| title | slug |
|---|---|
| Release 2024.8 | /releases/2024.8 |
:::::note
2024.8 has not been released yet! We're publishing these release notes as a preview of what's to come, and for our awesome beta testers trying out release candidates.

To try out the release candidate, replace your Docker image tag with the latest release candidate number, such as 2024.8.0-rc1. You can find the latest one in the latest releases on GitHub. If you don't find any, it means we haven't released one yet.
:::::
Breaking changes
Manual action is required
-
LDAP property mappings simplification
LDAP property mappings have been reworked to remove the Object field. With this release, instead of returning a single user or group attribute for each property mapping, you can now return several of them. Here is an example of what new property mappings look like:

```python
return {
    "username": ldap.get("uid"),  # list_flatten is automatically applied to top-level attributes
    "attributes": {
        "phone": list_flatten(ldap.get("phoneNumber")),  # but not for attributes!
    },
}
```

This property mapping populates the `username` and `attributes.phone` attributes of a user at the same time, reducing the number of mappings that are run and thus improving performance. Additionally, they are more straightforward to read, and this change allowed us to implement property mappings for OAuth and SAML sources as well.

authentik will automatically migrate existing property mappings to this new format, by generating some Python code for each of the existing property mappings expressions. authentik-managed property mappings will automatically get updated to the new format.
If you have any custom property mappings, we recommend migrating them to this new format.
-
OAuth and SAML sources now sync groups by default
OAuth (specifically OpenID and Okta) sources now sync groups by default when a `groups` claim is available.

SAML sources now sync groups by default when a `http://schemas.xmlsoap.org/claims/Group` attribute is available in the assertion.

To disable that behavior, create an OAuth/SAML source property mapping with the following expression:

```python
return {
    "groups": [],
}
```
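Going one step beyond the disable-everything expression above, this added example (not from the authentik project) keeps group sync but only for an allowlist of expected groups. It assumes the claims reach an OAuth source property mapping as a dict named `info`; `ALLOWED_GROUPS`, `normalise_claim` and `filter_groups` are hypothetical names, and the sample claims are constructed.

```python
# Added example, not authentik code.
# Assumption: `info` is the dict of claims available to an OAuth source
# property mapping. ALLOWED_GROUPS is a hypothetical allowlist you maintain.
ALLOWED_GROUPS = frozenset({"support", "billing"})


def normalise_claim(raw):
    """Return the groups claim as a list of clean strings, whatever shape was sent."""
    if raw is None:
        return []
    if isinstance(raw, str):
        raw = [raw]  # some providers send a single group as a bare string
    if not isinstance(raw, (list, tuple, set)):
        return []  # unexpected type (dict, int, ...): sync nothing
    return [g.strip() for g in raw if isinstance(g, str) and g.strip()]


def filter_groups(info, allowed=ALLOWED_GROUPS):
    """Return (mapping_result, dropped): exact-match allowlist, de-duplicated."""
    claimed = normalise_claim(info.get("groups"))
    kept = sorted({g for g in claimed if g in allowed})
    dropped = sorted({g for g in claimed if g not in allowed})
    return {"groups": kept}, dropped


# Constructed sample claims: a duplicate, a case mismatch, an unlisted
# group and a non-string entry.
SAMPLE_INFO = {
    "sub": "u-1001",
    "groups": ["support", "engineering", "Support", "billing", "support", 42],
}

if __name__ == "__main__":
    result, dropped = filter_groups(SAMPLE_INFO)
    print("synced:", result)
    print("dropped (worth logging):", dropped)
    # Inside the property mapping expression itself, the body would end with:
    #     return filter_groups(info)[0]
```

Matching is deliberately case-sensitive, so `Support` is not treated as `support`; decide explicitly if you want to normalise case before comparing.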
Manual action may be required
-
Changes to the external user type
Since the introduction of user types with 2023.8, the main difference between internal and external users has mostly been relevant when using the Enterprise version of authentik.
With this release, authentik improves support for B2C use-cases, which external users are intended for. It is now possible to configure a default application. External users not attempting to access a specific application will always be redirected to this default application.
As part of this, external users will no longer have access to the User and Admin interfaces. If you're using the open-source version and you require this workflow, you can change users to be Internal, which will have no side-effects. For enterprise customers, please reach out to us with any questions.
Bulk changing the user type
In the container, run the command `ak change_user_type --all --type internal` to change all users to Internal. Instead of using `--all` you can also pass usernames to the command to only change individual users to internal.
-
Changed HTTP healthcheck endpoints status code
For increased compatibility, the `/-/health/live/` and `/-/health/ready/` endpoints return 200 HTTP Status codes for successful checks. Previously these endpoints returned 204, which means in most cases no changes are required.
New features
-
Source property mappings for SCIM, OAuth, SAML and Plex sources
-
SAML Source encryption support
It is now possible to configure a SAML Source to decrypt and validate encrypted assertions. This can be configured by creating a Certificate-keypair and selecting it in the SAML Source.
Upgrading
This release does not introduce any new requirements.
docker-compose
To upgrade, download the new docker-compose file and update the Docker stack with the new version, using these commands:
```shell
wget -O docker-compose.yml https://goauthentik.io/version/2024.8/docker-compose.yml
docker compose up -d
```
The -O flag retains the downloaded file's name, overwriting any existing local file with the same name.
Kubernetes
Upgrade the Helm Chart to the new version, using the following commands:
```shell
helm repo update
helm upgrade authentik authentik/authentik -f values.yaml --version ^2024.8
```