the default should be fine.",
+                        )}
+                    >
+                    </ak-radio-input>
+                    <ak-switch-input
+                        name="includeClaimsInIdToken"
+                        label=${msg("Include claims in id_token")}
+                        ?checked=${first(provider?.includeClaimsInIdToken, true)}
+                        help=${msg(
+                            "Include User claims from scopes in the id_token, for applications that don't access the userinfo endpoint.",
+                        )}
+                    ></ak-switch-input>
+                    <ak-radio-input
+                        name="issuerMode"
+                        label=${msg("Issuer mode")}
+                        required
+                        .options=${issuerModeOptions}
+                        .value=${provider?.issuerMode}
+                        help=${msg(
+                            "Configure how the issuer field of the ID Token should be filled.",
+                        )}
+                    >
+                    </ak-radio-input>
+                </div>
+            </ak-form-group>
+
+            <ak-form-group>
+                <span slot="header">${msg("Machine-to-Machine authentication settings")}</span>
+                <div slot="body" class="pf-c-form">
+                    <ak-form-element-horizontal
+                        label=${msg("Trusted OIDC Sources")}
+                        name="jwksSources"
+                    >
+                        <ak-dual-select-dynamic-selected
+                            .provider=${oauth2SourcesProvider}
+                            .selector=${makeSourceSelector(provider?.jwksSources)}
+                            available-label=${msg("Available Sources")}
+                            selected-label=${msg("Selected Sources")}
+                        ></ak-dual-select-dynamic-selected>
+                        <p class="pf-c-form__helper-text">
+                            ${msg(
+                                "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider.",
+                            )}
+                        </p>
+                    </ak-form-element-horizontal>
+                </div>
+            </ak-form-group>`;
    }
 }

--- a/web/src/admin/providers/oauth2/OAuth2ProviderFormForm.ts
+++ b/web/src/admin/providers/oauth2/OAuth2ProviderFormForm.ts
@ -1,350 +0,0 @@
-import "@goauthentik/admin/common/ak-crypto-certificate-search";
-import "@goauthentik/admin/common/ak-flow-search/ak-flow-search";
-import {
-    IRedirectURIInput,
-    akOAuthRedirectURIInput,
-} from "@goauthentik/admin/providers/oauth2/OAuth2ProviderRedirectURI";
-import { ascii_letters, digits, randomString } from "@goauthentik/common/utils";
-import "@goauthentik/components/ak-radio-input";
-import "@goauthentik/components/ak-text-input";
-import "@goauthentik/components/ak-textarea-input";
-import "@goauthentik/elements/ak-array-input.js";
-import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
-import "@goauthentik/elements/ak-dual-select/ak-dual-select-provider.js";
-import "@goauthentik/elements/forms/FormGroup";
-import "@goauthentik/elements/forms/HorizontalFormElement";
-import "@goauthentik/elements/forms/Radio";
-import "@goauthentik/elements/forms/SearchSelect";
-import "@goauthentik/elements/utils/TimeDeltaHelp";
-
-import { msg } from "@lit/localize";
-import { html } from "lit";
-import { ifDefined } from "lit/directives/if-defined.js";
-
-import {
-    ClientTypeEnum,
-    FlowsInstancesListDesignationEnum,
-    IssuerModeEnum,
-    MatchingModeEnum,
-    OAuth2Provider,
-    RedirectURI,
-    SubModeEnum,
-    ValidationError,
-} from "@goauthentik/api";
-
-import {
-    makeOAuth2PropertyMappingsSelector,
-    oauth2PropertyMappingsProvider,
-} from "./OAuth2PropertyMappings.js";
-import { makeSourceSelector, oauth2SourcesProvider } from "./OAuth2Sources.js";
-
-export const clientTypeOptions = [
-    {
-        label: msg("Confidential"),
-        value: ClientTypeEnum.Confidential,
-        default: true,
-        description: html`${msg(
-            "Confidential clients are capable of maintaining the confidentiality of their credentials such as client secrets",
-        )}`,
-    },
-    {
-        label: msg("Public"),
-        value: ClientTypeEnum.Public,
-        description: html`${msg(
-            "Public clients are incapable of maintaining the confidentiality and should use methods like PKCE. ",
-        )}`,
-    },
-];
-
-export const subjectModeOptions = [
-    {
-        label: msg("Based on the User's hashed ID"),
-        value: SubModeEnum.HashedUserId,
-        default: true,
-    },
-    {
-        label: msg("Based on the User's ID"),
-        value: SubModeEnum.UserId,
-    },
-    {
-        label: msg("Based on the User's UUID"),
-        value: SubModeEnum.UserUuid,
-    },
-    {
-        label: msg("Based on the User's username"),
-        value: SubModeEnum.UserUsername,
-    },
-    {
-        label: msg("Based on the User's Email"),
-        value: SubModeEnum.UserEmail,
-        description: html`${msg("This is recommended over the UPN mode.")}`,
-    },
-    {
-        label: msg("Based on the User's UPN"),
-        value: SubModeEnum.UserUpn,
-        description: html`${msg(
-            "Requires the user to have a 'upn' attribute set, and falls back to hashed user ID. Use this mode only if you have different UPN and Mail domains.",
-        )}`,
-    },
-];
-
-export const issuerModeOptions = [
-    {
-        label: msg("Each provider has a different issuer, based on the application slug"),
-        value: IssuerModeEnum.PerProvider,
-        default: true,
-    },
-    {
-        label: msg("Same identifier is used for all providers"),
-        value: IssuerModeEnum.Global,
-    },
-];
-
-const redirectUriHelpMessages = [
-    msg(
-        "Valid redirect URIs after a successful authorization flow. Also specify any origins here for Implicit flows.",
-    ),
-    msg(
-        "If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved.",
-    ),
-    msg(
-        'To allow any redirect URI, set the mode to Regex and the value to ".*". Be aware of the possible security implications this can have.',
-    ),
-];
-
-export const redirectUriHelp = html`${redirectUriHelpMessages.map(
-    (m) => html`<p class="pf-c-form__helper-text">${m}</p>`,
-)}`;
-
-type ShowClientSecret = (show: boolean) => void;
-const defaultShowClientSecret: ShowClientSecret = (_show) => undefined;
-
-export function renderForm(
-    provider: Partial<OAuth2Provider>,
-    errors: ValidationError,
-    showClientSecret = false,
-    showClientSecretCallback: ShowClientSecret = defaultShowClientSecret,
-) {
-    return html` <ak-text-input
-            name="name"
-            label=${msg("Name")}
-            value=${ifDefined(provider?.name)}
-            required
-        ></ak-text-input>
-
-        <ak-form-element-horizontal
-            name="authorizationFlow"
-            label=${msg("Authorization flow")}
-            ?required=${true}
-        >
-            <ak-flow-search
-                flowType=${FlowsInstancesListDesignationEnum.Authorization}
-                .currentFlow=${provider?.authorizationFlow}
-                required
-            ></ak-flow-search>
-            <p class="pf-c-form__helper-text">
-                ${msg("Flow used when authorizing this provider.")}
-            </p>
-        </ak-form-element-horizontal>
-        <ak-form-group expanded>
-            <span slot="header"> ${msg("Protocol settings")} </span>
-            <div slot="body" class="pf-c-form">
-                <ak-radio-input
-                    name="clientType"
-                    label=${msg("Client type")}
-                    .value=${provider?.clientType}
-                    required
-                    @change=${(ev: CustomEvent<{ value: ClientTypeEnum }>) => {
-                        showClientSecretCallback(ev.detail.value !== ClientTypeEnum.Public);
-                    }}
-                    .options=${clientTypeOptions}
-                >
-                </ak-radio-input>
-                <ak-text-input
-                    name="clientId"
-                    label=${msg("Client ID")}
-                    value="${provider?.clientId ?? randomString(40, ascii_letters + digits)}"
-                    required
-                >
-                </ak-text-input>
-                <ak-text-input
-                    name="clientSecret"
-                    label=${msg("Client Secret")}
-                    value="${provider?.clientSecret ?? randomString(128, ascii_letters + digits)}"
-                    ?hidden=${!showClientSecret}
-                >
-                </ak-text-input>
-                <ak-form-element-horizontal
-                    label=${msg("Redirect URIs/Origins")}
-                    required
-                    name="redirectUris"
-                >
-                    <ak-array-input
-                        name="redirectUris"
-                        .items=${provider?.redirectUris ?? []}
-                        .newItem=${() => ({ matchingMode: MatchingModeEnum.Strict, url: "" })}
-                        .row=${(f?: RedirectURI) =>
-                            akOAuthRedirectURIInput({
-                                ".redirectURI": f,
-                                "style": "width: 100%",
-                                "name": "oauth2-redirect-uri",
-                            } as unknown as IRedirectURIInput)}
-                    >
-                    </ak-array-input>
-                    ${redirectUriHelp}
-                </ak-form-element-horizontal>
-
-                <ak-form-element-horizontal label=${msg("Signing Key")} name="signingKey">
-                    <!-- NOTE: 'null' cast to 'undefined' on signingKey to satisfy Lit requirements -->
-                    <ak-crypto-certificate-search
-                        certificate=${ifDefined(provider?.signingKey ?? undefined)}
-                        singleton
-                    ></ak-crypto-certificate-search>
-                    <p class="pf-c-form__helper-text">${msg("Key used to sign the tokens.")}</p>
-                </ak-form-element-horizontal>
-                <ak-form-element-horizontal label=${msg("Encryption Key")} name="encryptionKey">
-                    <!-- NOTE: 'null' cast to 'undefined' on encryptionKey to satisfy Lit requirements -->
-                    <ak-crypto-certificate-search
-                        certificate=${ifDefined(provider?.encryptionKey ?? undefined)}
-                    ></ak-crypto-certificate-search>
-                    <p class="pf-c-form__helper-text">${msg("Key used to encrypt the tokens.")}</p>
-                </ak-form-element-horizontal>
-            </div>
-        </ak-form-group>
-
-        <ak-form-group>
-            <span slot="header"> ${msg("Advanced flow settings")} </span>
-            <div slot="body" class="pf-c-form">
-                <ak-form-element-horizontal
-                    name="authenticationFlow"
-                    label=${msg("Authentication flow")}
-                >
-                    <ak-flow-search
-                        flowType=${FlowsInstancesListDesignationEnum.Authentication}
-                        .currentFlow=${provider?.authenticationFlow}
-                    ></ak-flow-search>
-                    <p class="pf-c-form__helper-text">
-                        ${msg(
-                            "Flow used when a user access this provider and is not authenticated.",
-                        )}
-                    </p>
-                </ak-form-element-horizontal>
-                <ak-form-element-horizontal
-                    label=${msg("Invalidation flow")}
-                    name="invalidationFlow"
-                    required
-                >
-                    <ak-flow-search
-                        flowType=${FlowsInstancesListDesignationEnum.Invalidation}
-                        .currentFlow=${provider?.invalidationFlow}
-                        defaultFlowSlug="default-provider-invalidation-flow"
-                        required
-                    ></ak-flow-search>
-                    <p class="pf-c-form__helper-text">
-                        ${msg("Flow used when logging out of this provider.")}
-                    </p>
-                </ak-form-element-horizontal>
-            </div>
-        </ak-form-group>
-
-        <ak-form-group>
-            <span slot="header"> ${msg("Advanced protocol settings")} </span>
-            <div slot="body" class="pf-c-form">
-                <ak-text-input
-                    name="accessCodeValidity"
-                    label=${msg("Access code validity")}
-                    required
-                    value="${provider?.accessCodeValidity ?? "minutes=1"}"
-                    .bighelp=${html`<p class="pf-c-form__helper-text">
-                            ${msg("Configure how long access codes are valid for.")}
-                        </p>
-                        <ak-utils-time-delta-help></ak-utils-time-delta-help>`}
-                >
-                </ak-text-input>
-                <ak-text-input
-                    name="accessTokenValidity"
-                    label=${msg("Access Token validity")}
-                    value="${provider?.accessTokenValidity ?? "minutes=5"}"
-                    required
-                    .bighelp=${html` <p class="pf-c-form__helper-text">
-                            ${msg("Configure how long access tokens are valid for.")}
-                        </p>
-                        <ak-utils-time-delta-help></ak-utils-time-delta-help>`}
-                >
-                </ak-text-input>
-
-                <ak-text-input
-                    name="refreshTokenValidity"
-                    label=${msg("Refresh Token validity")}
-                    value="${provider?.refreshTokenValidity ?? "days=30"}"
-                    ?required=${true}
-                    .bighelp=${html` <p class="pf-c-form__helper-text">
-                            ${msg("Configure how long refresh tokens are valid for.")}
-                        </p>
-                        <ak-utils-time-delta-help></ak-utils-time-delta-help>`}
-                >
-                </ak-text-input>
-                <ak-form-element-horizontal label=${msg("Scopes")} name="propertyMappings">
-                    <ak-dual-select-dynamic-selected
-                        .provider=${oauth2PropertyMappingsProvider}
-                        .selector=${makeOAuth2PropertyMappingsSelector(provider?.propertyMappings)}
-                        available-label=${msg("Available Scopes")}
-                        selected-label=${msg("Selected Scopes")}
-                    ></ak-dual-select-dynamic-selected>
-
-                    <p class="pf-c-form__helper-text">
-                        ${msg(
-                            "Select which scopes can be used by the client. The client still has to specify the scope to access the data.",
-                        )}
-                    </p>
-                </ak-form-element-horizontal>
-                <ak-radio-input
-                    name="subMode"
-                    label=${msg("Subject mode")}
-                    required
-                    .options=${subjectModeOptions}
-                    .value=${provider?.subMode}
-                    help=${msg(
-                        "Configure what data should be used as unique User Identifier. For most cases, the default should be fine.",
-                    )}
-                >
-                </ak-radio-input>
-                <ak-switch-input
-                    name="includeClaimsInIdToken"
-                    label=${msg("Include claims in id_token")}
-                    ?checked=${provider?.includeClaimsInIdToken ?? true}
-                    help=${msg(
-                        "Include User claims from scopes in the id_token, for applications that don't access the userinfo endpoint.",
-                    )}
-                ></ak-switch-input>
-                <ak-radio-input
-                    name="issuerMode"
-                    label=${msg("Issuer mode")}
-                    required
-                    .options=${issuerModeOptions}
-                    .value=${provider?.issuerMode}
-                    help=${msg("Configure how the issuer field of the ID Token should be filled.")}
-                >
-                </ak-radio-input>
-            </div>
-        </ak-form-group>
-
-        <ak-form-group>
-            <span slot="header">${msg("Machine-to-Machine authentication settings")}</span>
-            <div slot="body" class="pf-c-form">
-                <ak-form-element-horizontal label=${msg("Trusted OIDC Sources")} name="jwksSources">
-                    <ak-dual-select-dynamic-selected
-                        .provider=${oauth2SourcesProvider}
-                        .selector=${makeSourceSelector(provider?.jwksSources)}
-                        available-label=${msg("Available Sources")}
-                        selected-label=${msg("Selected Sources")}
-                    ></ak-dual-select-dynamic-selected>
-                    <p class="pf-c-form__helper-text">
-                        ${msg(
-                            "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider.",
-                        )}
-                    </p>
-                </ak-form-element-horizontal>
-            </div>
-        </ak-form-group>`;
-}
--- a/web/src/admin/providers/proxy/ProxyProviderForm.ts
+++ b/web/src/admin/providers/proxy/ProxyProviderForm.ts
@ -1,18 +1,39 @@
 import "@goauthentik/admin/common/ak-crypto-certificate-search";
 import "@goauthentik/admin/common/ak-flow-search/ak-flow-search";
 import { BaseProviderForm } from "@goauthentik/admin/providers/BaseProviderForm";
+import {
+    makeSourceSelector,
+    oauth2SourcesProvider,
+} from "@goauthentik/admin/providers/oauth2/OAuth2Sources.js";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import { first } from "@goauthentik/common/utils";
+import "@goauthentik/components/ak-toggle-group";
+import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
+import "@goauthentik/elements/forms/FormGroup";
+import "@goauthentik/elements/forms/HorizontalFormElement";
+import "@goauthentik/elements/forms/SearchSelect";
+import "@goauthentik/elements/utils/TimeDeltaHelp";

-import { CSSResult } from "lit";
+import { msg } from "@lit/localize";
+import { CSSResult, TemplateResult, html } from "lit";
 import { customElement, state } from "lit/decorators.js";
+import { ifDefined } from "lit/directives/if-defined.js";

 import PFContent from "@patternfly/patternfly/components/Content/content.css";
 import PFList from "@patternfly/patternfly/components/List/list.css";
 import PFSpacing from "@patternfly/patternfly/utilities/Spacing/spacing.css";

-import { ProvidersApi, ProxyMode, ProxyProvider } from "@goauthentik/api";
+import {
+    FlowsInstancesListDesignationEnum,
+    ProvidersApi,
+    ProxyMode,
+    ProxyProvider,
+} from "@goauthentik/api";

-import { SetMode, SetShowHttpBasic, renderForm } from "./ProxyProviderFormForm.js";
+import {
+    makeProxyPropertyMappingsSelector,
+    proxyPropertyMappingsProvider,
+} from "./ProxyProviderPropertyMappings.js";

@customElement("ak-provider-proxy-form")
 export class ProxyProviderFormPage extends BaseProviderForm<ProxyProvider> {
@ -24,8 +45,8 @@ export class ProxyProviderFormPage extends BaseProviderForm<ProxyProvider> {
        const provider = await new ProvidersApi(DEFAULT_CONFIG).providersProxyRetrieve({
            id: pk,
        });
-        this.showHttpBasic = provider.basicAuthEnabled ?? true;
-        this.mode = provider.mode ?? ProxyMode.Proxy;
+        this.showHttpBasic = first(provider.basicAuthEnabled, true);
+        this.mode = first(provider.mode, ProxyMode.Proxy);
        return provider;
    }

@ -52,22 +73,376 @@ export class ProxyProviderFormPage extends BaseProviderForm<ProxyProvider> {
        }
    }

-    renderForm() {
-        const onSetMode: SetMode = (ev) => {
+    renderHttpBasic(): TemplateResult {
+        return html`<ak-text-input
+                name="basicAuthUserAttribute"
+                label=${msg("HTTP-Basic Username Key")}
+                value="${ifDefined(this.instance?.basicAuthUserAttribute)}"
+                help=${msg(
+                    "User/Group Attribute used for the user part of the HTTP-Basic Header. If not set, the user's Email address is used.",
+                )}
+            >
+            </ak-text-input>
+
+            <ak-text-input
+                name="basicAuthPasswordAttribute"
+                label=${msg("HTTP-Basic Password Key")}
+                value="${ifDefined(this.instance?.basicAuthPasswordAttribute)}"
+                help=${msg(
+                    "User/Group Attribute used for the password part of the HTTP-Basic Header.",
+                )}
+            >
+            </ak-text-input>`;
+    }
+
+    renderModeSelector(): TemplateResult {
+        const setMode = (ev: CustomEvent<{ value: ProxyMode }>) => {
            this.mode = ev.detail.value;
        };

-        const onSetShowHttpBasic: SetShowHttpBasic = (ev: Event) => {
-            const el = ev.target as HTMLInputElement;
-            this.showHttpBasic = el.checked;
-        };
+        // prettier-ignore
+        return html`
+            <ak-toggle-group value=${this.mode} @ak-toggle=${setMode}>
+                <option value=${ProxyMode.Proxy}>${msg("Proxy")}</option>
+                <option value=${ProxyMode.ForwardSingle}>${msg("Forward auth (single application)")}</option>
+                <option value=${ProxyMode.ForwardDomain}>${msg("Forward auth (domain level)")}</option>
+            </ak-toggle-group>
+        `;
+    }

-        return renderForm(this.instance ?? {}, [], {
-            mode: this.mode,
-            onSetMode,
-            showHttpBasic: this.showHttpBasic,
-            onSetShowHttpBasic,
-        });
+    renderSettings(): TemplateResult {
+        switch (this.mode) {
+            case ProxyMode.Proxy:
+                return html`<p class="pf-u-mb-xl">
+                        ${msg(
+                            "This provider will behave like a transparent reverse-proxy, except requests must be authenticated. If your upstream application uses HTTPS, make sure to connect to the outpost using HTTPS as well.",
+                        )}
+                    </p>
+                    <ak-form-element-horizontal
+                        label=${msg("External host")}
+                        ?required=${true}
+                        name="externalHost"
+                    >
+                        <input
+                            type="text"
+                            value="${ifDefined(this.instance?.externalHost)}"
+                            class="pf-c-form-control"
+                            required
+                        />
+                        <p class="pf-c-form__helper-text">
+                            ${msg(
+                                "The external URL you'll access the application at. Include any non-standard port.",
+                            )}
+                        </p>
+                    </ak-form-element-horizontal>
+                    <ak-form-element-horizontal
+                        label=${msg("Internal host")}
+                        ?required=${true}
+                        name="internalHost"
+                    >
+                        <input
+                            type="text"
+                            value="${ifDefined(this.instance?.internalHost)}"
+                            class="pf-c-form-control"
+                            required
+                        />
+                        <p class="pf-c-form__helper-text">
+                            ${msg("Upstream host that the requests are forwarded to.")}
+                        </p>
+                    </ak-form-element-horizontal>
+                    <ak-form-element-horizontal name="internalHostSslValidation">
+                        <label class="pf-c-switch">
+                            <input
+                                class="pf-c-switch__input"
+                                type="checkbox"
+                                ?checked=${first(this.instance?.internalHostSslValidation, true)}
+                            />
+                            <span class="pf-c-switch__toggle">
+                                <span class="pf-c-switch__toggle-icon">
+                                    <i class="fas fa-check" aria-hidden="true"></i>
+                                </span>
+                            </span>
+                            <span class="pf-c-switch__label"
+                                >${msg("Internal host SSL Validation")}</span
+                            >
+                        </label>
+                        <p class="pf-c-form__helper-text">
+                            ${msg("Validate SSL Certificates of upstream servers.")}
+                        </p>
+                    </ak-form-element-horizontal>`;
+            case ProxyMode.ForwardSingle:
+                return html`<p class="pf-u-mb-xl">
+                        ${msg(
+                            "Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /outpost.goauthentik.io must be routed to the outpost (when using a managed outpost, this is done for you).",
+                        )}
+                    </p>
+                    <ak-form-element-horizontal
+                        label=${msg("External host")}
+                        ?required=${true}
+                        name="externalHost"
+                    >
+                        <input
+                            type="text"
+                            value="${ifDefined(this.instance?.externalHost)}"
+                            class="pf-c-form-control"
+                            required
+                        />
+                        <p class="pf-c-form__helper-text">
+                            ${msg(
+                                "The external URL you'll access the application at. Include any non-standard port.",
+                            )}
+                        </p>
+                    </ak-form-element-horizontal>`;
+            case ProxyMode.ForwardDomain:
+                return html`<p class="pf-u-mb-xl">
+                        ${msg(
+                            "Use this provider with nginx's auth_request or traefik's forwardAuth. Only a single provider is required per root domain. You can't do per-application authorization, but you don't have to create a provider for each application.",
+                        )}
+                    </p>
+                    <div class="pf-u-mb-xl">
+                        ${msg("An example setup can look like this:")}
+                        <ul class="pf-c-list">
+                            <li>${msg("authentik running on auth.example.com")}</li>
+                            <li>${msg("app1 running on app1.example.com")}</li>
+                        </ul>
+                        ${msg(
+                            "In this case, you'd set the Authentication URL to auth.example.com and Cookie domain to example.com.",
+                        )}
+                    </div>
+                    <ak-form-element-horizontal
+                        label=${msg("Authentication URL")}
+                        ?required=${true}
+                        name="externalHost"
+                    >
+                        <input
+                            type="text"
+                            value="${first(this.instance?.externalHost, window.location.origin)}"
+                            class="pf-c-form-control"
+                            required
+                        />
+                        <p class="pf-c-form__helper-text">
+                            ${msg(
+                                "The external URL you'll authenticate at. The authentik core server should be reachable under this URL.",
+                            )}
+                        </p>
+                    </ak-form-element-horizontal>
+                    <ak-form-element-horizontal
+                        label=${msg("Cookie domain")}
+                        name="cookieDomain"
+                        ?required=${true}
+                    >
+                        <input
+                            type="text"
+                            value="${ifDefined(this.instance?.cookieDomain)}"
+                            class="pf-c-form-control"
+                            required
+                        />
+                        <p class="pf-c-form__helper-text">
+                            ${msg(
+                                "Set this to the domain you wish the authentication to be valid for. Must be a parent domain of the URL above. If you're running applications as app1.domain.tld, app2.domain.tld, set this to 'domain.tld'.",
+                            )}
+                        </p>
+                    </ak-form-element-horizontal>`;
+            case ProxyMode.UnknownDefaultOpenApi:
+                return html`<p>${msg("Unknown proxy mode")}</p>`;
+        }
+    }
+
+    renderForm(): TemplateResult {
+        return html`
+            <ak-form-element-horizontal label=${msg("Name")} ?required=${true} name="name">
+                <input
+                    type="text"
+                    value="${ifDefined(this.instance?.name)}"
+                    class="pf-c-form-control"
+                    required
+                />
+            </ak-form-element-horizontal>
+            <ak-form-element-horizontal
+                label=${msg("Authorization flow")}
+                required
+                name="authorizationFlow"
+            >
+                <ak-flow-search
+                    flowType=${FlowsInstancesListDesignationEnum.Authorization}
+                    .currentFlow=${this.instance?.authorizationFlow}
+                    required
+                ></ak-flow-search>
+                <p class="pf-c-form__helper-text">
+                    ${msg("Flow used when authorizing this provider.")}
+                </p>
+            </ak-form-element-horizontal>
+
+            <div class="pf-c-card pf-m-selectable pf-m-selected">
+                <div class="pf-c-card__body">${this.renderModeSelector()}</div>
+                <div class="pf-c-card__footer">${this.renderSettings()}</div>
+            </div>
+            <ak-form-element-horizontal label=${msg("Token validity")} name="accessTokenValidity">
+                <input
+                    type="text"
+                    value="${first(this.instance?.accessTokenValidity, "hours=24")}"
+                    class="pf-c-form-control"
+                />
+                <p class="pf-c-form__helper-text">
+                    ${msg("Configure how long tokens are valid for.")}
+                </p>
+                <ak-utils-time-delta-help></ak-utils-time-delta-help>
+            </ak-form-element-horizontal>
+
+            <ak-form-group>
+                <span slot="header">${msg("Advanced protocol settings")}</span>
+                <div slot="body" class="pf-c-form">
+                    <ak-form-element-horizontal label=${msg("Certificate")} name="certificate">
+                        <ak-crypto-certificate-search
+                            .certificate=${this.instance?.certificate}
+                        ></ak-crypto-certificate-search>
+                    </ak-form-element-horizontal>
+                    <ak-form-element-horizontal
+                        label=${msg("Additional scopes")}
+                        name="propertyMappings"
+                    >
+                        <ak-dual-select-dynamic-selected
+                            .provider=${proxyPropertyMappingsProvider}
+                            .selector=${makeProxyPropertyMappingsSelector(
+                                this.instance?.propertyMappings,
+                            )}
+                            available-label="${msg("Available Scopes")}"
+                            selected-label="${msg("Selected Scopes")}"
+                        ></ak-dual-select-dynamic-selected>
+                        <p class="pf-c-form__helper-text">
+                            ${msg("Additional scope mappings, which are passed to the proxy.")}
+                        </p>
+                    </ak-form-element-horizontal>
+
+                    <ak-form-element-horizontal
+                        label="${this.mode === ProxyMode.ForwardDomain
+                            ? msg("Unauthenticated URLs")
+                            : msg("Unauthenticated Paths")}"
+                        name="skipPathRegex"
+                    >
+                        <textarea class="pf-c-form-control">
+${this.instance?.skipPathRegex}</textarea
+                        >
+                        <p class="pf-c-form__helper-text">
+                            ${msg(
+                                "Regular expressions for which authentication is not required. Each new line is interpreted as a new expression.",
+                            )}
+                        </p>
+                        <p class="pf-c-form__helper-text">
+                            ${msg(
+                                "When using proxy or forward auth (single application) mode, the requested URL Path is checked against the regular expressions. When using forward auth (domain mode), the full requested URL including scheme and host is matched against the regular expressions.",
+                            )}
+                        </p>
+                    </ak-form-element-horizontal>
+                </div>
+            </ak-form-group>
+            <ak-form-group>
+                <span slot="header">${msg("Authentication settings")}</span>
+                <div slot="body" class="pf-c-form">
+                    <ak-form-element-horizontal name="interceptHeaderAuth">
+                        <label class="pf-c-switch">
+                            <input
+                                class="pf-c-switch__input"
+                                type="checkbox"
+                                ?checked=${first(this.instance?.interceptHeaderAuth, true)}
+                            />
+                            <span class="pf-c-switch__toggle">
+                                <span class="pf-c-switch__toggle-icon">
+                                    <i class="fas fa-check" aria-hidden="true"></i>
+                                </span>
+                            </span>
+                            <span class="pf-c-switch__label"
+                                >${msg("Intercept header authentication")}</span
+                            >
+                        </label>
+                        <p class="pf-c-form__helper-text">
+                            ${msg(
+                                "When enabled, authentik will intercept the Authorization header to authenticate the request.",
+                            )}
+                        </p>
+                    </ak-form-element-horizontal>
+                    <ak-form-element-horizontal name="basicAuthEnabled">
+                        <label class="pf-c-switch">
+                            <input
+                                class="pf-c-switch__input"
+                                type="checkbox"
+                                ?checked=${first(this.instance?.basicAuthEnabled, false)}
+                                @change=${(ev: Event) => {
+                                    const el = ev.target as HTMLInputElement;
+                                    this.showHttpBasic = el.checked;
+                                }}
+                            />
+                            <span class="pf-c-switch__toggle">
+                                <span class="pf-c-switch__toggle-icon">
+                                    <i class="fas fa-check" aria-hidden="true"></i>
+                                </span>
+                            </span>
+                            <span class="pf-c-switch__label"
+                                >${msg("Send HTTP-Basic Authentication")}</span
+                            >
+                        </label>
+                        <p class="pf-c-form__helper-text">
+                            ${msg(
+                                "Send a custom HTTP-Basic Authentication header based on values from authentik.",
+                            )}
+                        </p>
+                    </ak-form-element-horizontal>
+                    ${this.showHttpBasic ? this.renderHttpBasic() : html``}
+                    <ak-form-element-horizontal
+                        label=${msg("Trusted OIDC Sources")}
+                        name="jwksSources"
+                    >
+                        <ak-dual-select-dynamic-selected
+                            .provider=${oauth2SourcesProvider}
+                            .selector=${makeSourceSelector(this.instance?.jwksSources)}
+                            available-label=${msg("Available Sources")}
+                            selected-label=${msg("Selected Sources")}
+                        ></ak-dual-select-dynamic-selected>
+                        <p class="pf-c-form__helper-text">
+                            ${msg(
+                                "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider.",
+                            )}
+                        </p>
+                    </ak-form-element-horizontal>
+                </div>
+            </ak-form-group>
+
+            <ak-form-group>
+                <span slot="header"> ${msg("Advanced flow settings")} </span>
+                <div slot="body" class="pf-c-form">
+                    <ak-form-element-horizontal
+                        label=${msg("Authentication flow")}
+                        ?required=${false}
+                        name="authenticationFlow"
+                    >
+                        <ak-flow-search
+                            flowType=${FlowsInstancesListDesignationEnum.Authentication}
+                            .currentFlow=${this.instance?.authenticationFlow}
+                        ></ak-flow-search>
+                        <p class="pf-c-form__helper-text">
+                            ${msg(
+                                "Flow used when a user access this provider and is not authenticated.",
+                            )}
+                        </p>
+                    </ak-form-element-horizontal>
+                    <ak-form-element-horizontal
+                        label=${msg("Invalidation flow")}
+                        name="invalidationFlow"
+                        required
+                    >
+                        <ak-flow-search
+                            flowType=${FlowsInstancesListDesignationEnum.Invalidation}
+                            .currentFlow=${this.instance?.invalidationFlow}
+                            defaultFlowSlug="default-provider-invalidation-flow"
+                            required
+                        ></ak-flow-search>
+                        <p class="pf-c-form__helper-text">
+                            ${msg("Flow used when logging out of this provider.")}
+                        </p>
+                    </ak-form-element-horizontal>
+                </div>
+            </ak-form-group>
+        `;
    }
 }

--- a/web/src/admin/providers/proxy/ProxyProviderFormForm.ts
+++ b/web/src/admin/providers/proxy/ProxyProviderFormForm.ts
@ -1,343 +0,0 @@
-import "@goauthentik/admin/common/ak-crypto-certificate-search";
-import "@goauthentik/admin/common/ak-flow-search/ak-flow-search";
-import {
-    makeSourceSelector,
-    oauth2SourcesProvider,
-} from "@goauthentik/admin/providers/oauth2/OAuth2Sources.js";
-import "@goauthentik/components/ak-toggle-group";
-import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
-import "@goauthentik/elements/forms/FormGroup";
-import "@goauthentik/elements/forms/HorizontalFormElement";
-import "@goauthentik/elements/forms/SearchSelect";
-import "@goauthentik/elements/utils/TimeDeltaHelp";
-import { match } from "ts-pattern";
-
-import { msg } from "@lit/localize";
-import { html, nothing } from "lit";
-import { ifDefined } from "lit/directives/if-defined.js";
-
-import {
-    FlowsInstancesListDesignationEnum,
-    ProxyMode,
-    ProxyProvider,
-    ValidationError,
-} from "@goauthentik/api";
-
-import {
-    makeProxyPropertyMappingsSelector,
-    proxyPropertyMappingsProvider,
-} from "./ProxyProviderPropertyMappings.js";
-
-export type ProxyModeValue = { value: ProxyMode };
-export type SetMode = (ev: CustomEvent<ProxyModeValue>) => void;
-export type SetShowHttpBasic = (ev: Event) => void;
-
-export interface ProxyModeExtraArgs {
-    mode: ProxyMode;
-    onSetMode: SetMode;
-    showHttpBasic: boolean;
-    onSetShowHttpBasic: SetShowHttpBasic;
-}
-
-function renderHttpBasic(provider: Partial<ProxyProvider>) {
-    return html`<ak-text-input
-            name="basicAuthUserAttribute"
-            label=${msg("HTTP-Basic Username Key")}
-            value="${ifDefined(provider?.basicAuthUserAttribute)}"
-            help=${msg(
-                "User/Group Attribute used for the user part of the HTTP-Basic Header. If not set, the user's Email address is used.",
-            )}
-        >
-        </ak-text-input>
-
-        <ak-text-input
-            name="basicAuthPasswordAttribute"
-            label=${msg("HTTP-Basic Password Key")}
-            value="${ifDefined(provider?.basicAuthPasswordAttribute)}"
-            help=${msg("User/Group Attribute used for the password part of the HTTP-Basic Header.")}
-        >
-        </ak-text-input>`;
-}
-
-function renderModeSelector(mode: ProxyMode, onSet: SetMode) {
-    // prettier-ignore
-    return html` <ak-toggle-group
-        value=${mode}
-        @ak-toggle=${onSet}
-        data-ouid-component-name="proxy-type-toggle"
-    >
-        <option value=${ProxyMode.Proxy}>${msg("Proxy")}</option>
-        <option value=${ProxyMode.ForwardSingle}>${msg("Forward auth (single application)")}</option>
-        <option value=${ProxyMode.ForwardDomain}>${msg("Forward auth (domain level)")}</option>
-    </ak-toggle-group>`;
-}
-
-function renderProxySettings(provider: Partial<ProxyProvider>, errors?: ValidationError) {
-    return html`<p class="pf-u-mb-xl">
-            ${msg(
-                "This provider will behave like a transparent reverse-proxy, except requests must be authenticated. If your upstream application uses HTTPS, make sure to connect to the outpost using HTTPS as well.",
-            )}
-        </p>
-        <ak-text-input
-            name="externalHost"
-            label=${msg("External host")}
-            value="${ifDefined(provider?.externalHost)}"
-            required
-            .errorMessages=${errors?.externalHost ?? []}
-            help=${msg(
-                "The external URL you'll access the application at. Include any non-standard port.",
-            )}
-        ></ak-text-input>
-        <ak-text-input
-            name="internalHost"
-            label=${msg("Internal host")}
-            value="${ifDefined(provider?.internalHost)}"
-            required
-            .errorMessages=${errors?.internalHost ?? []}
-            help=${msg("Upstream host that the requests are forwarded to.")}
-        ></ak-text-input>
-
-        <ak-switch-input
-            name="internalHostSslValidation"
-            label=${msg("Internal host SSL Validation")}
-            ?checked=${provider?.internalHostSslValidation ?? true}
-            help=${msg("Validate SSL Certificates of upstream servers.")}
-        >
-        </ak-switch-input>`;
-}
-
-function renderForwardSingleSettings(provider: Partial<ProxyProvider>, errors?: ValidationError) {
-    return html`<p class="pf-u-mb-xl">
-            ${msg(
-                "Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /outpost.goauthentik.io must be routed to the outpost (when using a managed outpost, this is done for you).",
-            )}
-        </p>
-        <ak-text-input
-            name="externalHost"
-            label=${msg("External host")}
-            value="${ifDefined(provider?.externalHost)}"
-            required
-            .errorMessages=${errors?.externalHost ?? []}
-            help=${msg(
-                "The external URL you'll access the application at. Include any non-standard port.",
-            )}
-        ></ak-text-input>`;
-}
-
-function renderForwardDomainSettings(provider: Partial<ProxyProvider>, errors?: ValidationError) {
-    return html`<p class="pf-u-mb-xl">
-            ${msg(
-                "Use this provider with nginx's auth_request or traefik's forwardAuth. Only a single provider is required per root domain. You can't do per-application authorization, but you don't have to create a provider for each application.",
-            )}
-        </p>
-        <div class="pf-u-mb-xl">
-            ${msg("An example setup can look like this:")}
-            <ul class="pf-c-list">
-                <li>${msg("authentik running on auth.example.com")}</li>
-                <li>${msg("app1 running on app1.example.com")}</li>
-            </ul>
-            ${msg(
-                "In this case, you'd set the Authentication URL to auth.example.com and Cookie domain to example.com.",
-            )}
-        </div>
-
-        <ak-text-input
-            name="externalHost"
-            label=${msg("Authentication URL")}
-            value="${provider?.externalHost ?? window.location.origin}"
-            required
-            .errorMessages=${errors?.externalHost ?? []}
-            help=${msg(
-                "The external URL you'll authenticate at. The authentik core server should be reachable under this URL.",
-            )}
-        ></ak-text-input>
-
-        <ak-text-input
-            label=${msg("Cookie domain")}
-            name="cookieDomain"
-            value="${ifDefined(provider?.cookieDomain)}"
-            required
-            .errorMessages=${errors?.cookieDomain ?? []}
-            help=${msg(
-                "Set this to the domain you wish the authentication to be valid for. Must be a parent domain of the URL above. If you're running applications as app1.domain.tld, app2.domain.tld, set this to 'domain.tld'.",
-            )}
-        ></ak-text-input> `;
-}
-
-type StrictProxyMode = Omit<ProxyMode, "11184809">;
-
-function renderSettings(provider: Partial<ProxyProvider>, mode: ProxyMode) {
-    return match(mode as StrictProxyMode)
-        .with(ProxyMode.Proxy, () => renderProxySettings(provider))
-        .with(ProxyMode.ForwardSingle, () => renderForwardSingleSettings(provider))
-        .with(ProxyMode.ForwardDomain, () => renderForwardDomainSettings(provider))
-        .otherwise(() => {
-            throw new Error("Unrecognized proxy mode");
-        });
-}
-
-export function renderForm(
-    provider: Partial<ProxyProvider> = {},
-    errors: ValidationError = {},
-    args: ProxyModeExtraArgs,
-) {
-    const { mode, onSetMode, showHttpBasic, onSetShowHttpBasic } = args;
-
-    return html`
-        <ak-text-input
-            name="name"
-            value=${ifDefined(provider?.name)}
-            label=${msg("Name")}
-            .errorMessages=${errors?.name ?? []}
-            required
-        ></ak-text-input>
-
-        <ak-form-element-horizontal
-            label=${msg("Authorization flow")}
-            required
-            name="authorizationFlow"
-        >
-            <ak-flow-search
-                flowType=${FlowsInstancesListDesignationEnum.Authorization}
-                .currentFlow=${provider?.authorizationFlow}
-                required
-            ></ak-flow-search>
-            <p class="pf-c-form__helper-text">
-                ${msg("Flow used when authorizing this provider.")}
-            </p>
-        </ak-form-element-horizontal>
-
-        <div class="pf-c-card pf-m-selectable pf-m-selected">
-            <div class="pf-c-card__body">${renderModeSelector(mode, onSetMode)}</div>
-            <div class="pf-c-card__footer">${renderSettings(provider, mode)}</div>
-        </div>
-
-        <ak-text-input
-            label=${msg("Token validity")}
-            name="accessTokenValidity"
-            value="${provider?.accessTokenValidity ?? "hours=24"}"
-            .errorMessages=${errors?.accessTokenValidity ?? []}
-            required
-            .help=${msg("Configure how long tokens are valid for.")}
-        ></ak-text-input>
-
-        <ak-form-group>
-            <span slot="header">${msg("Advanced protocol settings")}</span>
-            <div slot="body" class="pf-c-form">
-                <ak-form-element-horizontal label=${msg("Certificate")} name="certificate">
-                    <ak-crypto-certificate-search
-                        .certificate=${provider?.certificate}
-                    ></ak-crypto-certificate-search>
-                </ak-form-element-horizontal>
-                <ak-form-element-horizontal
-                    label=${msg("Additional scopes")}
-                    name="propertyMappings"
-                >
-                    <ak-dual-select-dynamic-selected
-                        .provider=${proxyPropertyMappingsProvider}
-                        .selector=${makeProxyPropertyMappingsSelector(provider?.propertyMappings)}
-                        available-label="${msg("Available Scopes")}"
-                        selected-label="${msg("Selected Scopes")}"
-                    ></ak-dual-select-dynamic-selected>
-                    <p class="pf-c-form__helper-text">
-                        ${msg("Additional scope mappings, which are passed to the proxy.")}
-                    </p>
-                </ak-form-element-horizontal>
-
-                <ak-form-element-horizontal
-                    label="${mode === ProxyMode.ForwardDomain
-                        ? msg("Unauthenticated URLs")
-                        : msg("Unauthenticated Paths")}"
-                    name="skipPathRegex"
-                >
-                    <textarea class="pf-c-form-control">${provider?.skipPathRegex}</textarea>
-                    <p class="pf-c-form__helper-text">
-                        ${msg(
-                            "Regular expressions for which authentication is not required. Each new line is interpreted as a new expression.",
-                        )}
-                    </p>
-                    <p class="pf-c-form__helper-text">
-                        ${msg(
-                            "When using proxy or forward auth (single application) mode, the requested URL Path is checked against the regular expressions. When using forward auth (domain mode), the full requested URL including scheme and host is matched against the regular expressions.",
-                        )}
-                    </p>
-                </ak-form-element-horizontal>
-            </div>
-        </ak-form-group>
-        <ak-form-group>
-            <span slot="header">${msg("Authentication settings")}</span>
-            <div slot="body" class="pf-c-form">
-                <ak-switch-input
-                    name="interceptHeaderAuth"
-                    label=${msg("Intercept header authentication")}
-                    ?checked=${provider?.interceptHeaderAuth ?? true}
-                    help=${msg(
-                        "When enabled, authentik will intercept the Authorization header to authenticate the request.",
-                    )}
-                >
-                </ak-switch-input>
-
-                <ak-switch-input
-                    name="basicAuthEnabled"
-                    label=${msg("Send HTTP-Basic Authentication")}
-                    ?checked=${provider?.basicAuthEnabled ?? false}
-                    help=${msg(
-                        "Send a custom HTTP-Basic Authentication header based on values from authentik.",
-                    )}
-                    @change=${onSetShowHttpBasic}
-                >
-                </ak-switch-input>
-
-                ${showHttpBasic ? renderHttpBasic(provider) : nothing}
-                <ak-form-element-horizontal label=${msg("Trusted OIDC Sources")} name="jwksSources">
-                    <ak-dual-select-dynamic-selected
-                        .provider=${oauth2SourcesProvider}
-                        .selector=${makeSourceSelector(provider?.jwksSources)}
-                        available-label=${msg("Available Sources")}
-                        selected-label=${msg("Selected Sources")}
-                    ></ak-dual-select-dynamic-selected>
-                    <p class="pf-c-form__helper-text">
-                        ${msg(
-                            "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider.",
-                        )}
-                    </p>
-                </ak-form-element-horizontal>
-            </div>
-        </ak-form-group>
-
-        <ak-form-group>
-            <span slot="header"> ${msg("Advanced flow settings")} </span>
-            <div slot="body" class="pf-c-form">
-                <ak-form-element-horizontal
-                    label=${msg("Authentication flow")}
-                    name="authenticationFlow"
-                >
-                    <ak-flow-search
-                        flowType=${FlowsInstancesListDesignationEnum.Authentication}
-                        .currentFlow=${provider?.authenticationFlow}
-                    ></ak-flow-search>
-                    <p class="pf-c-form__helper-text">
-                        ${msg(
-                            "Flow used when a user access this provider and is not authenticated.",
-                        )}
-                    </p>
-                </ak-form-element-horizontal>
-                <ak-form-element-horizontal
-                    label=${msg("Invalidation flow")}
-                    name="invalidationFlow"
-                    required
-                >
-                    <ak-flow-search
-                        flowType=${FlowsInstancesListDesignationEnum.Invalidation}
-                        .currentFlow=${provider?.invalidationFlow}
-                        defaultFlowSlug="default-provider-invalidation-flow"
-                        required
-                    ></ak-flow-search>
-                    <p class="pf-c-form__helper-text">
-                        ${msg("Flow used when logging out of this provider.")}
-                    </p>
-                </ak-form-element-horizontal>
-            </div>
-        </ak-form-group>
-    `;
-}
--- a/web/src/admin/providers/radius/RadiusProviderForm.ts
+++ b/web/src/admin/providers/radius/RadiusProviderForm.ts
@ -1,12 +1,48 @@
+import "@goauthentik/admin/common/ak-flow-search/ak-branded-flow-search";
+import "@goauthentik/admin/common/ak-flow-search/ak-flow-search";
 import { BaseProviderForm } from "@goauthentik/admin/providers/BaseProviderForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import { ascii_letters, digits, first, randomString } from "@goauthentik/common/utils";
 import { WithBrandConfig } from "@goauthentik/elements/Interface/brandProvider";
+import { DualSelectPair } from "@goauthentik/elements/ak-dual-select/types";
+import "@goauthentik/elements/forms/FormGroup";
+import "@goauthentik/elements/forms/HorizontalFormElement";
+import "@goauthentik/elements/forms/SearchSelect";

+import { msg } from "@lit/localize";
+import { TemplateResult, html } from "lit";
+import { ifDefined } from "lit-html/directives/if-defined.js";
 import { customElement } from "lit/decorators.js";

-import { ProvidersApi, RadiusProvider } from "@goauthentik/api";
+import {
+    FlowsInstancesListDesignationEnum,
+    PropertymappingsApi,
+    ProvidersApi,
+    RadiusProvider,
+    RadiusProviderPropertyMapping,
+} from "@goauthentik/api";

-import { renderForm } from "./RadiusProviderFormForm.js";
+export async function radiusPropertyMappingsProvider(page = 1, search = "") {
+    const propertyMappings = await new PropertymappingsApi(
+        DEFAULT_CONFIG,
+    ).propertymappingsProviderRadiusList({
+        ordering: "name",
+        pageSize: 20,
+        search: search.trim(),
+        page,
+    });
+    return {
+        pagination: propertyMappings.pagination,
+        options: propertyMappings.results.map((m) => [m.pk, m.name, m.name, m]),
+    };
+}
+
+export function makeRadiusPropertyMappingsSelector(instanceMappings?: string[]) {
+    const localMappings = instanceMappings ? new Set(instanceMappings) : undefined;
+    return localMappings
+        ? ([pk, _]: DualSelectPair) => localMappings.has(pk)
+        : ([_0, _1, _2, _]: DualSelectPair<RadiusProviderPropertyMapping>) => [];
+}

@customElement("ak-provider-radius-form")
 export class RadiusProviderFormPage extends WithBrandConfig(BaseProviderForm<RadiusProvider>) {
@ -29,8 +65,127 @@ export class RadiusProviderFormPage extends WithBrandConfig(BaseProviderForm<Rad
        }
    }

-    renderForm() {
-        return renderForm(this.instance ?? {}, [], this.brand);
+    // All Provider objects have an Authorization flow, but not all providers have an Authentication
+    // flow. Radius needs only one field, but it is not the Authorization field, it is an
+    // Authentication field. So, yeah, we're using the authorization field to store the
+    // authentication information, which is why the ak-branded-flow-search call down there looks so
+    // weird-- we're looking up Authentication flows, but we're storing them in the Authorization
+    // field of the target Provider.
+    renderForm(): TemplateResult {
+        return html`
+            <ak-form-element-horizontal label=${msg("Name")} required name="name">
+                <input
+                    type="text"
+                    value="${ifDefined(this.instance?.name)}"
+                    class="pf-c-form-control"
+                    required
+                />
+            </ak-form-element-horizontal>
+            <ak-form-element-horizontal
+                label=${msg("Authentication flow")}
+                required
+                name="authorizationFlow"
+            >
+                <ak-branded-flow-search
+                    flowType=${FlowsInstancesListDesignationEnum.Authentication}
+                    .currentFlow=${this.instance?.authorizationFlow}
+                    .brandFlow=${this.brand?.flowAuthentication}
+                    required
+                ></ak-branded-flow-search>
+                <p class="pf-c-form__helper-text">${msg("Flow used for users to authenticate.")}</p>
+            </ak-form-element-horizontal>
+            <ak-form-element-horizontal name="mfaSupport">
+                <label class="pf-c-switch">
+                    <input
+                        class="pf-c-switch__input"
+                        type="checkbox"
+                        ?checked=${first(this.instance?.mfaSupport, true)}
+                    />
+                    <span class="pf-c-switch__toggle">
+                        <span class="pf-c-switch__toggle-icon">
+                            <i class="fas fa-check" aria-hidden="true"></i>
+                        </span>
+                    </span>
+                    <span class="pf-c-switch__label">${msg("Code-based MFA Support")}</span>
+                </label>
+                <p class="pf-c-form__helper-text">
+                    ${msg(
+                        "When enabled, code-based multi-factor authentication can be used by appending a semicolon and the TOTP code to the password. This should only be enabled if all users that will bind to this provider have a TOTP device configured, as otherwise a password may incorrectly be rejected if it contains a semicolon.",
+                    )}
+                </p>
+            </ak-form-element-horizontal>
+
+            <ak-form-group expanded>
+                <span slot="header"> ${msg("Protocol settings")} </span>
+                <div slot="body" class="pf-c-form">
+                    <ak-form-element-horizontal
+                        label=${msg("Shared secret")}
+                        required
+                        name="sharedSecret"
+                    >
+                        <input
+                            type="text"
+                            value="${first(
+                                this.instance?.sharedSecret,
+                                randomString(128, ascii_letters + digits),
+                            )}"
+                            class="pf-c-form-control"
+                            required
+                        />
+                    </ak-form-element-horizontal>
+                    <ak-form-element-horizontal
+                        label=${msg("Client Networks")}
+                        required
+                        name="clientNetworks"
+                    >
+                        <input
+                            type="text"
+                            value="${first(this.instance?.clientNetworks, "0.0.0.0/0, ::/0")}"
+                            class="pf-c-form-control"
+                            required
+                        />
+                        <p class="pf-c-form__helper-text">
+                            ${msg(`List of CIDRs (comma-seperated) that clients can connect from. A more specific
+                            CIDR will match before a looser one. Clients connecting from a non-specified CIDR
+                            will be dropped.`)}
+                        </p>
+                    </ak-form-element-horizontal>
+                    <ak-form-element-horizontal
+                        label=${msg("Property mappings")}
+                        name="propertyMappings"
+                    >
+                        <ak-dual-select-dynamic-selected
+                            .provider=${radiusPropertyMappingsProvider}
+                            .selector=${makeRadiusPropertyMappingsSelector(
+                                this.instance?.propertyMappings,
+                            )}
+                            available-label=${msg("Available Property Mappings")}
+                            selected-label=${msg("Selected Property Mappings")}
+                        ></ak-dual-select-dynamic-selected>
+                    </ak-form-element-horizontal>
+                </div>
+            </ak-form-group>
+            <ak-form-group>
+                <span slot="header"> ${msg("Advanced flow settings")} </span>
+                <div slot="body" class="pf-c-form">
+                    <ak-form-element-horizontal
+                        label=${msg("Invalidation flow")}
+                        name="invalidationFlow"
+                        required
+                    >
+                        <ak-flow-search
+                            flowType=${FlowsInstancesListDesignationEnum.Invalidation}
+                            .currentFlow=${this.instance?.invalidationFlow}
+                            defaultFlowSlug="default-provider-invalidation-flow"
+                            required
+                        ></ak-flow-search>
+                        <p class="pf-c-form__helper-text">
+                            ${msg("Flow used when logging out of this provider.")}
+                        </p>
+                    </ak-form-element-horizontal>
+                </div></ak-form-group
+            >
+        `;
    }
 }

--- a/web/src/admin/providers/radius/RadiusProviderFormForm.ts
+++ b/web/src/admin/providers/radius/RadiusProviderFormForm.ts
@ -1,154 +0,0 @@
-import "@goauthentik/admin/common/ak-flow-search/ak-branded-flow-search";
-import "@goauthentik/admin/common/ak-flow-search/ak-flow-search";
-import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
-import { ascii_letters, digits, first, randomString } from "@goauthentik/common/utils";
-import { DualSelectPair } from "@goauthentik/elements/ak-dual-select/types";
-import "@goauthentik/elements/forms/FormGroup";
-import "@goauthentik/elements/forms/HorizontalFormElement";
-import "@goauthentik/elements/forms/SearchSelect";
-
-import { msg } from "@lit/localize";
-import { html } from "lit";
-import { ifDefined } from "lit/directives/if-defined.js";
-
-import {
-    CurrentBrand,
-    FlowsInstancesListDesignationEnum,
-    PropertymappingsApi,
-    RadiusProvider,
-    RadiusProviderPropertyMapping,
-    ValidationError,
-} from "@goauthentik/api";
-
-export async function radiusPropertyMappingsProvider(page = 1, search = "") {
-    const propertyMappings = await new PropertymappingsApi(
-        DEFAULT_CONFIG,
-    ).propertymappingsProviderRadiusList({
-        ordering: "name",
-        pageSize: 20,
-        search: search.trim(),
-        page,
-    });
-    return {
-        pagination: propertyMappings.pagination,
-        options: propertyMappings.results.map((m) => [m.pk, m.name, m.name, m]),
-    };
-}
-
-export function makeRadiusPropertyMappingsSelector(instanceMappings?: string[]) {
-    const localMappings = instanceMappings ? new Set(instanceMappings) : undefined;
-    return localMappings
-        ? ([pk, _]: DualSelectPair) => localMappings.has(pk)
-        : ([_0, _1, _2, _]: DualSelectPair<RadiusProviderPropertyMapping>) => [];
-}
-
-const mfaSupportHelp = msg(
-    "When enabled, code-based multi-factor authentication can be used by appending a semicolon and the TOTP code to the password. This should only be enabled if all users that will bind to this provider have a TOTP device configured, as otherwise a password may incorrectly be rejected if it contains a semicolon.",
-);
-
-const clientNetworksHelp = msg(
-    "List of CIDRs (comma-seperated) that clients can connect from. A more specific CIDR will match before a looser one. Clients connecting from a non-specified CIDR will be dropped.",
-);
-
-// All Provider objects have an Authorization flow, but not all providers have an Authentication
-// flow. Radius needs only one field, but it is not the Authorization field, it is an
-// Authentication field. So, yeah, we're using the authorization field to store the
-// authentication information, which is why the ak-branded-flow-search call down there looks so
-// weird-- we're looking up Authentication flows, but we're storing them in the Authorization
-// field of the target Provider.
-
-export function renderForm(
-    provider?: Partial<RadiusProvider>,
-    errors: ValidationError = {},
-    brand?: CurrentBrand,
-) {
-    return html`
-        <ak-text-input
-            name="name"
-            label=${msg("Name")}
-            value=${ifDefined(provider?.name)}
-            .errorMessages=${errors?.name ?? []}
-            required
-        >
-        </ak-text-input>
-
-        <ak-form-element-horizontal
-            label=${msg("Authentication flow")}
-            ?required=${true}
-            name="authorizationFlow"
-            .errorMessages=${errors?.authorizationFlow ?? []}
-        >
-            <ak-branded-flow-search
-                flowType=${FlowsInstancesListDesignationEnum.Authentication}
-                .currentFlow=${provider?.authorizationFlow}
-                .brandFlow=${brand?.flowAuthentication}
-                required
-            ></ak-branded-flow-search>
-            <p class="pf-c-form__helper-text">${msg("Flow used for users to authenticate.")}</p>
-        </ak-form-element-horizontal>
-
-        <ak-switch-input
-            name="mfaSupport"
-            label=${msg("Code-based MFA Support")}
-            ?checked=${provider?.mfaSupport ?? true}
-            help=${mfaSupportHelp}
-        >
-        </ak-switch-input>
-
-        <ak-form-group expanded>
-            <span slot="header"> ${msg("Protocol settings")} </span>
-            <div slot="body" class="pf-c-form">
-                <ak-text-input
-                    name="sharedSecret"
-                    label=${msg("Shared secret")}
-                    .errorMessages=${errors?.sharedSecret ?? []}
-                    value=${first(
-                        provider?.sharedSecret,
-                        randomString(128, ascii_letters + digits),
-                    )}
-                    required
-                ></ak-text-input>
-                <ak-text-input
-                    name="clientNetworks"
-                    label=${msg("Client Networks")}
-                    value=${first(provider?.clientNetworks, "0.0.0.0/0, ::/0")}
-                    .errorMessages=${errors?.clientNetworks ?? []}
-                    required
-                    help=${clientNetworksHelp}
-                ></ak-text-input>
-                <ak-form-element-horizontal
-                    label=${msg("Property mappings")}
-                    name="propertyMappings"
-                >
-                    <ak-dual-select-dynamic-selected
-                        .provider=${radiusPropertyMappingsProvider}
-                        .selector=${makeRadiusPropertyMappingsSelector(provider?.propertyMappings)}
-                        available-label=${msg("Available Property Mappings")}
-                        selected-label=${msg("Selected Property Mappings")}
-                    ></ak-dual-select-dynamic-selected>
-                </ak-form-element-horizontal>
-            </div>
-        </ak-form-group>
-        <ak-form-group>
-            <span slot="header"> ${msg("Advanced flow settings")} </span>
-            <div slot="body" class="pf-c-form">
-                <ak-form-element-horizontal
-                    label=${msg("Invalidation flow")}
-                    name="invalidationFlow"
-                    required
-                >
-                    <ak-flow-search
-                        flowType=${FlowsInstancesListDesignationEnum.Invalidation}
-                        .currentFlow=${provider?.invalidationFlow}
-                        .errorMessages=${errors?.invalidationFlow ?? []}
-                        defaultFlowSlug="default-invalidation-flow"
-                        required
-                    ></ak-flow-search>
-                    <p class="pf-c-form__helper-text">
-                        ${msg("Flow used when logging out of this provider.")}
-                    </p>
-                </ak-form-element-horizontal>
-            </div></ak-form-group
-        >
-    `;
-}
--- a/web/src/admin/providers/saml/SAMLProviderForm.ts
+++ b/web/src/admin/providers/saml/SAMLProviderForm.ts
@ -1,12 +1,58 @@
-import { type AkCryptoCertificateSearch } from "@goauthentik/admin/common/ak-crypto-certificate-search";
+import {
+    digestAlgorithmOptions,
+    signatureAlgorithmOptions,
+} from "@goauthentik/admin/applications/wizard/methods/saml/SamlProviderOptions";
+import "@goauthentik/admin/common/ak-crypto-certificate-search";
+import AkCryptoCertificateSearch from "@goauthentik/admin/common/ak-crypto-certificate-search";
+import "@goauthentik/admin/common/ak-flow-search/ak-flow-search";
 import { BaseProviderForm } from "@goauthentik/admin/providers/BaseProviderForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import { first } from "@goauthentik/common/utils";
+import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
+import { DualSelectPair } from "@goauthentik/elements/ak-dual-select/types.js";
+import "@goauthentik/elements/forms/FormGroup";
+import "@goauthentik/elements/forms/HorizontalFormElement";
+import "@goauthentik/elements/forms/Radio";
+import "@goauthentik/elements/forms/SearchSelect";
+import "@goauthentik/elements/utils/TimeDeltaHelp";

+import { msg } from "@lit/localize";
+import { TemplateResult, html, nothing } from "lit";
 import { customElement, state } from "lit/decorators.js";
+import { ifDefined } from "lit/directives/if-defined.js";

-import { ProvidersApi, SAMLProvider } from "@goauthentik/api";
+import {
+    FlowsInstancesListDesignationEnum,
+    PropertymappingsApi,
+    PropertymappingsProviderSamlListRequest,
+    ProvidersApi,
+    SAMLPropertyMapping,
+    SAMLProvider,
+    SpBindingEnum,
+} from "@goauthentik/api";

-import { renderForm } from "./SAMLProviderFormForm.js";
+export async function samlPropertyMappingsProvider(page = 1, search = "") {
+    const propertyMappings = await new PropertymappingsApi(
+        DEFAULT_CONFIG,
+    ).propertymappingsProviderSamlList({
+        ordering: "saml_name",
+        pageSize: 20,
+        search: search.trim(),
+        page,
+    });
+    return {
+        pagination: propertyMappings.pagination,
+        options: propertyMappings.results.map((m) => [m.pk, m.name, m.name, m]),
+    };
+}
+
+export function makeSAMLPropertyMappingsSelector(instanceMappings?: string[]) {
+    const localMappings = instanceMappings ? new Set(instanceMappings) : undefined;
+    return localMappings
+        ? ([pk, _]: DualSelectPair) => localMappings.has(pk)
+        : ([_0, _1, _2, mapping]: DualSelectPair<SAMLPropertyMapping>) =>
+              mapping?.managed?.startsWith("goauthentik.io/providers/saml");
+}

@customElement("ak-provider-saml-form")
 export class SAMLProviderFormPage extends BaseProviderForm<SAMLProvider> {
@ -34,14 +80,368 @@ export class SAMLProviderFormPage extends BaseProviderForm<SAMLProvider> {
        }
    }

-    renderForm() {
-        const setHasSigningKp = (ev: InputEvent) => {
-            const target = ev.target as AkCryptoCertificateSearch;
-            if (!target) return;
-            this.hasSigningKp = !!target.selectedKeypair;
-        };
+    renderForm(): TemplateResult {
+        return html` <ak-form-element-horizontal label=${msg("Name")} ?required=${true} name="name">
+                <input
+                    type="text"
+                    value="${ifDefined(this.instance?.name)}"
+                    class="pf-c-form-control"
+                    required
+                />
+            </ak-form-element-horizontal>
+            <ak-form-element-horizontal
+                label=${msg("Authorization flow")}
+                required
+                name="authorizationFlow"
+            >
+                <ak-flow-search
+                    flowType=${FlowsInstancesListDesignationEnum.Authorization}
+                    .currentFlow=${this.instance?.authorizationFlow}
+                    required
+                ></ak-flow-search>
+                <p class="pf-c-form__helper-text">
+                    ${msg("Flow used when authorizing this provider.")}
+                </p>
+            </ak-form-element-horizontal>

-        return renderForm(this.instance ?? {}, [], setHasSigningKp, this.hasSigningKp);
+            <ak-form-group .expanded=${true}>
+                <span slot="header"> ${msg("Protocol settings")} </span>
+                <div slot="body" class="pf-c-form">
+                    <ak-form-element-horizontal
+                        label=${msg("ACS URL")}
+                        ?required=${true}
+                        name="acsUrl"
+                    >
+                        <input
+                            type="text"
+                            value="${ifDefined(this.instance?.acsUrl)}"
+                            class="pf-c-form-control"
+                            required
+                        />
+                    </ak-form-element-horizontal>
+                    <ak-form-element-horizontal
+                        label=${msg("Issuer")}
+                        ?required=${true}
+                        name="issuer"
+                    >
+                        <input
+                            type="text"
+                            value="${this.instance?.issuer || "authentik"}"
+                            class="pf-c-form-control"
+                            required
+                        />
+                        <p class="pf-c-form__helper-text">${msg("Also known as EntityID.")}</p>
+                    </ak-form-element-horizontal>
+                    <ak-form-element-horizontal
+                        label=${msg("Service Provider Binding")}
+                        ?required=${true}
+                        name="spBinding"
+                    >
+                        <ak-radio
+                            .options=${[
+                                {
+                                    label: msg("Redirect"),
+                                    value: SpBindingEnum.Redirect,
+                                    default: true,
+                                },
+                                {
+                                    label: msg("Post"),
+                                    value: SpBindingEnum.Post,
+                                },
+                            ]}
+                            .value=${this.instance?.spBinding}
+                        >
+                        </ak-radio>
+                        <p class="pf-c-form__helper-text">
+                            ${msg(
+                                "Determines how authentik sends the response back to the Service Provider.",
+                            )}
+                        </p>
+                    </ak-form-element-horizontal>
+                    <ak-form-element-horizontal label=${msg("Audience")} name="audience">
+                        <input
+                            type="text"
+                            value="${ifDefined(this.instance?.audience)}"
+                            class="pf-c-form-control"
+                        />
+                    </ak-form-element-horizontal>
+                </div>
+            </ak-form-group>
+
+            <ak-form-group>
+                <span slot="header"> ${msg("Advanced flow settings")} </span>
+                <div slot="body" class="pf-c-form">
+                    <ak-form-element-horizontal
+                        label=${msg("Authentication flow")}
+                        ?required=${false}
+                        name="authenticationFlow"
+                    >
+                        <ak-flow-search
+                            flowType=${FlowsInstancesListDesignationEnum.Authentication}
+                            .currentFlow=${this.instance?.authenticationFlow}
+                        ></ak-flow-search>
+                        <p class="pf-c-form__helper-text">
+                            ${msg(
+                                "Flow used when a user access this provider and is not authenticated.",
+                            )}
+                        </p>
+                    </ak-form-element-horizontal>
+                    <ak-form-element-horizontal
+                        label=${msg("Invalidation flow")}
+                        name="invalidationFlow"
+                        required
+                    >
+                        <ak-flow-search
+                            flowType=${FlowsInstancesListDesignationEnum.Invalidation}
+                            .currentFlow=${this.instance?.invalidationFlow}
+                            defaultFlowSlug="default-provider-invalidation-flow"
+                            required
+                        ></ak-flow-search>
+                        <p class="pf-c-form__helper-text">
+                            ${msg("Flow used when logging out of this provider.")}
+                        </p>
+                    </ak-form-element-horizontal>
+                </div>
+            </ak-form-group>
+
+            <ak-form-group>
+                <span slot="header"> ${msg("Advanced protocol settings")} </span>
+                <div slot="body" class="pf-c-form">
+                    <ak-form-element-horizontal
+                        label=${msg("Signing Certificate")}
+                        name="signingKp"
+                    >
+                        <ak-crypto-certificate-search
+                            .certificate=${this.instance?.signingKp}
+                            @input=${(ev: InputEvent) => {
+                                const target = ev.target as AkCryptoCertificateSearch;
+                                if (!target) return;
+                                this.hasSigningKp = !!target.selectedKeypair;
+                            }}
+                        ></ak-crypto-certificate-search>
+                        <p class="pf-c-form__helper-text">
+                            ${msg(
+                                "Certificate used to sign outgoing Responses going to the Service Provider.",
+                            )}
+                        </p>
+                    </ak-form-element-horizontal>
+                    ${this.hasSigningKp
+                        ? html` <ak-form-element-horizontal name="signAssertion">
+                                  <label class="pf-c-switch">
+                                      <input
+                                          class="pf-c-switch__input"
+                                          type="checkbox"
+                                          ?checked=${first(this.instance?.signAssertion, true)}
+                                      />
+                                      <span class="pf-c-switch__toggle">
+                                          <span class="pf-c-switch__toggle-icon">
+                                              <i class="fas fa-check" aria-hidden="true"></i>
+                                          </span>
+                                      </span>
+                                      <span class="pf-c-switch__label"
+                                          >${msg("Sign assertions")}</span
+                                      >
+                                  </label>
+                                  <p class="pf-c-form__helper-text">
+                                      ${msg(
+                                          "When enabled, the assertion element of the SAML response will be signed.",
+                                      )}
+                                  </p>
+                              </ak-form-element-horizontal>
+                              <ak-form-element-horizontal name="signResponse">
+                                  <label class="pf-c-switch">
+                                      <input
+                                          class="pf-c-switch__input"
+                                          type="checkbox"
+                                          ?checked=${first(this.instance?.signResponse, false)}
+                                      />
+                                      <span class="pf-c-switch__toggle">
+                                          <span class="pf-c-switch__toggle-icon">
+                                              <i class="fas fa-check" aria-hidden="true"></i>
+                                          </span>
+                                      </span>
+                                      <span class="pf-c-switch__label"
+                                          >${msg("Sign responses")}</span
+                                      >
+                                  </label>
+                                  <p class="pf-c-form__helper-text">
+                                      ${msg(
+                                          "When enabled, the assertion element of the SAML response will be signed.",
+                                      )}
+                                  </p>
+                              </ak-form-element-horizontal>`
+                        : nothing}
+                    <ak-form-element-horizontal
+                        label=${msg("Verification Certificate")}
+                        name="verificationKp"
+                    >
+                        <ak-crypto-certificate-search
+                            .certificate=${this.instance?.verificationKp}
+                            nokey
+                        ></ak-crypto-certificate-search>
+                        <p class="pf-c-form__helper-text">
+                            ${msg(
+                                "When selected, incoming assertion's Signatures will be validated against this certificate. To allow unsigned Requests, leave on default.",
+                            )}
+                        </p>
+                    </ak-form-element-horizontal>
+                    <ak-form-element-horizontal
+                        label=${msg("Encryption Certificate")}
+                        name="encryptionKp"
+                    >
+                        <ak-crypto-certificate-search
+                            .certificate=${this.instance?.encryptionKp}
+                        ></ak-crypto-certificate-search>
+                        <p class="pf-c-form__helper-text">
+                            ${msg(
+                                "When selected, assertions will be encrypted using this keypair.",
+                            )}
+                        </p>
+                    </ak-form-element-horizontal>
+                    <ak-form-element-horizontal
+                        label=${msg("Property mappings")}
+                        name="propertyMappings"
+                    >
+                        <ak-dual-select-dynamic-selected
+                            .provider=${samlPropertyMappingsProvider}
+                            .selector=${makeSAMLPropertyMappingsSelector(
+                                this.instance?.propertyMappings,
+                            )}
+                            available-label=${msg("Available User Property Mappings")}
+                            selected-label=${msg("Selected User Property Mappings")}
+                        ></ak-dual-select-dynamic-selected>
+                    </ak-form-element-horizontal>
+                    <ak-form-element-horizontal
+                        label=${msg("NameID Property Mapping")}
+                        name="nameIdMapping"
+                    >
+                        <ak-search-select
+                            .fetchObjects=${async (
+                                query?: string,
+                            ): Promise<SAMLPropertyMapping[]> => {
+                                const args: PropertymappingsProviderSamlListRequest = {
+                                    ordering: "saml_name",
+                                };
+                                if (query !== undefined) {
+                                    args.search = query;
+                                }
+                                const items = await new PropertymappingsApi(
+                                    DEFAULT_CONFIG,
+                                ).propertymappingsProviderSamlList(args);
+                                return items.results;
+                            }}
+                            .renderElement=${(item: SAMLPropertyMapping): string => {
+                                return item.name;
+                            }}
+                            .value=${(
+                                item: SAMLPropertyMapping | undefined,
+                            ): string | undefined => {
+                                return item?.pk;
+                            }}
+                            .selected=${(item: SAMLPropertyMapping): boolean => {
+                                return this.instance?.nameIdMapping === item.pk;
+                            }}
+                            ?blankable=${true}
+                        >
+                        </ak-search-select>
+                        <p class="pf-c-form__helper-text">
+                            ${msg(
+                                "Configure how the NameID value will be created. When left empty, the NameIDPolicy of the incoming request will be respected.",
+                            )}
+                        </p>
+                    </ak-form-element-horizontal>
+
+                    <ak-form-element-horizontal
+                        label=${msg("Assertion valid not before")}
+                        ?required=${true}
+                        name="assertionValidNotBefore"
+                    >
+                        <input
+                            type="text"
+                            value="${this.instance?.assertionValidNotBefore || "minutes=-5"}"
+                            class="pf-c-form-control"
+                            required
+                        />
+                        <p class="pf-c-form__helper-text">
+                            ${msg("Configure the maximum allowed time drift for an assertion.")}
+                        </p>
+                        <ak-utils-time-delta-help></ak-utils-time-delta-help>
+                    </ak-form-element-horizontal>
+                    <ak-form-element-horizontal
+                        label=${msg("Assertion valid not on or after")}
+                        ?required=${true}
+                        name="assertionValidNotOnOrAfter"
+                    >
+                        <input
+                            type="text"
+                            value="${this.instance?.assertionValidNotOnOrAfter || "minutes=5"}"
+                            class="pf-c-form-control"
+                            required
+                        />
+                        <p class="pf-c-form__helper-text">
+                            ${msg("Assertion not valid on or after current time + this value.")}
+                        </p>
+                        <ak-utils-time-delta-help></ak-utils-time-delta-help>
+                    </ak-form-element-horizontal>
+                    <ak-form-element-horizontal
+                        label=${msg("Session valid not on or after")}
+                        ?required=${true}
+                        name="sessionValidNotOnOrAfter"
+                    >
+                        <input
+                            type="text"
+                            value="${this.instance?.sessionValidNotOnOrAfter || "minutes=86400"}"
+                            class="pf-c-form-control"
+                            required
+                        />
+                        <p class="pf-c-form__helper-text">
+                            ${msg("Session not valid on or after current time + this value.")}
+                        </p>
+                        <ak-utils-time-delta-help></ak-utils-time-delta-help>
+                    </ak-form-element-horizontal>
+                    <ak-form-element-horizontal
+                        label=${msg("Default relay state")}
+                        ?required=${true}
+                        name="defaultRelayState"
+                    >
+                        <input
+                            type="text"
+                            value="${this.instance?.defaultRelayState || ""}"
+                            class="pf-c-form-control"
+                            required
+                        />
+                        <p class="pf-c-form__helper-text">
+                            ${msg(
+                                "When using IDP-initiated logins, the relay state will be set to this value.",
+                            )}
+                        </p>
+                        <ak-utils-time-delta-help></ak-utils-time-delta-help>
+                    </ak-form-element-horizontal>
+
+                    <ak-form-element-horizontal
+                        label=${msg("Digest algorithm")}
+                        ?required=${true}
+                        name="digestAlgorithm"
+                    >
+                        <ak-radio
+                            .options=${digestAlgorithmOptions}
+                            .value=${this.instance?.digestAlgorithm}
+                        >
+                        </ak-radio>
+                    </ak-form-element-horizontal>
+                    <ak-form-element-horizontal
+                        label=${msg("Signature algorithm")}
+                        ?required=${true}
+                        name="signatureAlgorithm"
+                    >
+                        <ak-radio
+                            .options=${signatureAlgorithmOptions}
+                            .value=${this.instance?.signatureAlgorithm}
+                        >
+                        </ak-radio>
+                    </ak-form-element-horizontal>
+                </div>
+            </ak-form-group>`;
    }
 }

--- a/web/src/admin/providers/saml/SAMLProviderFormForm.ts
+++ b/web/src/admin/providers/saml/SAMLProviderFormForm.ts
@ -1,330 +0,0 @@
-import {
-    digestAlgorithmOptions,
-    signatureAlgorithmOptions,
-} from "@goauthentik/admin/applications/wizard/methods/saml/SamlProviderOptions";
-import "@goauthentik/admin/common/ak-crypto-certificate-search";
-import "@goauthentik/admin/common/ak-flow-search/ak-flow-search";
-import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
-import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
-import { DualSelectPair } from "@goauthentik/elements/ak-dual-select/types.js";
-import "@goauthentik/elements/forms/FormGroup";
-import "@goauthentik/elements/forms/HorizontalFormElement";
-import "@goauthentik/elements/forms/Radio";
-import "@goauthentik/elements/forms/SearchSelect";
-import "@goauthentik/elements/utils/TimeDeltaHelp";
-
-import { msg } from "@lit/localize";
-import { html, nothing } from "lit";
-import { ifDefined } from "lit/directives/if-defined.js";
-
-import {
-    FlowsInstancesListDesignationEnum,
-    PropertymappingsApi,
-    PropertymappingsProviderSamlListRequest,
-    SAMLPropertyMapping,
-    SAMLProvider,
-    SpBindingEnum,
-    ValidationError,
-} from "@goauthentik/api";
-
-export async function samlPropertyMappingsProvider(page = 1, search = "") {
-    const propertyMappings = await new PropertymappingsApi(
-        DEFAULT_CONFIG,
-    ).propertymappingsProviderSamlList({
-        ordering: "saml_name",
-        pageSize: 20,
-        search: search.trim(),
-        page,
-    });
-    return {
-        pagination: propertyMappings.pagination,
-        options: propertyMappings.results.map((m) => [m.pk, m.name, m.name, m]),
-    };
-}
-
-export function makeSAMLPropertyMappingsSelector(instanceMappings?: string[]) {
-    const localMappings = instanceMappings ? new Set(instanceMappings) : undefined;
-    return localMappings
-        ? ([pk, _]: DualSelectPair) => localMappings.has(pk)
-        : ([_0, _1, _2, mapping]: DualSelectPair<SAMLPropertyMapping>) =>
-              mapping?.managed?.startsWith("goauthentik.io/providers/saml");
-}
-
-const serviceProviderBindingOptions = [
-    {
-        label: msg("Redirect"),
-        value: SpBindingEnum.Redirect,
-        default: true,
-    },
-    {
-        label: msg("Post"),
-        value: SpBindingEnum.Post,
-    },
-];
-
-function renderHasSigningKp(provider?: Partial<SAMLProvider>) {
-    return html` <ak-switch-input
-            name="signAssertion"
-            label=${msg("Sign assertions")}
-            ?checked=${provider?.signAssertion ?? true}
-            help=${msg("When enabled, the assertion element of the SAML response will be signed.")}
-        >
-        </ak-switch-input>
-
-        <ak-switch-input
-            name="signResponse"
-            label=${msg("Sign responses")}
-            ?checked=${provider?.signResponse ?? false}
-            help=${msg("When enabled, the assertion element of the SAML response will be signed.")}
-        >
-        </ak-switch-input>`;
-}
-
-export function renderForm(
-    provider: Partial<SAMLProvider> = {},
-    errors: ValidationError,
-    setHasSigningKp: (ev: InputEvent) => void,
-    hasSigningKp: boolean,
-) {
-    return html` <ak-text-input
-            name="name"
-            value=${ifDefined(provider?.name)}
-            label=${msg("Name")}
-            required
-            .errorMessages=${errors?.name ?? []}
-        ></ak-text-input>
-        <ak-form-element-horizontal
-            name="authorizationFlow"
-            label=${msg("Authorization flow")}
-            required
-        >
-            <ak-flow-search
-                flowType=${FlowsInstancesListDesignationEnum.Authorization}
-                .currentFlow=${provider?.authorizationFlow}
-                required
-                .errorMessages=${errors?.authorizationFlow ?? []}
-            ></ak-flow-search>
-            <p class="pf-c-form__helper-text">
-                ${msg("Flow used when authorizing this provider.")}
-            </p>
-        </ak-form-element-horizontal>
-
-        <ak-form-group .expanded=${true}>
-            <span slot="header"> ${msg("Protocol settings")} </span>
-            <div slot="body" class="pf-c-form">
-                <ak-text-input
-                    name="acsUrl"
-                    label=${msg("ACS URL")}
-                    value="${ifDefined(provider?.acsUrl)}"
-                    required
-                    .errorMessages=${errors?.acsUrl ?? []}
-                ></ak-text-input>
-                <ak-text-input
-                    label=${msg("Issuer")}
-                    name="issuer"
-                    value="${provider?.issuer || "authentik"}"
-                    required
-                    .errorMessages=${errors?.issuer ?? []}
-                    help=${msg("Also known as EntityID.")}
-                ></ak-text-input>
-                <ak-radio-input
-                    label=${msg("Service Provider Binding")}
-                    name="spBinding"
-                    required
-                    .options=${serviceProviderBindingOptions}
-                    .value=${provider?.spBinding}
-                    help=${msg(
-                        "Determines how authentik sends the response back to the Service Provider.",
-                    )}
-                >
-                </ak-radio-input>
-                <ak-text-input
-                    name="audience"
-                    label=${msg("Audience")}
-                    value="${ifDefined(provider?.audience)}"
-                    .errorMessages=${errors?.audience ?? []}
-                ></ak-text-input>
-            </div>
-        </ak-form-group>
-
-        <ak-form-group>
-            <span slot="header"> ${msg("Advanced flow settings")} </span>
-            <div slot="body" class="pf-c-form">
-                <ak-form-element-horizontal
-                    label=${msg("Authentication flow")}
-                    ?required=${false}
-                    name="authenticationFlow"
-                >
-                    <ak-flow-search
-                        flowType=${FlowsInstancesListDesignationEnum.Authentication}
-                        .currentFlow=${provider?.authenticationFlow}
-                    ></ak-flow-search>
-                    <p class="pf-c-form__helper-text">
-                        ${msg(
-                            "Flow used when a user access this provider and is not authenticated.",
-                        )}
-                    </p>
-                </ak-form-element-horizontal>
-                <ak-form-element-horizontal
-                    label=${msg("Invalidation flow")}
-                    name="invalidationFlow"
-                    required
-                >
-                    <ak-flow-search
-                        flowType=${FlowsInstancesListDesignationEnum.Invalidation}
-                        .currentFlow=${provider?.invalidationFlow}
-                        defaultFlowSlug="default-provider-invalidation-flow"
-                        required
-                    ></ak-flow-search>
-                    <p class="pf-c-form__helper-text">
-                        ${msg("Flow used when logging out of this provider.")}
-                    </p>
-                </ak-form-element-horizontal>
-            </div>
-        </ak-form-group>
-
-        <ak-form-group>
-            <span slot="header"> ${msg("Advanced protocol settings")} </span>
-            <div slot="body" class="pf-c-form">
-                <ak-form-element-horizontal label=${msg("Signing Certificate")} name="signingKp">
-                    <ak-crypto-certificate-search
-                        .certificate=${provider?.signingKp}
-                        @input=${setHasSigningKp}
-                    ></ak-crypto-certificate-search>
-                    <p class="pf-c-form__helper-text">
-                        ${msg(
-                            "Certificate used to sign outgoing Responses going to the Service Provider.",
-                        )}
-                    </p>
-                </ak-form-element-horizontal>
-                ${hasSigningKp ? renderHasSigningKp(provider) : nothing}
-
-                <ak-form-element-horizontal
-                    label=${msg("Verification Certificate")}
-                    name="verificationKp"
-                >
-                    <ak-crypto-certificate-search
-                        .certificate=${provider?.verificationKp}
-                        nokey
-                    ></ak-crypto-certificate-search>
-                    <p class="pf-c-form__helper-text">
-                        ${msg(
-                            "When selected, incoming assertion's Signatures will be validated against this certificate. To allow unsigned Requests, leave on default.",
-                        )}
-                    </p>
-                </ak-form-element-horizontal>
-                <ak-form-element-horizontal
-                    label=${msg("Encryption Certificate")}
-                    name="encryptionKp"
-                >
-                    <ak-crypto-certificate-search
-                        .certificate=${provider?.encryptionKp}
-                    ></ak-crypto-certificate-search>
-                    <p class="pf-c-form__helper-text">
-                        ${msg("When selected, assertions will be encrypted using this keypair.")}
-                    </p>
-                </ak-form-element-horizontal>
-                <ak-form-element-horizontal
-                    label=${msg("Property mappings")}
-                    name="propertyMappings"
-                >
-                    <ak-dual-select-dynamic-selected
-                        .provider=${samlPropertyMappingsProvider}
-                        .selector=${makeSAMLPropertyMappingsSelector(provider?.propertyMappings)}
-                        available-label=${msg("Available User Property Mappings")}
-                        selected-label=${msg("Selected User Property Mappings")}
-                    ></ak-dual-select-dynamic-selected>
-                </ak-form-element-horizontal>
-                <ak-form-element-horizontal
-                    label=${msg("NameID Property Mapping")}
-                    name="nameIdMapping"
-                >
-                    <ak-search-select
-                        .fetchObjects=${async (query?: string): Promise<SAMLPropertyMapping[]> => {
-                            const args: PropertymappingsProviderSamlListRequest = {
-                                ordering: "saml_name",
-                            };
-                            if (query !== undefined) {
-                                args.search = query;
-                            }
-                            const items = await new PropertymappingsApi(
-                                DEFAULT_CONFIG,
-                            ).propertymappingsProviderSamlList(args);
-                            return items.results;
-                        }}
-                        .renderElement=${(item: SAMLPropertyMapping): string => {
-                            return item.name;
-                        }}
-                        .value=${(item: SAMLPropertyMapping | undefined): string | undefined => {
-                            return item?.pk;
-                        }}
-                        .selected=${(item: SAMLPropertyMapping): boolean => {
-                            return provider?.nameIdMapping === item.pk;
-                        }}
-                        ?blankable=${true}
-                    >
-                    </ak-search-select>
-                    <p class="pf-c-form__helper-text">
-                        ${msg(
-                            "Configure how the NameID value will be created. When left empty, the NameIDPolicy of the incoming request will be respected.",
-                        )}
-                    </p>
-                </ak-form-element-horizontal>
-
-                <ak-text-input
-                    name="assertionValidNotBefore"
-                    label=${msg("Assertion valid not before")}
-                    value="${provider?.assertionValidNotBefore || "minutes=-5"}"
-                    required
-                    .errorMessages=${errors?.assertionValidNotBefore ?? []}
-                    help=${msg("Configure the maximum allowed time drift for an assertion.")}
-                ></ak-text-input>
-
-                <ak-text-input
-                    name="assertionValidNotOnOrAfter"
-                    label=${msg("Assertion valid not on or after")}
-                    value="${provider?.assertionValidNotOnOrAfter || "minutes=5"}"
-                    required
-                    .errorMessages=${errors?.assertionValidNotBefore ?? []}
-                    help=${msg("Assertion not valid on or after current time + this value.")}
-                ></ak-text-input>
-
-                <ak-text-input
-                    name="sessionValidNotOnOrAfter"
-                    label=${msg("Session valid not on or after")}
-                    value="${provider?.sessionValidNotOnOrAfter || "minutes=86400"}"
-                    required
-                    .errorMessages=${errors?.sessionValidNotOnOrAfter ?? []}
-                    help=${msg("Session not valid on or after current time + this value.")}
-                ></ak-text-input>
-
-                <ak-text-input
-                    name="defaultRelayState"
-                    label=${msg("Default relay state")}
-                    value="${provider?.defaultRelayState || ""}"
-                    .errorMessages=${errors?.sessionValidNotOnOrAfter ?? []}
-                    help=${msg(
-                        "When using IDP-initiated logins, the relay state will be set to this value.",
-                    )}
-                ></ak-text-input>
-
-                <ak-radio-input
-                    name="digestAlgorithm"
-                    label=${msg("Digest algorithm")}
-                    .options=${digestAlgorithmOptions}
-                    .value=${provider?.digestAlgorithm}
-                    required
-                >
-                </ak-radio-input>
-
-                <ak-radio-input
-                    name="signatureAlgorithm"
-                    label=${msg("Signature algorithm")}
-                    .options=${signatureAlgorithmOptions}
-                    .value=${provider?.signatureAlgorithm}
-                    required
-                >
-                </ak-radio-input>
-            </div>
-        </ak-form-group>`;
-}
--- a/web/src/admin/providers/scim/SCIMProviderForm.ts
+++ b/web/src/admin/providers/scim/SCIMProviderForm.ts
@ -1,11 +1,53 @@
 import { BaseProviderForm } from "@goauthentik/admin/providers/BaseProviderForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import { first } from "@goauthentik/common/utils";
+import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
+import { DualSelectPair } from "@goauthentik/elements/ak-dual-select/types.js";
+import "@goauthentik/elements/forms/FormGroup";
+import "@goauthentik/elements/forms/HorizontalFormElement";
+import "@goauthentik/elements/forms/Radio";
+import "@goauthentik/elements/forms/SearchSelect";

+import { msg } from "@lit/localize";
+import { TemplateResult, html } from "lit";
 import { customElement } from "lit/decorators.js";
+import { ifDefined } from "lit/directives/if-defined.js";

-import { ProvidersApi, SCIMProvider } from "@goauthentik/api";
+import {
+    CoreApi,
+    CoreGroupsListRequest,
+    Group,
+    PropertymappingsApi,
+    ProvidersApi,
+    SCIMMapping,
+    SCIMProvider,
+} from "@goauthentik/api";

-import { renderForm } from "./SCIMProviderFormForm.js";
+export async function scimPropertyMappingsProvider(page = 1, search = "") {
+    const propertyMappings = await new PropertymappingsApi(
+        DEFAULT_CONFIG,
+    ).propertymappingsProviderScimList({
+        ordering: "managed",
+        pageSize: 20,
+        search: search.trim(),
+        page,
+    });
+    return {
+        pagination: propertyMappings.pagination,
+        options: propertyMappings.results.map((m) => [m.pk, m.name, m.name, m]),
+    };
+}
+
+export function makeSCIMPropertyMappingsSelector(
+    instanceMappings: string[] | undefined,
+    defaultSelected: string,
+) {
+    const localMappings = instanceMappings ? new Set(instanceMappings) : undefined;
+    return localMappings
+        ? ([pk, _]: DualSelectPair) => localMappings.has(pk)
+        : ([_0, _1, _2, mapping]: DualSelectPair<SCIMMapping>) =>
+              mapping?.managed === defaultSelected;
+}

@customElement("ak-provider-scim-form")
 export class SCIMProviderFormPage extends BaseProviderForm<SCIMProvider> {
@ -28,8 +70,156 @@ export class SCIMProviderFormPage extends BaseProviderForm<SCIMProvider> {
        }
    }

-    renderForm() {
-        return renderForm(this.instance ?? {}, []);
+    renderForm(): TemplateResult {
+        return html` <ak-form-element-horizontal label=${msg("Name")} ?required=${true} name="name">
+                <input
+                    type="text"
+                    value="${ifDefined(this.instance?.name)}"
+                    class="pf-c-form-control"
+                    required
+                />
+            </ak-form-element-horizontal>
+            <ak-form-group .expanded=${true}>
+                <span slot="header"> ${msg("Protocol settings")} </span>
+                <div slot="body" class="pf-c-form">
+                    <ak-form-element-horizontal label=${msg("URL")} ?required=${true} name="url">
+                        <input
+                            type="text"
+                            value="${first(this.instance?.url, "")}"
+                            class="pf-c-form-control"
+                            required
+                        />
+                        <p class="pf-c-form__helper-text">
+                            ${msg("SCIM base url, usually ends in /v2.")}
+                        </p>
+                    </ak-form-element-horizontal>
+                    <ak-form-element-horizontal name="verifyCertificates">
+                        <label class="pf-c-switch">
+                            <input
+                                class="pf-c-switch__input"
+                                type="checkbox"
+                                ?checked=${first(this.instance?.verifyCertificates, true)}
+                            />
+                            <span class="pf-c-switch__toggle">
+                                <span class="pf-c-switch__toggle-icon">
+                                    <i class="fas fa-check" aria-hidden="true"></i>
+                                </span>
+                            </span>
+                            <span class="pf-c-switch__label"
+                                >${msg("Verify SCIM server's certificates")}</span
+                            >
+                        </label>
+                    </ak-form-element-horizontal>
+                    <ak-form-element-horizontal
+                        label=${msg("Token")}
+                        ?required=${true}
+                        name="token"
+                    >
+                        <input
+                            type="text"
+                            value="${first(this.instance?.token, "")}"
+                            class="pf-c-form-control"
+                            required
+                        />
+                        <p class="pf-c-form__helper-text">
+                            ${msg(
+                                "Token to authenticate with. Currently only bearer authentication is supported.",
+                            )}
+                        </p>
+                    </ak-form-element-horizontal>
+                </div>
+            </ak-form-group>
+            <ak-form-group ?expanded=${true}>
+                <span slot="header">${msg("User filtering")}</span>
+                <div slot="body" class="pf-c-form">
+                    <ak-form-element-horizontal name="excludeUsersServiceAccount">
+                        <label class="pf-c-switch">
+                            <input
+                                class="pf-c-switch__input"
+                                type="checkbox"
+                                ?checked=${first(this.instance?.excludeUsersServiceAccount, true)}
+                            />
+                            <span class="pf-c-switch__toggle">
+                                <span class="pf-c-switch__toggle-icon">
+                                    <i class="fas fa-check" aria-hidden="true"></i>
+                                </span>
+                            </span>
+                            <span class="pf-c-switch__label"
+                                >${msg("Exclude service accounts")}</span
+                            >
+                        </label>
+                    </ak-form-element-horizontal>
+                    <ak-form-element-horizontal label=${msg("Group")} name="filterGroup">
+                        <ak-search-select
+                            .fetchObjects=${async (query?: string): Promise<Group[]> => {
+                                const args: CoreGroupsListRequest = {
+                                    ordering: "name",
+                                    includeUsers: false,
+                                };
+                                if (query !== undefined) {
+                                    args.search = query;
+                                }
+                                const groups = await new CoreApi(DEFAULT_CONFIG).coreGroupsList(
+                                    args,
+                                );
+                                return groups.results;
+                            }}
+                            .renderElement=${(group: Group): string => {
+                                return group.name;
+                            }}
+                            .value=${(group: Group | undefined): string | undefined => {
+                                return group ? group.pk : undefined;
+                            }}
+                            .selected=${(group: Group): boolean => {
+                                return group.pk === this.instance?.filterGroup;
+                            }}
+                            ?blankable=${true}
+                        >
+                        </ak-search-select>
+                        <p class="pf-c-form__helper-text">
+                            ${msg("Only sync users within the selected group.")}
+                        </p>
+                    </ak-form-element-horizontal>
+                </div>
+            </ak-form-group>
+            <ak-form-group ?expanded=${true}>
+                <span slot="header"> ${msg("Attribute mapping")} </span>
+                <div slot="body" class="pf-c-form">
+                    <ak-form-element-horizontal
+                        label=${msg("User Property Mappings")}
+                        name="propertyMappings">
+                        <ak-dual-select-dynamic-selected
+                            .provider=${scimPropertyMappingsProvider}
+                            .selector=${makeSCIMPropertyMappingsSelector(
+                                this.instance?.propertyMappings,
+                                "goauthentik.io/providers/scim/user",
+                            )}
+                            available-label=${msg("Available User Property Mappings")}
+                            selected-label=${msg("Selected User Property Mappings")}
+                        ></ak-dual-select-dynamic-selected>
+                        </select>
+                        <p class="pf-c-form__helper-text">
+                            ${msg("Property mappings used to user mapping.")}
+                        </p>
+                    </ak-form-element-horizontal>
+                    <ak-form-element-horizontal
+                        label=${msg("Group Property Mappings")}
+                        name="propertyMappingsGroup">
+                        <ak-dual-select-dynamic-selected
+                            .provider=${scimPropertyMappingsProvider}
+                            .selector=${makeSCIMPropertyMappingsSelector(
+                                this.instance?.propertyMappingsGroup,
+                                "goauthentik.io/providers/scim/group",
+                            )}
+                            available-label=${msg("Available Group Property Mappings")}
+                            selected-label=${msg("Selected Group Property Mappings")}
+                        ></ak-dual-select-dynamic-selected>
+                        <p class="pf-c-form__helper-text">
+                            ${msg("Property mappings used to group creation.")}
+                        </p>
+                    </ak-form-element-horizontal>
+                </div>
+            </ak-form-group>`;
    }
 }

--- a/web/src/admin/providers/scim/SCIMProviderFormForm.ts
+++ b/web/src/admin/providers/scim/SCIMProviderFormForm.ts
@ -1,173 +0,0 @@
-import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
-import { first } from "@goauthentik/common/utils";
-import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
-import { DualSelectPair } from "@goauthentik/elements/ak-dual-select/types.js";
-import "@goauthentik/elements/forms/FormGroup";
-import "@goauthentik/elements/forms/HorizontalFormElement";
-import "@goauthentik/elements/forms/Radio";
-import "@goauthentik/elements/forms/SearchSelect";
-
-import { msg } from "@lit/localize";
-import { html } from "lit";
-import { ifDefined } from "lit/directives/if-defined.js";
-
-import {
-    CoreApi,
-    CoreGroupsListRequest,
-    Group,
-    PropertymappingsApi,
-    SCIMMapping,
-    SCIMProvider,
-    ValidationError,
-} from "@goauthentik/api";
-
-export async function scimPropertyMappingsProvider(page = 1, search = "") {
-    const propertyMappings = await new PropertymappingsApi(
-        DEFAULT_CONFIG,
-    ).propertymappingsProviderScimList({
-        ordering: "managed",
-        pageSize: 20,
-        search: search.trim(),
-        page,
-    });
-    return {
-        pagination: propertyMappings.pagination,
-        options: propertyMappings.results.map((m) => [m.pk, m.name, m.name, m]),
-    };
-}
-
-export function makeSCIMPropertyMappingsSelector(
-    instanceMappings: string[] | undefined,
-    defaultSelected: string,
-) {
-    const localMappings = instanceMappings ? new Set(instanceMappings) : undefined;
-    return localMappings
-        ? ([pk, _]: DualSelectPair) => localMappings.has(pk)
-        : ([_0, _1, _2, mapping]: DualSelectPair<SCIMMapping>) =>
-              mapping?.managed === defaultSelected;
-}
-
-export function renderForm(provider?: Partial<SCIMProvider>, errors: ValidationError = {}) {
-    return html`
-        <ak-text-input
-            name="name"
-            value=${ifDefined(provider?.name)}
-            label=${msg("Name")}
-            .errorMessages=${errors?.name ?? []}
-            required
-            help=${msg("Method's display Name.")}
-        ></ak-text-input>
-        <ak-form-group expanded>
-            <span slot="header"> ${msg("Protocol settings")} </span>
-            <div slot="body" class="pf-c-form">
-                <ak-text-input
-                    name="url"
-                    label=${msg("URL")}
-                    value="${first(provider?.url, "")}"
-                    .errorMessages=${errors?.url ?? []}
-                    required
-                    help=${msg("SCIM base url, usually ends in /v2.")}
-                ></ak-text-input>
-
-                <ak-switch-input
-                    name="verifyCertificates"
-                    label=${msg("Verify SCIM server's certificates")}
-                    ?checked=${provider?.verifyCertificates ?? true}
-                >
-                </ak-switch-input>
-
-                <ak-text-input
-                    name="token"
-                    label=${msg("Token")}
-                    value="${provider?.token ?? ""}"
-                    .errorMessages=${errors?.token ?? []}
-                    required
-                    help=${msg(
-                        "Token to authenticate with. Currently only bearer authentication is supported.",
-                    )}
-                ></ak-text-input>
-            </div>
-        </ak-form-group>
-        <ak-form-group expanded>
-            <span slot="header">${msg("User filtering")}</span>
-            <div slot="body" class="pf-c-form">
-                <ak-switch-input
-                    name="excludeUsersServiceAccount"
-                    label=${msg("Exclude service accounts")}
-                    ?checked=${first(provider?.excludeUsersServiceAccount, true)}
-                >
-                </ak-switch-input>
-
-                <ak-form-element-horizontal label=${msg("Group")} name="filterGroup">
-                    <ak-search-select
-                        .fetchObjects=${async (query?: string): Promise<Group[]> => {
-                            const args: CoreGroupsListRequest = {
-                                ordering: "name",
-                                includeUsers: false,
-                            };
-                            if (query !== undefined) {
-                                args.search = query;
-                            }
-                            const groups = await new CoreApi(DEFAULT_CONFIG).coreGroupsList(args);
-                            return groups.results;
-                        }}
-                        .renderElement=${(group: Group): string => {
-                            return group.name;
-                        }}
-                        .value=${(group: Group | undefined): string | undefined => {
-                            return group ? group.pk : undefined;
-                        }}
-                        .selected=${(group: Group): boolean => {
-                            return group.pk === provider?.filterGroup;
-                        }}
-                        blankable
-                    >
-                    </ak-search-select>
-                    <p class="pf-c-form__helper-text">
-                        ${msg("Only sync users within the selected group.")}
-                    </p>
-                </ak-form-element-horizontal>
-            </div>
-        </ak-form-group>
-
-        <ak-form-group expanded>
-            <span slot="header"> ${msg("Attribute mapping")} </span>
-            <div slot="body" class="pf-c-form">
-                <ak-form-element-horizontal
-                    label=${msg("User Property Mappings")}
-                    name="propertyMappings"
-                >
-                    <ak-dual-select-dynamic-selected
-                        .provider=${scimPropertyMappingsProvider}
-                        .selector=${makeSCIMPropertyMappingsSelector(
-                            provider?.propertyMappings,
-                            "goauthentik.io/providers/scim/user",
-                        )}
-                        available-label=${msg("Available User Property Mappings")}
-                        selected-label=${msg("Selected User Property Mappings")}
-                    ></ak-dual-select-dynamic-selected>
-                    <p class="pf-c-form__helper-text">
-                        ${msg("Property mappings used to user mapping.")}
-                    </p>
-                </ak-form-element-horizontal>
-                <ak-form-element-horizontal
-                    label=${msg("Group Property Mappings")}
-                    name="propertyMappingsGroup"
-                >
-                    <ak-dual-select-dynamic-selected
-                        .provider=${scimPropertyMappingsProvider}
-                        .selector=${makeSCIMPropertyMappingsSelector(
-                            provider?.propertyMappingsGroup,
-                            "goauthentik.io/providers/scim/group",
-                        )}
-                        available-label=${msg("Available Group Property Mappings")}
-                        selected-label=${msg("Selected Group Property Mappings")}
-                    ></ak-dual-select-dynamic-selected>
-                    <p class="pf-c-form__helper-text">
-                        ${msg("Property mappings used to group creation.")}
-                    </p>
-                </ak-form-element-horizontal>
-            </div>
-        </ak-form-group>
-    `;
-}
--- a/web/src/admin/users/UserForm.ts
+++ b/web/src/admin/users/UserForm.ts
@ -20,9 +20,6 @@ export class UserForm extends ModelForm<User, number> {
    @property({ attribute: false })
    group?: Group;

-    @property()
-    defaultPath: string = "users";
-
    static get defaultUserAttributes(): { [key: string]: unknown } {
        return {};
    }
@ -175,7 +172,7 @@ export class UserForm extends ModelForm<User, number> {
            <ak-form-element-horizontal label=${msg("Path")} ?required=${true} name="path">
                <input
                    type="text"
-                    value="${first(this.instance?.path, this.defaultPath)}"
+                    value="${first(this.instance?.path, "users")}"
                    class="pf-c-form-control"
                    required
                />
--- a/web/src/admin/users/UserImpersonateForm.ts
+++ b/web/src/admin/users/UserImpersonateForm.ts
@ -1,40 +0,0 @@
-import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
-import "@goauthentik/components/ak-text-input";
-import { Form } from "@goauthentik/elements/forms/Form";
-
-import { msg } from "@lit/localize";
-import { TemplateResult, html } from "lit";
-import { customElement, property } from "lit/decorators.js";
-
-import { CoreApi, ImpersonationRequest } from "@goauthentik/api";
-
-@customElement("ak-user-impersonate-form")
-export class UserImpersonateForm extends Form<ImpersonationRequest> {
-    @property({ type: Number })
-    instancePk?: number;
-
-    async send(data: ImpersonationRequest): Promise<void> {
-        return new CoreApi(DEFAULT_CONFIG)
-            .coreUsersImpersonateCreate({
-                id: this.instancePk || 0,
-                impersonationRequest: data,
-            })
-            .then(() => {
-                window.location.href = "/";
-            });
-    }
-
-    renderForm(): TemplateResult {
-        return html`<ak-text-input
-            name="reason"
-            label=${msg("Reason")}
-            help=${msg("Reason for impersonating the user")}
-        ></ak-text-input>`;
-    }
-}
-
-declare global {
-    interface HTMLElementTagNameMap {
-        "ak-user-impersonate-form": UserImpersonateForm;
-    }
-}
--- a/web/src/admin/users/UserListPage.ts
+++ b/web/src/admin/users/UserListPage.ts
@ -2,7 +2,6 @@ import { AdminInterface } from "@goauthentik/admin/AdminInterface";
 import "@goauthentik/admin/users/ServiceAccountForm";
 import "@goauthentik/admin/users/UserActiveForm";
 import "@goauthentik/admin/users/UserForm";
-import "@goauthentik/admin/users/UserImpersonateForm";
 import "@goauthentik/admin/users/UserPasswordForm";
 import "@goauthentik/admin/users/UserResetEmailForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
@ -267,22 +266,21 @@ export class UserListPage extends WithBrandConfig(WithCapabilitiesConfig(TablePa
                </ak-forms-modal>
                ${canImpersonate
                    ? html`
-                          <ak-forms-modal size=${PFSize.Medium} id="impersonate-request">
-                              <span slot="submit">${msg("Impersonate")}</span>
-                              <span slot="header">${msg("Impersonate")} ${item.username}</span>
-                              <ak-user-impersonate-form
-                                  slot="form"
-                                  .instancePk=${item.pk}
-                              ></ak-user-impersonate-form>
-                              <button slot="trigger" class="pf-c-button pf-m-tertiary">
-                                  <pf-tooltip
-                                      position="top"
-                                      content=${msg("Temporarily assume the identity of this user")}
-                                  >
-                                      <span>${msg("Impersonate")}</span>
-                                  </pf-tooltip>
-                              </button>
-                          </ak-forms-modal>
+                          <ak-action-button
+                              class="pf-m-tertiary"
+                              .apiRequest=${() => {
+                                  return new CoreApi(DEFAULT_CONFIG)
+                                      .coreUsersImpersonateCreate({
+                                          id: item.pk,
+                                          impersonationRequest: { reason: "" },
+                                      })
+                                      .then(() => {
+                                          window.location.href = "/";
+                                      });
+                              }}
+                          >
+                              ${msg("Impersonate")}
+                          </ak-action-button>
                      `
                    : html``}`,
        ];
@ -395,7 +393,7 @@ export class UserListPage extends WithBrandConfig(WithCapabilitiesConfig(TablePa
            <ak-forms-modal>
                <span slot="submit"> ${msg("Create")} </span>
                <span slot="header"> ${msg("Create User")} </span>
-                <ak-user-form defaultPath=${this.activePath} slot="form"> </ak-user-form>
+                <ak-user-form slot="form"> </ak-user-form>
                <button slot="trigger" class="pf-c-button pf-m-primary">${msg("Create")}</button>
            </ak-forms-modal>
            <ak-forms-modal .closeAfterSuccessfulSubmit=${false} .cancelText=${msg("Close")}>
@ -417,9 +415,6 @@ export class UserListPage extends WithBrandConfig(WithCapabilitiesConfig(TablePa
                    <ak-treeview
                        .items=${this.userPaths?.paths || []}
                        activePath=${this.activePath}
-                        @ak-refresh=${(ev: CustomEvent<{ path: string }>) => {
-                            this.activePath = ev.detail.path;
-                        }}
                    ></ak-treeview>
                </div>
            </div>
--- a/web/src/admin/users/UserViewPage.ts
+++ b/web/src/admin/users/UserViewPage.ts
@ -5,7 +5,6 @@ import "@goauthentik/admin/users/UserActiveForm";
 import "@goauthentik/admin/users/UserApplicationTable";
 import "@goauthentik/admin/users/UserChart";
 import "@goauthentik/admin/users/UserForm";
-import "@goauthentik/admin/users/UserImpersonateForm";
 import {
    renderRecoveryEmailRequest,
    requestRecoveryLink,
@ -209,22 +208,27 @@ export class UserViewPage extends WithCapabilitiesConfig(AKElement) {
            </ak-user-active-form>
            ${canImpersonate
                ? html`
-                      <ak-forms-modal size=${PFSize.Medium} id="impersonate-request">
-                          <span slot="submit">${msg("Impersonate")}</span>
-                          <span slot="header">${msg("Impersonate")} ${user.username}</span>
-                          <ak-user-impersonate-form
-                              slot="form"
-                              .instancePk=${user.pk}
-                          ></ak-user-impersonate-form>
-                          <button slot="trigger" class="pf-c-button pf-m-secondary pf-m-block">
-                              <pf-tooltip
-                                  position="top"
-                                  content=${msg("Temporarily assume the identity of this user")}
-                              >
-                                  <span>${msg("Impersonate")}</span>
-                              </pf-tooltip>
-                          </button>
-                      </ak-forms-modal>
+                      <ak-action-button
+                          class="pf-m-secondary pf-m-block"
+                          id="impersonate-user-button"
+                          .apiRequest=${() => {
+                              return new CoreApi(DEFAULT_CONFIG)
+                                  .coreUsersImpersonateCreate({
+                                      id: user.pk,
+                                      impersonationRequest: { reason: "" },
+                                  })
+                                  .then(() => {
+                                      window.location.href = "/";
+                                  });
+                          }}
+                      >
+                          <pf-tooltip
+                              position="top"
+                              content=${msg("Temporarily assume the identity of this user")}
+                          >
+                              ${msg("Impersonate")}
+                          </pf-tooltip>
+                      </ak-action-button>
                  `
                : nothing}
        </div> `;
--- a/web/src/common/constants.ts
+++ b/web/src/common/constants.ts
@ -3,7 +3,7 @@ export const SUCCESS_CLASS = "pf-m-success";
 export const ERROR_CLASS = "pf-m-danger";
 export const PROGRESS_CLASS = "pf-m-in-progress";
 export const CURRENT_CLASS = "pf-m-current";
-export const VERSION = "2024.10.4";
+export const VERSION = "2024.10.5";
 export const TITLE_DEFAULT = "authentik";
 export const ROUTE_SEPARATOR = ";";

--- a/web/src/elements/TreeView.ts
+++ b/web/src/elements/TreeView.ts
@ -89,9 +89,6 @@ export class TreeViewNode extends AKElement {
                                new CustomEvent(EVENT_REFRESH, {
                                    bubbles: true,
                                    composed: true,
-                                    detail: {
-                                        path: this.fullPath,
-                                    },
                                }),
                            );
                        }}
--- a/web/src/elements/ak-locale-context/definitions.ts
+++ b/web/src/elements/ak-locale-context/definitions.ts
@ -42,19 +42,18 @@ const debug: LocaleRow = [

 // prettier-ignore
 const LOCALE_TABLE: LocaleRow[] = [
-    ["de",      /^de([_-]|$)/i,      () => msg("German"),                async () => await import("@goauthentik/locales/de")],
    ["en",      /^en([_-]|$)/i,      () => msg("English"),               async () => await import("@goauthentik/locales/en")],
    ["es",      /^es([_-]|$)/i,      () => msg("Spanish"),               async () => await import("@goauthentik/locales/es")],
+    ["de",      /^de([_-]|$)/i,      () => msg("German"),                async () => await import("@goauthentik/locales/de")],
    ["fr",      /^fr([_-]|$)/i,      () => msg("French"),                async () => await import("@goauthentik/locales/fr")],
-    ["it",      /^it([_-]|$)/i,      () => msg("Italian"),               async () => await import("@goauthentik/locales/it")],
    ["ko",      /^ko([_-]|$)/i,      () => msg("Korean"),                async () => await import("@goauthentik/locales/ko")],
    ["nl",      /^nl([_-]|$)/i,      () => msg("Dutch"),                 async () => await import("@goauthentik/locales/nl")],
    ["pl",      /^pl([_-]|$)/i,      () => msg("Polish"),                async () => await import("@goauthentik/locales/pl")],
    ["ru",      /^ru([_-]|$)/i,      () => msg("Russian"),               async () => await import("@goauthentik/locales/ru")],
    ["tr",      /^tr([_-]|$)/i,      () => msg("Turkish"),               async () => await import("@goauthentik/locales/tr")],
+    ["zh-Hant", /^zh[_-](HK|Hant)/i, () => msg("Chinese (traditional)"), async () => await import("@goauthentik/locales/zh-Hant")],
    ["zh_TW",   /^zh[_-]TW$/i,       () => msg("Taiwanese Mandarin"),    async () => await import("@goauthentik/locales/zh_TW")],
    ["zh-Hans", /^zh(\b|_)/i,        () => msg("Chinese (simplified)"),  async () => await import("@goauthentik/locales/zh-Hans")],
-    ["zh-Hant", /^zh[_-](HK|Hant)/i, () => msg("Chinese (traditional)"), async () => await import("@goauthentik/locales/zh-Hant")],
    debug
 ];

--- a/web/src/elements/forms/FormGroup.ts
+++ b/web/src/elements/forms/FormGroup.ts
@ -44,43 +44,37 @@ export class FormGroup extends AKElement {
    }

    render(): TemplateResult {
-        return html` <div class="pf-c-form">
-            <div class="pf-c-form__field-group ${this.expanded ? "pf-m-expanded" : ""}">
-                <div class="pf-c-form__field-group-toggle">
-                    <div class="pf-c-form__field-group-toggle-button">
-                        <button
-                            class="pf-c-button pf-m-plain"
-                            type="button"
-                            aria-expanded="${this.expanded}"
-                            aria-label=${this.ariaLabel}
-                            @click=${() => {
-                                this.expanded = !this.expanded;
-                            }}
-                        >
-                            <span class="pf-c-form__field-group-toggle-icon">
-                                <i class="fas fa-angle-right" aria-hidden="true"></i>
-                            </span>
-                        </button>
-                    </div>
+        return html`<div class="pf-c-form__field-group ${this.expanded ? "pf-m-expanded" : ""}">
+            <div class="pf-c-form__field-group-toggle">
+                <div class="pf-c-form__field-group-toggle-button">
+                    <button
+                        class="pf-c-button pf-m-plain"
+                        type="button"
+                        aria-expanded="${this.expanded}"
+                        aria-label=${this.ariaLabel}
+                        @click=${() => {
+                            this.expanded = !this.expanded;
+                        }}
+                    >
+                        <span class="pf-c-form__field-group-toggle-icon">
+                            <i class="fas fa-angle-right" aria-hidden="true"></i>
+                        </span>
+                    </button>
                </div>
-                <div class="pf-c-form__field-group-header">
-                    <div class="pf-c-form__field-group-header-main">
-                        <div class="pf-c-form__field-group-header-title">
-                            <div class="pf-c-form__field-group-header-title-text">
-                                <slot name="header"></slot>
-                            </div>
-                        </div>
-                        <div class="pf-c-form__field-group-header-description">
-                            <slot name="description"></slot>
-                        </div>
-                    </div>
-                </div>
-                <slot
-                    ?hidden=${!this.expanded}
-                    class="pf-c-form__field-group-body"
-                    name="body"
-                ></slot>
            </div>
+            <div class="pf-c-form__field-group-header">
+                <div class="pf-c-form__field-group-header-main">
+                    <div class="pf-c-form__field-group-header-title">
+                        <div class="pf-c-form__field-group-header-title-text">
+                            <slot name="header"></slot>
+                        </div>
+                    </div>
+                    <div class="pf-c-form__field-group-header-description">
+                        <slot name="description"></slot>
+                    </div>
+                </div>
+            </div>
+            <slot ?hidden=${!this.expanded} class="pf-c-form__field-group-body" name="body"></slot>
        </div>`;
    }
 }
--- a/Show More
+++ b/Show More