enterprise: initial enterprise (#5721)

* initial Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add user type Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add external users Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add ui, add more logic, add public JWT validation key Signed-off-by: Jens Langhammer <jens@goauthentik.io> * revert to not use install_id as session jwt signing key Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix more Signed-off-by: Jens Langhammer <jens@goauthentik.io> * switch to PKI Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add more licensing stuff Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add install ID to form Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix bugs Signed-off-by: Jens Langhammer <jens@goauthentik.io> * start adding tests Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fixes Signed-off-by: Jens Langhammer <jens@goauthentik.io> * use x5c correctly Signed-off-by: Jens Langhammer <jens@goauthentik.io> * license checks Signed-off-by: Jens Langhammer <jens@goauthentik.io> * use production CA Signed-off-by: Jens Langhammer <jens@goauthentik.io> * more Signed-off-by: Jens Langhammer <jens@goauthentik.io> * more UI stuff Signed-off-by: Jens Langhammer <jens@goauthentik.io> * rename to summary Signed-off-by: Jens Langhammer <jens@goauthentik.io> * update locale, improve ui Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add direct button Signed-off-by: Jens Langhammer <jens@goauthentik.io> * update link Signed-off-by: Jens Langhammer <jens@goauthentik.io> * format and such Signed-off-by: Jens Langhammer <jens@goauthentik.io> * remove old attributes from ldap Signed-off-by: Jens Langhammer <jens@goauthentik.io> * remove is_enterprise_licensed Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix admin interface styling issue Signed-off-by: Jens Langhammer <jens@goauthentik.io> * Update authentik/core/models.py Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: Jens L. <jens@beryju.org> * fix default case Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Signed-off-by: Jens L. <jens@beryju.org> Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
2023-07-17 17:57:08 +02:00 · 2023-07-17 17:57:08 +02:00 · 41af486006
parent cf799fca03
commit 41af486006
56 changed files with 2534 additions and 128 deletions
--- a/.gitignore
+++ b/.gitignore
@ -204,3 +204,4 @@ data/
 # Local Netlify folder
 .netlify
 .ruff_cache
--- a/authentik/api/tests/test_auth.py
+++ b/authentik/api/tests/test_auth.py
@ -9,7 +9,7 @@ from rest_framework.exceptions import AuthenticationFailed
 from authentik.api.authentication import bearer_auth
 from authentik.blueprints.tests import reconcile_app
-from authentik.core.models import USER_ATTRIBUTE_SA, Token, TokenIntents
+from authentik.core.models import Token, TokenIntents, User, UserTypes
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.lib.generators import generate_id
 from authentik.providers.oauth2.constants import SCOPE_AUTHENTIK_API
@ -57,8 +57,8 @@ class TestAPIAuth(TestCase):
    @reconcile_app("authentik_outposts")
    def test_managed_outpost_success(self):
        """Test managed outpost"""
-        user = bearer_auth(f"Bearer {settings.SECRET_KEY}".encode())
+        user: User = bearer_auth(f"Bearer {settings.SECRET_KEY}".encode())
-        self.assertEqual(user.attributes[USER_ATTRIBUTE_SA], True)
+        self.assertEqual(user.type, UserTypes.INTERNAL_SERVICE_ACCOUNT)
    def test_jwt_valid(self):
        """Test valid JWT"""
--- a/authentik/api/v3/config.py
+++ b/authentik/api/v3/config.py
@ -3,6 +3,7 @@ from pathlib import Path
 from django.conf import settings
 from django.db import models
 from django.dispatch import Signal
 from drf_spectacular.utils import extend_schema
 from rest_framework.fields import (
    BooleanField,
@ -21,6 +22,8 @@ from authentik.core.api.utils import PassiveSerializer
 from authentik.events.geo import GEOIP_READER
 from authentik.lib.config import CONFIG
 capabilities = Signal()
 class Capabilities(models.TextChoices):
    """Define capabilities which influence which APIs can/should be used"""
@ -73,6 +76,9 @@ class ConfigView(APIView):
            caps.append(Capabilities.CAN_DEBUG)
        if "authentik.enterprise" in settings.INSTALLED_APPS:
            caps.append(Capabilities.IS_ENTERPRISE)
        for _, result in capabilities.send(sender=self):
            if result:
                caps.append(result)
        return caps
    def get_config(self) -> ConfigSerializer:
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -59,7 +59,6 @@ from authentik.core.middleware import (
    SESSION_KEY_IMPERSONATE_USER,
 )
 from authentik.core.models import (
    USER_ATTRIBUTE_SA,
    USER_ATTRIBUTE_TOKEN_EXPIRING,
    USER_PATH_SERVICE_ACCOUNT,
    AuthenticatedSession,
@ -67,6 +66,7 @@ from authentik.core.models import (
    Token,
    TokenIntents,
    User,
    UserTypes,
 )
 from authentik.events.models import Event, EventAction
 from authentik.flows.exceptions import FlowNonApplicableException
@ -147,6 +147,18 @@ class UserSerializer(ModelSerializer):
                raise ValidationError(_("No empty segments in user path allowed."))
        return path
    def validate_type(self, user_type: str) -> str:
        """Validate user type, internal_service_account is an internal value"""
        if (
            self.instance
            and self.instance.type == UserTypes.INTERNAL_SERVICE_ACCOUNT
            and user_type != UserTypes.INTERNAL_SERVICE_ACCOUNT.value
        ):
            raise ValidationError("Can't change internal service account to other user type.")
        if not self.instance and user_type == UserTypes.INTERNAL_SERVICE_ACCOUNT.value:
            raise ValidationError("Setting a user to internal service account is not allowed.")
        return user_type
    class Meta:
        model = User
        fields = [
@ -163,6 +175,7 @@ class UserSerializer(ModelSerializer):
            "attributes",
            "uid",
            "path",
            "type",
        ]
        extra_kwargs = {
            "name": {"allow_blank": True},
@ -211,6 +224,7 @@ class UserSelfSerializer(ModelSerializer):
            "avatar",
            "uid",
            "settings",
            "type",
        ]
        extra_kwargs = {
            "is_active": {"read_only": True},
@ -329,6 +343,7 @@ class UsersFilter(FilterSet):
            "attributes",
            "groups_by_name",
            "groups_by_pk",
            "type",
        ]
@ -421,7 +436,8 @@ class UserViewSet(UsedByMixin, ModelViewSet):
                user: User = User.objects.create(
                    username=username,
                    name=username,
-                    attributes={USER_ATTRIBUTE_SA: True, USER_ATTRIBUTE_TOKEN_EXPIRING: expiring},
+                    type=UserTypes.SERVICE_ACCOUNT,
                    attributes={USER_ATTRIBUTE_TOKEN_EXPIRING: expiring},
                    path=USER_PATH_SERVICE_ACCOUNT,
                )
                user.set_unusable_password()
--- a/authentik/core/migrations/0030_user_type.py
+++ b/authentik/core/migrations/0030_user_type.py
@ -0,0 +1,43 @@
 # Generated by Django 4.1.7 on 2023-05-21 11:44
 from django.apps.registry import Apps
 from django.db import migrations, models
 from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 def migrate_user_type(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
    db_alias = schema_editor.connection.alias
    User = apps.get_model("authentik_core", "User")
    from authentik.core.models import UserTypes
    for user in User.objects.using(db_alias).all():
        user.type = UserTypes.DEFAULT
        if "goauthentik.io/user/service-account" in user.attributes:
            user.type = UserTypes.SERVICE_ACCOUNT
        if "goauthentik.io/user/override-ips" in user.attributes:
            user.type = UserTypes.INTERNAL_SERVICE_ACCOUNT
        user.save()
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_core", "0029_provider_backchannel_applications_and_more"),
    ]
    operations = [
        migrations.AddField(
            model_name="user",
            name="type",
            field=models.TextField(
                choices=[
                    ("default", "Default"),
                    ("external", "External"),
                    ("service_account", "Service Account"),
                    ("internal_service_account", "Internal Service Account"),
                ],
                default="default",
            ),
        ),
        migrations.RunPython(migrate_user_type),
    ]
--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@ -36,7 +36,6 @@ from authentik.root.install_id import get_install_id
 LOGGER = get_logger()
 USER_ATTRIBUTE_DEBUG = "goauthentik.io/user/debug"
 USER_ATTRIBUTE_SA = "goauthentik.io/user/service-account"
 USER_ATTRIBUTE_GENERATED = "goauthentik.io/user/generated"
 USER_ATTRIBUTE_EXPIRES = "goauthentik.io/user/expires"
 USER_ATTRIBUTE_DELETE_ON_LOGOUT = "goauthentik.io/user/delete-on-logout"
@ -45,8 +44,6 @@ USER_ATTRIBUTE_TOKEN_EXPIRING = "goauthentik.io/user/token-expires"  # nosec
 USER_ATTRIBUTE_CHANGE_USERNAME = "goauthentik.io/user/can-change-username"
 USER_ATTRIBUTE_CHANGE_NAME = "goauthentik.io/user/can-change-name"
 USER_ATTRIBUTE_CHANGE_EMAIL = "goauthentik.io/user/can-change-email"
 USER_ATTRIBUTE_CAN_OVERRIDE_IP = "goauthentik.io/user/override-ips"
 USER_PATH_SYSTEM_PREFIX = "goauthentik.io"
 USER_PATH_SERVICE_ACCOUNT = USER_PATH_SYSTEM_PREFIX + "/service-accounts"
@ -66,6 +63,21 @@ def default_token_key():
    return generate_id(int(CONFIG.y("default_token_length")))
 class UserTypes(models.TextChoices):
    """User types, both for grouping, licensing and permissions in the case
    of the internal_service_account"""
    DEFAULT = "default"
    EXTERNAL = "external"
    # User-created service accounts
    SERVICE_ACCOUNT = "service_account"
    # Special user type for internally managed and created service
    # accounts, such as outpost users
    INTERNAL_SERVICE_ACCOUNT = "internal_service_account"
 class Group(SerializerModel):
    """Custom Group model which supports a basic hierarchy"""
@ -149,6 +161,7 @@ class User(SerializerModel, GuardianUserMixin, AbstractUser):
    uuid = models.UUIDField(default=uuid4, editable=False, unique=True)
    name = models.TextField(help_text=_("User's display name."))
    path = models.TextField(default="users")
    type = models.TextField(choices=UserTypes.choices, default=UserTypes.DEFAULT)
    sources = models.ManyToManyField("Source", through="UserSourceConnection")
    ak_groups = models.ManyToManyField("Group", related_name="users")
--- a/authentik/core/signals.py
+++ b/authentik/core/signals.py
@ -1,6 +1,4 @@
 """authentik core signals"""
 from typing import TYPE_CHECKING
 from django.contrib.auth.signals import user_logged_in, user_logged_out
 from django.contrib.sessions.backends.cache import KEY_PREFIX
 from django.core.cache import cache
@ -10,16 +8,13 @@ from django.db.models.signals import post_save, pre_delete, pre_save
 from django.dispatch import receiver
 from django.http.request import HttpRequest
-from authentik.core.models import Application, AuthenticatedSession, BackchannelProvider
+from authentik.core.models import Application, AuthenticatedSession, BackchannelProvider, User
 # Arguments: user: User, password: str
 password_changed = Signal()
 # Arguments: credentials: dict[str, any], request: HttpRequest, stage: Stage
 login_failed = Signal()
 if TYPE_CHECKING:
    from authentik.core.models import User
@receiver(post_save, sender=Application)
 def post_save_application(sender: type[Model], instance, created: bool, **_):
@ -35,7 +30,7 @@ def post_save_application(sender: type[Model], instance, created: bool, **_):
@receiver(user_logged_in)
-def user_logged_in_session(sender, request: HttpRequest, user: "User", **_):
+def user_logged_in_session(sender, request: HttpRequest, user: User, **_):
    """Create an AuthenticatedSession from request"""
    session = AuthenticatedSession.from_request(request, user)
@ -44,7 +39,7 @@ def user_logged_in_session(sender, request: HttpRequest, user: "User", **_):
@receiver(user_logged_out)
-def user_logged_out_session(sender, request: HttpRequest, user: "User", **_):
+def user_logged_out_session(sender, request: HttpRequest, user: User, **_):
    """Delete AuthenticatedSession if it exists"""
    AuthenticatedSession.objects.filter(session_key=request.session.session_key).delete()
--- a/authentik/core/tests/test_users_api.py
+++ b/authentik/core/tests/test_users_api.py
@ -8,11 +8,11 @@ from django.urls.base import reverse
 from rest_framework.test import APITestCase
 from authentik.core.models import (
    USER_ATTRIBUTE_SA,
    USER_ATTRIBUTE_TOKEN_EXPIRING,
    AuthenticatedSession,
    Token,
    User,
    UserTypes,
 )
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow, create_test_tenant
 from authentik.flows.models import FlowDesignation
@ -141,7 +141,8 @@ class TestUsersAPI(APITestCase):
        user_filter = User.objects.filter(
            username="test-sa",
-            attributes={USER_ATTRIBUTE_TOKEN_EXPIRING: True, USER_ATTRIBUTE_SA: True},
+            type=UserTypes.SERVICE_ACCOUNT,
            attributes={USER_ATTRIBUTE_TOKEN_EXPIRING: True},
        )
        self.assertTrue(user_filter.exists())
        user: User = user_filter.first()
@ -166,7 +167,8 @@ class TestUsersAPI(APITestCase):
        user_filter = User.objects.filter(
            username="test-sa",
-            attributes={USER_ATTRIBUTE_TOKEN_EXPIRING: False, USER_ATTRIBUTE_SA: True},
+            type=UserTypes.SERVICE_ACCOUNT,
            attributes={USER_ATTRIBUTE_TOKEN_EXPIRING: False},
        )
        self.assertTrue(user_filter.exists())
        user: User = user_filter.first()
@ -192,7 +194,8 @@ class TestUsersAPI(APITestCase):
        user_filter = User.objects.filter(
            username="test-sa",
-            attributes={USER_ATTRIBUTE_TOKEN_EXPIRING: True, USER_ATTRIBUTE_SA: True},
+            type=UserTypes.SERVICE_ACCOUNT,
            attributes={USER_ATTRIBUTE_TOKEN_EXPIRING: True},
        )
        self.assertTrue(user_filter.exists())
        user: User = user_filter.first()
@ -218,7 +221,8 @@ class TestUsersAPI(APITestCase):
        user_filter = User.objects.filter(
            username="test-sa",
-            attributes={USER_ATTRIBUTE_TOKEN_EXPIRING: True, USER_ATTRIBUTE_SA: True},
+            type=UserTypes.SERVICE_ACCOUNT,
            attributes={USER_ATTRIBUTE_TOKEN_EXPIRING: True},
        )
        self.assertTrue(user_filter.exists())
        user: User = user_filter.first()
--- a/authentik/enterprise/init.py
+++ b/authentik/enterprise/init.py
--- a/authentik/enterprise/api.py
+++ b/authentik/enterprise/api.py
@ -0,0 +1,150 @@
 """Enterprise API Views"""
 from datetime import datetime, timedelta
 from django.utils.timezone import now
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import extend_schema, inline_serializer
 from rest_framework.decorators import action
 from rest_framework.fields import BooleanField, CharField, DateTimeField, IntegerField
 from rest_framework.permissions import IsAdminUser, IsAuthenticated
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 from authentik.api.decorators import permission_required
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import PassiveSerializer
 from authentik.core.models import User, UserTypes
 from authentik.enterprise.models import License, LicenseKey
 from authentik.root.install_id import get_install_id
 class LicenseSerializer(ModelSerializer):
    """License Serializer"""
    def validate_key(self, key: str) -> str:
        """Validate the license key (install_id and signature)"""
        LicenseKey.validate(key)
        return key
    class Meta:
        model = License
        fields = [
            "license_uuid",
            "name",
            "key",
            "expiry",
            "users",
            "external_users",
        ]
        extra_kwargs = {
            "name": {"read_only": True},
            "expiry": {"read_only": True},
            "users": {"read_only": True},
            "external_users": {"read_only": True},
        }
 class LicenseSummary(PassiveSerializer):
    """Serializer for license status"""
    users = IntegerField(required=True)
    external_users = IntegerField(required=True)
    valid = BooleanField()
    show_admin_warning = BooleanField()
    show_user_warning = BooleanField()
    read_only = BooleanField()
    latest_valid = DateTimeField()
    has_license = BooleanField()
 class LicenseForecastSerializer(PassiveSerializer):
    """Serializer for license forecast"""
    users = IntegerField(required=True)
    external_users = IntegerField(required=True)
 class LicenseViewSet(UsedByMixin, ModelViewSet):
    """License Viewset"""
    queryset = License.objects.all()
    serializer_class = LicenseSerializer
    search_fields = ["name"]
    ordering = ["name"]
    filterset_fields = ["name"]
    @permission_required(None, ["authentik_enterprise.view_license"])
    @extend_schema(
        request=OpenApiTypes.NONE,
        responses={
            200: inline_serializer("InstallIDSerializer", {"install_id": CharField(required=True)}),
        },
    )
    @action(detail=False, methods=["GET"], permission_classes=[IsAdminUser])
    def get_install_id(self, request: Request) -> Response:
        """Get install_id"""
        return Response(
            data={
                "install_id": get_install_id(),
            }
        )
    @extend_schema(
        request=OpenApiTypes.NONE,
        responses={
            200: LicenseSummary(),
        },
    )
    @action(detail=False, methods=["GET"], permission_classes=[IsAuthenticated])
    def summary(self, request: Request) -> Response:
        """Get the total license status"""
        total = LicenseKey.get_total()
        last_valid = LicenseKey.last_valid_date()
        # TODO: move this to a different place?
        show_admin_warning = last_valid < now() - timedelta(weeks=2)
        show_user_warning = last_valid < now() - timedelta(weeks=4)
        read_only = last_valid < now() - timedelta(weeks=6)
        latest_valid = datetime.fromtimestamp(total.exp)
        response = LicenseSummary(
            data={
                "users": total.users,
                "external_users": total.external_users,
                "valid": total.is_valid(),
                "show_admin_warning": show_admin_warning,
                "show_user_warning": show_user_warning,
                "read_only": read_only,
                "latest_valid": latest_valid,
                "has_license": License.objects.all().count() > 0,
            }
        )
        response.is_valid(raise_exception=True)
        return Response(response.data)
    @permission_required(None, ["authentik_enterprise.view_license"])
    @extend_schema(
        request=OpenApiTypes.NONE,
        responses={
            200: LicenseForecastSerializer(),
        },
    )
    @action(detail=False, methods=["GET"])
    def forecast(self, request: Request) -> Response:
        """Forecast how many users will be required in a year"""
        last_month = now() - timedelta(days=30)
        # Forecast for default users
        users_in_last_month = User.objects.filter(
            type=UserTypes.DEFAULT, date_joined__gte=last_month
        ).count()
        # Forecast for external users
        external_in_last_month = LicenseKey.get_external_user_count()
        forecast_for_months = 12
        response = LicenseForecastSerializer(
            data={
                "users": users_in_last_month * forecast_for_months,
                "external_users": external_in_last_month * forecast_for_months,
            }
        )
        response.is_valid(raise_exception=True)
        return Response(response.data)
--- a/authentik/enterprise/apps.py
+++ b/authentik/enterprise/apps.py
@ -9,3 +9,7 @@ class AuthentikEnterpriseConfig(ManagedAppConfig):
    label = "authentik_enterprise"
    verbose_name = "authentik Enterprise"
    default = True
    def reconcile_load_enterprise_signals(self):
        """Load enterprise signals"""
        self.import_module("authentik.enterprise.signals")
--- a/authentik/enterprise/migrations/0001_initial.py
+++ b/authentik/enterprise/migrations/0001_initial.py
@ -0,0 +1,52 @@
 # Generated by Django 4.1.10 on 2023-07-06 12:51
 import uuid
 from django.db import migrations, models
 import authentik.enterprise.models
 class Migration(migrations.Migration):
    initial = True
    dependencies = []
    operations = [
        migrations.CreateModel(
            name="License",
            fields=[
                (
                    "license_uuid",
                    models.UUIDField(
                        default=uuid.uuid4, editable=False, primary_key=True, serialize=False
                    ),
                ),
                ("key", models.TextField(unique=True)),
                ("name", models.TextField()),
                ("expiry", models.DateTimeField()),
                ("users", models.BigIntegerField()),
                ("external_users", models.BigIntegerField()),
            ],
        ),
        migrations.CreateModel(
            name="LicenseUsage",
            fields=[
                ("expiring", models.BooleanField(default=True)),
                ("expires", models.DateTimeField(default=authentik.enterprise.models.usage_expiry)),
                (
                    "usage_uuid",
                    models.UUIDField(
                        default=uuid.uuid4, editable=False, primary_key=True, serialize=False
                    ),
                ),
                ("user_count", models.BigIntegerField()),
                ("external_user_count", models.BigIntegerField()),
                ("within_limits", models.BooleanField()),
                ("record_date", models.DateTimeField(auto_now_add=True)),
            ],
            options={
                "abstract": False,
            },
        ),
    ]
--- a/authentik/enterprise/migrations/init.py
+++ b/authentik/enterprise/migrations/init.py
--- a/authentik/enterprise/models.py
+++ b/authentik/enterprise/models.py
@ -0,0 +1,185 @@
 """Enterprise models"""
 from base64 import b64decode
 from binascii import Error
 from dataclasses import dataclass, field
 from datetime import datetime, timedelta
 from enum import Enum
 from functools import lru_cache
 from time import mktime
 from uuid import uuid4
 from cryptography.exceptions import InvalidSignature
 from cryptography.x509 import Certificate, load_pem_x509_certificate
 from dacite import from_dict
 from django.db import models
 from django.db.models.query import QuerySet
 from django.utils.timezone import now
 from guardian.shortcuts import get_anonymous_user
 from jwt import PyJWTError, decode, get_unverified_header
 from rest_framework.exceptions import ValidationError
 from authentik.core.models import ExpiringModel, User, UserTypes
 from authentik.root.install_id import get_install_id
@lru_cache()
 def get_licensing_key() -> Certificate:
    """Get Root CA PEM"""
    with open("authentik/enterprise/public.pem", "rb") as _key:
        return load_pem_x509_certificate(_key.read())
 def get_license_aud() -> str:
    """Get the JWT audience field"""
    return f"enterprise.goauthentik.io/license/{get_install_id()}"
 class LicenseFlags(Enum):
    """License flags"""
@dataclass
 class LicenseKey:
    """License JWT claims"""
    aud: str
    exp: int
    name: str
    users: int
    external_users: int
    flags: list[LicenseFlags] = field(default_factory=list)
    @staticmethod
    def validate(jwt: str) -> "LicenseKey":
        """Validate the license from a given JWT"""
        try:
            headers = get_unverified_header(jwt)
        except PyJWTError:
            raise ValidationError("Unable to verify license")
        x5c: list[str] = headers.get("x5c", [])
        if len(x5c) < 1:
            raise ValidationError("Unable to verify license")
        try:
            our_cert = load_pem_x509_certificate(b64decode(x5c[0]))
            intermediate = load_pem_x509_certificate(b64decode(x5c[1]))
            our_cert.verify_directly_issued_by(intermediate)
            intermediate.verify_directly_issued_by(get_licensing_key())
        except (InvalidSignature, TypeError, ValueError, Error):
            raise ValidationError("Unable to verify license")
        try:
            body = from_dict(
                LicenseKey,
                decode(
                    jwt,
                    our_cert.public_key(),
                    algorithms=["ES521"],
                    audience=get_license_aud(),
                ),
            )
        except PyJWTError:
            raise ValidationError("Unable to verify license")
        return body
    @staticmethod
    def get_total() -> "LicenseKey":
        """Get a summarized version of all (not expired) licenses"""
        active_licenses = License.objects.filter(expiry__gte=now())
        total = LicenseKey(get_license_aud(), 0, "Summarized license", 0, 0)
        for lic in active_licenses:
            total.users += lic.users
            total.external_users += lic.external_users
            exp_ts = int(mktime(lic.expiry.timetuple()))
            if total.exp == 0:
                total.exp = exp_ts
            if exp_ts <= total.exp:
                total.exp = exp_ts
            total.flags.extend(lic.status.flags)
        return total
    @staticmethod
    def base_user_qs() -> QuerySet:
        """Base query set for all users"""
        return User.objects.all().exclude(pk=get_anonymous_user().pk)
    @staticmethod
    def get_default_user_count():
        """Get current default user count"""
        return LicenseKey.base_user_qs().filter(type=UserTypes.DEFAULT).count()
    @staticmethod
    def get_external_user_count():
        """Get current external user count"""
        # Count since start of the month
        last_month = now().replace(day=1)
        return (
            LicenseKey.base_user_qs()
            .filter(type=UserTypes.EXTERNAL, last_login__gte=last_month)
            .count()
        )
    def is_valid(self) -> bool:
        """Check if the given license body covers all users
        Only checks the current count, no historical data is checked"""
        default_users = self.get_default_user_count()
        if default_users > self.users:
            return False
        active_users = self.get_external_user_count()
        if active_users > self.external_users:
            return False
        return True
    def record_usage(self):
        """Capture the current validity status and metrics and save them"""
        LicenseUsage.objects.create(
            user_count=self.get_default_user_count(),
            external_user_count=self.get_external_user_count(),
            within_limits=self.is_valid(),
        )
    @staticmethod
    def last_valid_date() -> datetime:
        """Get the last date the license was valid"""
        usage: LicenseUsage = (
            LicenseUsage.filter_not_expired(within_limits=True).order_by("-record_date").first()
        )
        if not usage:
            return now()
        return usage.record_date
 class License(models.Model):
    """An authentik enterprise license"""
    license_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)
    key = models.TextField(unique=True)
    name = models.TextField()
    expiry = models.DateTimeField()
    users = models.BigIntegerField()
    external_users = models.BigIntegerField()
    @property
    def status(self) -> LicenseKey:
        """Get parsed license status"""
        return LicenseKey.validate(self.key)
 def usage_expiry():
    """Keep license usage records for 3 months"""
    return now() + timedelta(days=30 * 3)
 class LicenseUsage(ExpiringModel):
    """a single license usage record"""
    expires = models.DateTimeField(default=usage_expiry)
    usage_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)
    user_count = models.BigIntegerField()
    external_user_count = models.BigIntegerField()
    within_limits = models.BooleanField()
    record_date = models.DateTimeField(auto_now_add=True)
--- a/authentik/enterprise/policy.py
+++ b/authentik/enterprise/policy.py
@ -0,0 +1,46 @@
 """Enterprise license policies"""
 from typing import Optional
 from rest_framework.serializers import BaseSerializer
 from authentik.core.models import User, UserTypes
 from authentik.enterprise.models import LicenseKey
 from authentik.policies.models import Policy
 from authentik.policies.types import PolicyRequest, PolicyResult
 from authentik.policies.views import PolicyAccessView
 class EnterprisePolicy(Policy):
    """Check that a user is correctly licensed for the request"""
    @property
    def component(self) -> str:
        return ""
    @property
    def serializer(self) -> type[BaseSerializer]:
        raise NotImplementedError
    def passes(self, request: PolicyRequest) -> PolicyResult:
        if not LicenseKey.get_total().is_valid():
            return PolicyResult(False)
        if request.user.type != UserTypes.DEFAULT:
            return PolicyResult(False)
        return PolicyResult(True)
 class EnterprisePolicyAccessView(PolicyAccessView):
    """PolicyAccessView which also checks enterprise licensing"""
    def user_has_access(self, user: Optional[User] = None) -> PolicyResult:
        user = user or self.request.user
        request = PolicyRequest(user)
        request.http_request = self.request
        result = super().user_has_access(user)
        enterprise_result = EnterprisePolicy().passes(request)
        if not enterprise_result.passing:
            return enterprise_result
        return result
    def resolve_provider_application(self):
        raise NotImplementedError
--- a/authentik/enterprise/public.pem
+++ b/authentik/enterprise/public.pem
@ -0,0 +1,26 @@
 -----BEGIN CERTIFICATE-----
 MIIEdzCCA/6gAwIBAgIUQrj1jxn4q/BB38B2SwTrvGyrZLMwCgYIKoZIzj0EAwMw
 ge8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
 YW4gRnJhbmNpc2NvMSQwIgYDVQQJExs1NDggTWFya2V0IFN0cmVldCBQbWIgNzAx
 NDgxDjAMBgNVBBETBTk0MTA0MSAwHgYDVQQKExdBdXRoZW50aWsgU2VjdXJpdHkg
 SW5jLjEcMBoGA1UECxMTRW50ZXJwcmlzZSBMaWNlbnNlczE9MDsGA1UEAxM0QXV0
 aGVudGlrIFNlY3VyaXR5IEluYy4gRW50ZXJwcmlzZSBMaWNlbnNpbmcgUm9vdCBY
 MTAgFw0yMzA3MDQxNzQ3NDBaGA8yMTIzMDYxMDE3NDgxMFowge8xCzAJBgNVBAYT
 AlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2Nv
 MSQwIgYDVQQJExs1NDggTWFya2V0IFN0cmVldCBQbWIgNzAxNDgxDjAMBgNVBBET
 BTk0MTA0MSAwHgYDVQQKExdBdXRoZW50aWsgU2VjdXJpdHkgSW5jLjEcMBoGA1UE
 CxMTRW50ZXJwcmlzZSBMaWNlbnNlczE9MDsGA1UEAxM0QXV0aGVudGlrIFNlY3Vy
 aXR5IEluYy4gRW50ZXJwcmlzZSBMaWNlbnNpbmcgUm9vdCBYMTB2MBAGByqGSM49
 AgEGBSuBBAAiA2IABNbPJH6nDbSshpDsDHBRL0UcZVXWCK30txqcMKU+YFmLB6iR
 PJiHjHA8Z+5aP4eNH6onA5xqykQf65tvbFBA1LB/6HqMArU/tYVVQx4+o9hRBxF5
 RrzXucUg2br+RX8aa6OCAVUwggFRMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E
 BTADAQH/MB0GA1UdDgQWBBRHpR3/ptPgN0yHVfUjyJOEmsPZqTAfBgNVHSMEGDAW
 gBRHpR3/ptPgN0yHVfUjyJOEmsPZqTCBoAYIKwYBBQUHAQEEgZMwgZAwRwYIKwYB
 BQUHMAGGO2h0dHBzOi8vdmF1bHQuY3VzdG9tZXJzLmdvYXV0aGVudGlrLmlvL3Yx
 L2xpY2Vuc2luZy1jYS9vY3NwMEUGCCsGAQUFBzAChjlodHRwczovL3ZhdWx0LmN1
 c3RvbWVycy5nb2F1dGhlbnRpay5pby92MS9saWNlbnNpbmctY2EvY2EwSwYDVR0f
 BEQwQjBAoD6gPIY6aHR0cHM6Ly92YXVsdC5jdXN0b21lcnMuZ29hdXRoZW50aWsu
 aW8vdjEvbGljZW5zaW5nLWNhL2NybDAKBggqhkjOPQQDAwNnADBkAjB0+YA1yjEO
 g43CCYUJXz9m9CNIkjOPUI0jO4UtvSj8j067TKRbX6IL/29HxPtQoYACME8eZHBJ
 Ljcog0oeBgjr4wK8bobgknr5wrm70rrNNpbSAjDvTvXMQeAShGgsftEquQ==
 -----END CERTIFICATE-----
--- a/authentik/enterprise/settings.py
+++ b/authentik/enterprise/settings.py
@ -1 +1,12 @@
 """Enterprise additional settings"""
 from celery.schedules import crontab
 from authentik.lib.utils.time import fqdn_rand
 CELERY_BEAT_SCHEDULE = {
    "enterprise_calculate_license": {
        "task": "authentik.enterprise.tasks.calculate_license",
        "schedule": crontab(minute=fqdn_rand("calculate_license"), hour="*/8"),
        "options": {"queue": "authentik_scheduled"},
    }
 }
--- a/authentik/enterprise/signals.py
+++ b/authentik/enterprise/signals.py
@ -0,0 +1,18 @@
 """Enterprise signals"""
 from datetime import datetime
 from django.db.models.signals import pre_save
 from django.dispatch import receiver
 from django.utils.timezone import get_current_timezone
 from authentik.enterprise.models import License
@receiver(pre_save, sender=License)
 def pre_save_license(sender: type[License], instance: License, **_):
    """Extract data from license jwt and save it into model"""
    status = instance.status
    instance.name = status.name
    instance.users = status.users
    instance.external_users = status.external_users
    instance.expiry = datetime.fromtimestamp(status.exp, tz=get_current_timezone())
--- a/authentik/enterprise/tasks.py
+++ b/authentik/enterprise/tasks.py
@ -0,0 +1,10 @@
 """Enterprise tasks"""
 from authentik.enterprise.models import LicenseKey
 from authentik.root.celery import CELERY_APP
@CELERY_APP.task()
 def calculate_license():
    """Calculate licensing status"""
    total = LicenseKey.get_total()
    total.record_usage()
--- a/authentik/enterprise/tests/init.py
+++ b/authentik/enterprise/tests/init.py
--- a/authentik/enterprise/tests/test_license.py
+++ b/authentik/enterprise/tests/test_license.py
@ -0,0 +1,64 @@
 """Enterprise license tests"""
 from datetime import timedelta
 from time import mktime
 from unittest.mock import MagicMock, patch
 from django.test import TestCase
 from django.utils.timezone import now
 from rest_framework.exceptions import ValidationError
 from authentik.enterprise.models import License, LicenseKey
 from authentik.lib.generators import generate_id
 _exp = int(mktime((now() + timedelta(days=3000)).timetuple()))
 class TestEnterpriseLicense(TestCase):
    """Enterprise license tests"""
    @patch(
        "authentik.enterprise.models.LicenseKey.validate",
        MagicMock(
            return_value=LicenseKey(
                aud="",
                exp=_exp,
                name=generate_id(),
                users=100,
                external_users=100,
            )
        ),
    )
    def test_valid(self):
        """Check license verification"""
        lic = License.objects.create(key=generate_id())
        self.assertTrue(lic.status.is_valid())
        self.assertEqual(lic.users, 100)
    def test_invalid(self):
        """Test invalid license"""
        with self.assertRaises(ValidationError):
            License.objects.create(key=generate_id())
    @patch(
        "authentik.enterprise.models.LicenseKey.validate",
        MagicMock(
            return_value=LicenseKey(
                aud="",
                exp=_exp,
                name=generate_id(),
                users=100,
                external_users=100,
            )
        ),
    )
    def test_valid_multiple(self):
        """Check license verification"""
        lic = License.objects.create(key=generate_id())
        self.assertTrue(lic.status.is_valid())
        lic2 = License.objects.create(key=generate_id())
        self.assertTrue(lic2.status.is_valid())
        total = LicenseKey.get_total()
        self.assertEqual(total.users, 200)
        self.assertEqual(total.external_users, 200)
        self.assertEqual(total.exp, _exp)
        self.assertTrue(total.is_valid())
--- a/authentik/enterprise/urls.py
+++ b/authentik/enterprise/urls.py
@ -0,0 +1,7 @@
 """API URLs"""
 from authentik.enterprise.api import LicenseViewSet
 api_urlpatterns = [
    ("enterprise/license", LicenseViewSet),
 ]
--- a/authentik/lib/tests/test_http.py
+++ b/authentik/lib/tests/test_http.py
@ -1,7 +1,7 @@
 """Test HTTP Helpers"""
 from django.test import RequestFactory, TestCase
-from authentik.core.models import USER_ATTRIBUTE_CAN_OVERRIDE_IP, Token, TokenIntents
+from authentik.core.models import Token, TokenIntents, UserTypes
 from authentik.core.tests.utils import create_test_admin_user
 from authentik.lib.utils.http import OUTPOST_REMOTE_IP_HEADER, OUTPOST_TOKEN_HEADER, get_client_ip
 from authentik.lib.views import bad_request_message
@ -53,7 +53,7 @@ class TestHTTP(TestCase):
        )
        self.assertEqual(get_client_ip(request), "127.0.0.1")
        # Valid
-        self.user.attributes[USER_ATTRIBUTE_CAN_OVERRIDE_IP] = True
+        self.user.type = UserTypes.INTERNAL_SERVICE_ACCOUNT
        self.user.save()
        request = self.factory.get(
            "/",
--- a/authentik/lib/utils/http.py
+++ b/authentik/lib/utils/http.py
@ -33,9 +33,8 @@ def _get_client_ip_from_meta(meta: dict[str, Any]) -> str:
 def _get_outpost_override_ip(request: HttpRequest) -> Optional[str]:
    """Get the actual remote IP when set by an outpost. Only
-    allowed when the request is authenticated, by a user with USER_ATTRIBUTE_CAN_OVERRIDE_IP set
+    allowed when the request is authenticated, by an outpost internal service account"""
-    to outpost"""
+    from authentik.core.models import Token, TokenIntents, UserTypes
    from authentik.core.models import USER_ATTRIBUTE_CAN_OVERRIDE_IP, Token, TokenIntents
    if OUTPOST_REMOTE_IP_HEADER not in request.META or OUTPOST_TOKEN_HEADER not in request.META:
        return None
@ -51,7 +50,7 @@ def _get_outpost_override_ip(request: HttpRequest) -> Optional[str]:
        LOGGER.warning("Attempted remote-ip override without token", fake_ip=fake_ip)
        return None
    user = token.user
-    if not user.group_attributes(request).get(USER_ATTRIBUTE_CAN_OVERRIDE_IP, False):
+    if user.type != UserTypes.INTERNAL_SERVICE_ACCOUNT:
        LOGGER.warning(
            "Remote-IP override: user doesn't have permission",
            user=user,
--- a/authentik/outposts/models.py
+++ b/authentik/outposts/models.py
@ -20,13 +20,12 @@ from structlog.stdlib import get_logger
 from authentik import __version__, get_build_hash
 from authentik.blueprints.models import ManagedModel
 from authentik.core.models import (
    USER_ATTRIBUTE_CAN_OVERRIDE_IP,
    USER_ATTRIBUTE_SA,
    USER_PATH_SYSTEM_PREFIX,
    Provider,
    Token,
    TokenIntents,
    User,
    UserTypes,
 )
 from authentik.crypto.models import CertificateKeyPair
 from authentik.events.models import Event, EventAction
@ -346,8 +345,7 @@ class Outpost(SerializerModel, ManagedModel):
            user: User = User.objects.create(username=self.user_identifier)
            user.set_unusable_password()
            user_created = True
-        user.attributes[USER_ATTRIBUTE_SA] = True
+        user.type = UserTypes.INTERNAL_SERVICE_ACCOUNT
        user.attributes[USER_ATTRIBUTE_CAN_OVERRIDE_IP] = True
        user.name = f"Outpost {self.name} Service-Account"
        user.path = USER_PATH_OUTPOSTS
        user.save()
--- a/authentik/policies/engine.py
+++ b/authentik/policies/engine.py
@ -64,7 +64,7 @@ class PolicyEngine:
        self.use_cache = True
        self.__expected_result_count = 0
-    def _iter_bindings(self) -> Iterator[PolicyBinding]:
+    def iterate_bindings(self) -> Iterator[PolicyBinding]:
        """Make sure all Policies are their respective classes"""
        return (
            PolicyBinding.objects.filter(target=self.__pbm, enabled=True)
@ -88,7 +88,7 @@ class PolicyEngine:
            span: Span
            span.set_data("pbm", self.__pbm)
            span.set_data("request", self.request)
-            for binding in self._iter_bindings():
+            for binding in self.iterate_bindings():
                self.__expected_result_count += 1
                self._check_policy_type(binding)
--- a/authentik/providers/oauth2/tests/test_token_cc.py
+++ b/authentik/providers/oauth2/tests/test_token_cc.py
@ -6,7 +6,7 @@ from django.urls import reverse
 from jwt import decode
 from authentik.blueprints.tests import apply_blueprint
-from authentik.core.models import USER_ATTRIBUTE_SA, Application, Group, Token, TokenIntents
+from authentik.core.models import Application, Group, Token, TokenIntents, UserTypes
 from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
 from authentik.policies.models import PolicyBinding
 from authentik.providers.oauth2.constants import (
@ -37,7 +37,7 @@ class TestTokenClientCredentials(OAuthTestCase):
        self.provider.property_mappings.set(ScopeMapping.objects.all())
        self.app = Application.objects.create(name="test", slug="test", provider=self.provider)
        self.user = create_test_admin_user("sa")
-        self.user.attributes[USER_ATTRIBUTE_SA] = True
+        self.user.type = UserTypes.SERVICE_ACCOUNT
        self.user.save()
        self.token = Token.objects.create(
            identifier="sa-token",
--- a/authentik/providers/scim/models.py
+++ b/authentik/providers/scim/models.py
@ -1,17 +1,11 @@
 """SCIM Provider models"""
 from django.db import models
-from django.db.models import Q, QuerySet
+from django.db.models import QuerySet
 from django.utils.translation import gettext_lazy as _
 from guardian.shortcuts import get_anonymous_user
 from rest_framework.serializers import Serializer
-from authentik.core.models import (
+from authentik.core.models import BackchannelProvider, Group, PropertyMapping, User, UserTypes
    USER_ATTRIBUTE_SA,
    BackchannelProvider,
    Group,
    PropertyMapping,
    User,
 )
 class SCIMProvider(BackchannelProvider):
@ -38,17 +32,8 @@ class SCIMProvider(BackchannelProvider):
        according to the provider's settings"""
        base = User.objects.all().exclude(pk=get_anonymous_user().pk)
        if self.exclude_users_service_account:
-            base = base.filter(
+            base = base.exclude(type=UserTypes.SERVICE_ACCOUNT).exclude(
-                Q(
+                type=UserTypes.INTERNAL_SERVICE_ACCOUNT
                    **{
                        f"attributes__{USER_ATTRIBUTE_SA}__isnull": True,
                    }
                )
                | Q(
                    **{
                        f"attributes__{USER_ATTRIBUTE_SA}": False,
                    }
                )
            )
        if self.filter_group:
            base = base.filter(ak_groups__in=[self.filter_group])
--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@ -146,6 +146,7 @@ SPECTACULAR_SETTINGS = {
        "PromptTypeEnum": "authentik.stages.prompt.models.FieldTypes",
        "LDAPAPIAccessMode": "authentik.providers.ldap.models.APIAccessMode",
        "UserVerificationEnum": "authentik.stages.authenticator_webauthn.models.UserVerification",
        "UserTypeEnum": "authentik.core.models.UserTypes",
    },
    "ENUM_ADD_EXPLICIT_BLANK_NULL_CHOICE": False,
    "POSTPROCESSING_HOOKS": [
--- a/authentik/stages/prompt/stage.py
+++ b/authentik/stages/prompt/stage.py
@ -179,7 +179,7 @@ class ListPolicyEngine(PolicyEngine):
        self.__list = policies
        self.use_cache = False
-    def _iter_bindings(self) -> Iterator[PolicyBinding]:
+    def iterate_bindings(self) -> Iterator[PolicyBinding]:
        for policy in self.__list:
            yield PolicyBinding(
                policy=policy,
--- a/blueprints/schema.json
+++ b/blueprints/schema.json
@ -3980,6 +3980,16 @@
                            "type": "string",
                            "minLength": 1,
                            "title": "Path"
                        },
                        "type": {
                            "type": "string",
                            "enum": [
                                "default",
                                "external",
                                "service_account",
                                "internal_service_account"
                            ],
                            "title": "Type"
                        }
                    },
                    "required": [
@ -4171,6 +4181,16 @@
                            "type": "string",
                            "minLength": 1,
                            "title": "Path"
                        },
                        "type": {
                            "type": "string",
                            "enum": [
                                "default",
                                "external",
                                "service_account",
                                "internal_service_account"
                            ],
                            "title": "Type"
                        }
                    },
                    "required": [
@ -4366,6 +4386,16 @@
                            "type": "string",
                            "minLength": 1,
                            "title": "Path"
                        },
                        "type": {
                            "type": "string",
                            "enum": [
                                "default",
                                "external",
                                "service_account",
                                "internal_service_account"
                            ],
                            "title": "Type"
                        }
                    },
                    "required": [
@ -6522,6 +6552,16 @@
                            "type": "string",
                            "minLength": 1,
                            "title": "Path"
                        },
                        "type": {
                            "type": "string",
                            "enum": [
                                "default",
                                "external",
                                "service_account",
                                "internal_service_account"
                            ],
                            "title": "Type"
                        }
                    },
                    "required": [
@ -7257,6 +7297,16 @@
                            "type": "string",
                            "minLength": 1,
                            "title": "Path"
                        },
                        "type": {
                            "type": "string",
                            "enum": [
                                "default",
                                "external",
                                "service_account",
                                "internal_service_account"
                            ],
                            "title": "Type"
                        }
                    },
                    "required": [
@ -8334,6 +8384,16 @@
                    "minLength": 1,
                    "title": "Path"
                },
                "type": {
                    "type": "string",
                    "enum": [
                        "default",
                        "external",
                        "service_account",
                        "internal_service_account"
                    ],
                    "title": "Type"
                },
                "password": {
                    "type": "string",
                    "minLength": 1,
--- a/internal/outpost/ldap/search/direct/schema.go
+++ b/internal/outpost/ldap/search/direct/schema.go
@ -41,7 +41,7 @@ func (ds *DirectSearcher) SearchSubschema(req *search.Request) (ldap.ServerSearc
 							// Custom attributes
 							// Temporarily use 1.3.6.1.4.1.26027.1.1 as a base
 							// https://docs.oracle.com/cd/E19450-01/820-6169/working-with-object-identifiers.html#obtaining-a-base-oid
-							"( 1.3.6.1.4.1.26027.1.1.1 NAME 'goauthentik.io/ldap/user' SUP organizationalPerson STRUCTURAL MAY ( ak-active $ sAMAccountName $ goauthentikio-user-sources $ goauthentik.io/user/sources $ goauthentik.io/ldap/active $ goauthentik.io/ldap/superuser $ goauthentikio-user-override-ips $ goauthentikio-user-service-account ) )",
+							"( 1.3.6.1.4.1.26027.1.1.1 NAME 'goauthentik.io/ldap/user' SUP organizationalPerson STRUCTURAL MAY ( ak-active $ sAMAccountName $ goauthentikio-user-sources $ goauthentik.io/user/sources $ goauthentik.io/ldap/active $ goauthentik.io/ldap/superuser ) )",
 						},
 					},
 					{
@ -85,8 +85,6 @@ func (ds *DirectSearcher) SearchSubschema(req *search.Request) (ldap.ServerSearc
 							// https://docs.oracle.com/cd/E19450-01/820-6169/working-with-object-identifiers.html#obtaining-a-base-oid
 							"( 1.3.6.1.4.1.26027.1.1.2 NAME ( 'goauthentik.io/ldap/superuser' 'ak-superuser' ) SYNTAX '1.3.6.1.4.1.1466.115.121.1.7' SINGLE-VALUE )",
 							"( 1.3.6.1.4.1.26027.1.1.3 NAME ( 'goauthentik.io/ldap/active' 'ak-active' ) SYNTAX '1.3.6.1.4.1.1466.115.121.1.7' SINGLE-VALUE )",
 							"( 1.3.6.1.4.1.26027.1.1.4 NAME 'goauthentikio-user-override-ips' SYNTAX '1.3.6.1.4.1.1466.115.121.1.7' SINGLE-VALUE )",
 							"( 1.3.6.1.4.1.26027.1.1.5 NAME 'goauthentikio-user-service-account' SYNTAX '1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE' )",
 						},
 					},
 				},
--- a/locale/en/LC_MESSAGES/django.po
+++ b/locale/en/LC_MESSAGES/django.po
@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2023-07-11 18:34+0000\n"
+"POT-Creation-Date: 2023-07-16 13:59+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@ -90,133 +90,133 @@ msgstr ""
 msgid "No empty segments in user path allowed."
 msgstr ""
-#: authentik/core/models.py:74
+#: authentik/core/models.py:86
 msgid "name"
 msgstr ""
-#: authentik/core/models.py:76
+#: authentik/core/models.py:88
 msgid "Users added to this group will be superusers."
 msgstr ""
-#: authentik/core/models.py:150
+#: authentik/core/models.py:162
 msgid "User's display name."
 msgstr ""
-#: authentik/core/models.py:243 authentik/providers/oauth2/models.py:294
+#: authentik/core/models.py:256 authentik/providers/oauth2/models.py:294
 msgid "User"
 msgstr ""
-#: authentik/core/models.py:244
+#: authentik/core/models.py:257
 msgid "Users"
 msgstr ""
-#: authentik/core/models.py:257
+#: authentik/core/models.py:270
 msgid ""
 "Flow used for authentication when the associated application is accessed by "
 "an un-authenticated user."
 msgstr ""
-#: authentik/core/models.py:267
+#: authentik/core/models.py:280
 msgid "Flow used when authorizing this provider."
 msgstr ""
-#: authentik/core/models.py:279
+#: authentik/core/models.py:292
 msgid ""
 "Accessed from applications; optional backchannel providers for protocols "
 "like LDAP and SCIM."
 msgstr ""
-#: authentik/core/models.py:334
+#: authentik/core/models.py:347
 msgid "Application's display Name."
 msgstr ""
-#: authentik/core/models.py:335
+#: authentik/core/models.py:348
 msgid "Internal application name, used in URLs."
 msgstr ""
-#: authentik/core/models.py:347
+#: authentik/core/models.py:360
 msgid "Open launch URL in a new browser tab or window."
 msgstr ""
-#: authentik/core/models.py:411
+#: authentik/core/models.py:424
 msgid "Application"
 msgstr ""
-#: authentik/core/models.py:412
+#: authentik/core/models.py:425
 msgid "Applications"
 msgstr ""
-#: authentik/core/models.py:418
+#: authentik/core/models.py:431
 msgid "Use the source-specific identifier"
 msgstr ""
-#: authentik/core/models.py:420
+#: authentik/core/models.py:433
 msgid ""
 "Link to a user with identical email address. Can have security implications "
 "when a source doesn't validate email addresses."
 msgstr ""
-#: authentik/core/models.py:424
+#: authentik/core/models.py:437
 msgid ""
 "Use the user's email address, but deny enrollment when the email address "
 "already exists."
 msgstr ""
-#: authentik/core/models.py:427
+#: authentik/core/models.py:440
 msgid ""
 "Link to a user with identical username. Can have security implications when "
 "a username is used with another source."
 msgstr ""
-#: authentik/core/models.py:431
+#: authentik/core/models.py:444
 msgid ""
 "Use the user's username, but deny enrollment when the username already "
 "exists."
 msgstr ""
-#: authentik/core/models.py:438
+#: authentik/core/models.py:451
 msgid "Source's display Name."
 msgstr ""
-#: authentik/core/models.py:439
+#: authentik/core/models.py:452
 msgid "Internal source name, used in URLs."
 msgstr ""
-#: authentik/core/models.py:458
+#: authentik/core/models.py:471
 msgid "Flow to use when authenticating existing users."
 msgstr ""
-#: authentik/core/models.py:467
+#: authentik/core/models.py:480
 msgid "Flow to use when enrolling new users."
 msgstr ""
-#: authentik/core/models.py:475
+#: authentik/core/models.py:488
 msgid ""
 "How the source determines if an existing user should be authenticated or a "
 "new user enrolled."
 msgstr ""
-#: authentik/core/models.py:647
+#: authentik/core/models.py:660
 msgid "Token"
 msgstr ""
-#: authentik/core/models.py:648
+#: authentik/core/models.py:661
 msgid "Tokens"
 msgstr ""
-#: authentik/core/models.py:689
+#: authentik/core/models.py:702
 msgid "Property Mapping"
 msgstr ""
-#: authentik/core/models.py:690
+#: authentik/core/models.py:703
 msgid "Property Mappings"
 msgstr ""
-#: authentik/core/models.py:725
+#: authentik/core/models.py:738
 msgid "Authenticated Session"
 msgstr ""
-#: authentik/core/models.py:726
+#: authentik/core/models.py:739
 msgid "Authenticated Sessions"
 msgstr ""
@ -585,65 +585,65 @@ msgstr ""
 msgid "Invalid kubeconfig"
 msgstr ""
-#: authentik/outposts/models.py:122
+#: authentik/outposts/models.py:121
 msgid ""
 "If enabled, use the local connection. Required Docker socket/Kubernetes "
 "Integration"
 msgstr ""
-#: authentik/outposts/models.py:152
+#: authentik/outposts/models.py:151
 msgid "Outpost Service-Connection"
 msgstr ""
-#: authentik/outposts/models.py:153
+#: authentik/outposts/models.py:152
 msgid "Outpost Service-Connections"
 msgstr ""
-#: authentik/outposts/models.py:161
+#: authentik/outposts/models.py:160
 msgid ""
 "Can be in the format of 'unix://<path>' when connecting to a local docker "
 "daemon, or 'https://<hostname>:2376' when connecting to a remote system."
 msgstr ""
-#: authentik/outposts/models.py:173
+#: authentik/outposts/models.py:172
 msgid ""
 "CA which the endpoint's Certificate is verified against. Can be left empty "
 "for no validation."
 msgstr ""
-#: authentik/outposts/models.py:185
+#: authentik/outposts/models.py:184
 msgid ""
 "Certificate/Key used for authentication. Can be left empty for no "
 "authentication."
 msgstr ""
-#: authentik/outposts/models.py:203
+#: authentik/outposts/models.py:202
 msgid "Docker Service-Connection"
 msgstr ""
-#: authentik/outposts/models.py:204
+#: authentik/outposts/models.py:203
 msgid "Docker Service-Connections"
 msgstr ""
-#: authentik/outposts/models.py:212
+#: authentik/outposts/models.py:211
 msgid ""
 "Paste your kubeconfig here. authentik will automatically use the currently "
 "selected context."
 msgstr ""
-#: authentik/outposts/models.py:218
+#: authentik/outposts/models.py:217
 msgid "Verify SSL Certificates of the Kubernetes API endpoint"
 msgstr ""
-#: authentik/outposts/models.py:235
+#: authentik/outposts/models.py:234
 msgid "Kubernetes Service-Connection"
 msgstr ""
-#: authentik/outposts/models.py:236
+#: authentik/outposts/models.py:235
 msgid "Kubernetes Service-Connections"
 msgstr ""
-#: authentik/outposts/models.py:252
+#: authentik/outposts/models.py:251
 msgid ""
 "Select Service-Connection authentik should use to manage this outpost. Leave "
 "empty if authentik should not handle the deployment."
@ -1373,31 +1373,31 @@ msgstr ""
 msgid "SAML Property Mappings"
 msgstr ""
-#: authentik/providers/scim/models.py:26
+#: authentik/providers/scim/models.py:20
 msgid "Base URL to SCIM requests, usually ends in /v2"
 msgstr ""
-#: authentik/providers/scim/models.py:27
+#: authentik/providers/scim/models.py:21
 msgid "Authentication token"
 msgstr ""
-#: authentik/providers/scim/models.py:33 authentik/sources/ldap/models.py:94
+#: authentik/providers/scim/models.py:27 authentik/sources/ldap/models.py:94
 msgid "Property mappings used for group creation/updating."
 msgstr ""
-#: authentik/providers/scim/models.py:75
+#: authentik/providers/scim/models.py:60
 msgid "SCIM Provider"
 msgstr ""
-#: authentik/providers/scim/models.py:76
+#: authentik/providers/scim/models.py:61
 msgid "SCIM Providers"
 msgstr ""
-#: authentik/providers/scim/models.py:96
+#: authentik/providers/scim/models.py:81
 msgid "SCIM Mapping"
 msgstr ""
-#: authentik/providers/scim/models.py:97
+#: authentik/providers/scim/models.py:82
 msgid "SCIM Mappings"
 msgstr ""
--- a/schema.yml
+++ b/schema.yml
@ -4604,6 +4604,20 @@ paths:
        description: A search term.
        schema:
          type: string
      - in: query
        name: type
        schema:
          type: string
          enum:
          - default
          - external
          - internal_service_account
          - service_account
        description: |-
          * `default` - Default
          * `external` - External
          * `service_account` - Service Account
          * `internal_service_account` - Internal Service Account
      - in: query
        name: username
        schema:
@ -4612,6 +4626,7 @@ paths:
        name: uuid
        schema:
          type: string
          format: uuid
      tags:
      - core
      security:
@ -5527,6 +5542,356 @@ paths:
              schema:
                $ref: '#/components/schemas/GenericError'
          description: ''
  /enterprise/license/:
    get:
      operationId: enterprise_license_list
      description: License Viewset
      parameters:
      - in: query
        name: name
        schema:
          type: string
      - name: ordering
        required: false
        in: query
        description: Which field to use when ordering the results.
        schema:
          type: string
      - name: page
        required: false
        in: query
        description: A page number within the paginated result set.
        schema:
          type: integer
      - name: page_size
        required: false
        in: query
        description: Number of results to return per page.
        schema:
          type: integer
      - name: search
        required: false
        in: query
        description: A search term.
        schema:
          type: string
      tags:
      - enterprise
      security:
      - authentik: []
      responses:
        '200':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PaginatedLicenseList'
          description: ''
        '400':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ValidationError'
          description: ''
        '403':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/GenericError'
          description: ''
    post:
      operationId: enterprise_license_create
      description: License Viewset
      tags:
      - enterprise
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/LicenseRequest'
        required: true
      security:
      - authentik: []
      responses:
        '201':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/License'
          description: ''
        '400':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ValidationError'
          description: ''
        '403':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/GenericError'
          description: ''
  /enterprise/license/{license_uuid}/:
    get:
      operationId: enterprise_license_retrieve
      description: License Viewset
      parameters:
      - in: path
        name: license_uuid
        schema:
          type: string
          format: uuid
        description: A UUID string identifying this license.
        required: true
      tags:
      - enterprise
      security:
      - authentik: []
      responses:
        '200':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/License'
          description: ''
        '400':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ValidationError'
          description: ''
        '403':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/GenericError'
          description: ''
    put:
      operationId: enterprise_license_update
      description: License Viewset
      parameters:
      - in: path
        name: license_uuid
        schema:
          type: string
          format: uuid
        description: A UUID string identifying this license.
        required: true
      tags:
      - enterprise
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/LicenseRequest'
        required: true
      security:
      - authentik: []
      responses:
        '200':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/License'
          description: ''
        '400':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ValidationError'
          description: ''
        '403':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/GenericError'
          description: ''
    patch:
      operationId: enterprise_license_partial_update
      description: License Viewset
      parameters:
      - in: path
        name: license_uuid
        schema:
          type: string
          format: uuid
        description: A UUID string identifying this license.
        required: true
      tags:
      - enterprise
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/PatchedLicenseRequest'
      security:
      - authentik: []
      responses:
        '200':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/License'
          description: ''
        '400':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ValidationError'
          description: ''
        '403':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/GenericError'
          description: ''
    delete:
      operationId: enterprise_license_destroy
      description: License Viewset
      parameters:
      - in: path
        name: license_uuid
        schema:
          type: string
          format: uuid
        description: A UUID string identifying this license.
        required: true
      tags:
      - enterprise
      security:
      - authentik: []
      responses:
        '204':
          description: No response body
        '400':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ValidationError'
          description: ''
        '403':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/GenericError'
          description: ''
  /enterprise/license/{license_uuid}/used_by/:
    get:
      operationId: enterprise_license_used_by_list
      description: Get a list of all objects that use this object
      parameters:
      - in: path
        name: license_uuid
        schema:
          type: string
          format: uuid
        description: A UUID string identifying this license.
        required: true
      tags:
      - enterprise
      security:
      - authentik: []
      responses:
        '200':
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/UsedBy'
          description: ''
        '400':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ValidationError'
          description: ''
        '403':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/GenericError'
          description: ''
  /enterprise/license/forecast/:
    get:
      operationId: enterprise_license_forecast_retrieve
      description: Forecast how many users will be required in a year
      tags:
      - enterprise
      security:
      - authentik: []
      responses:
        '200':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/LicenseForecast'
          description: ''
        '400':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ValidationError'
          description: ''
        '403':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/GenericError'
          description: ''
  /enterprise/license/get_install_id/:
    get:
      operationId: enterprise_license_get_install_id_retrieve
      description: Get install_id
      tags:
      - enterprise
      security:
      - authentik: []
      responses:
        '200':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/InstallID'
          description: ''
        '400':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ValidationError'
          description: ''
        '403':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/GenericError'
          description: ''
  /enterprise/license/summary/:
    get:
      operationId: enterprise_license_summary_retrieve
      description: Get the total license status
      tags:
      - enterprise
      security:
      - authentik: []
      responses:
        '200':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/LicenseSummary'
          description: ''
        '400':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ValidationError'
          description: ''
        '403':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/GenericError'
          description: ''
  /events/events/:
    get:
      operationId: events_events_list
@ -30468,6 +30833,13 @@ components:
          type: boolean
      required:
      - name
    InstallID:
      type: object
      properties:
        install_id:
          type: string
      required:
      - install_id
    IntentEnum:
      enum:
      - verification
@ -31336,6 +31708,86 @@ components:
        * `content_right` - CONTENT_RIGHT
        * `sidebar_left` - SIDEBAR_LEFT
        * `sidebar_right` - SIDEBAR_RIGHT
    License:
      type: object
      description: License Serializer
      properties:
        license_uuid:
          type: string
          format: uuid
          readOnly: true
        name:
          type: string
          readOnly: true
        key:
          type: string
        expiry:
          type: string
          format: date-time
          readOnly: true
        users:
          type: integer
          readOnly: true
        external_users:
          type: integer
          readOnly: true
      required:
      - expiry
      - external_users
      - key
      - license_uuid
      - name
      - users
    LicenseForecast:
      type: object
      description: Serializer for license forecast
      properties:
        users:
          type: integer
        external_users:
          type: integer
      required:
      - external_users
      - users
    LicenseRequest:
      type: object
      description: License Serializer
      properties:
        key:
          type: string
          minLength: 1
      required:
      - key
    LicenseSummary:
      type: object
      description: Serializer for license status
      properties:
        users:
          type: integer
        external_users:
          type: integer
        valid:
          type: boolean
        show_admin_warning:
          type: boolean
        show_user_warning:
          type: boolean
        read_only:
          type: boolean
        latest_valid:
          type: string
          format: date-time
        has_license:
          type: boolean
      required:
      - external_users
      - has_license
      - latest_valid
      - read_only
      - show_admin_warning
      - show_user_warning
      - users
      - valid
    Link:
      type: object
      description: Returns a single link
@ -33686,6 +34138,41 @@ components:
      required:
      - pagination
      - results
    PaginatedLicenseList:
      type: object
      properties:
        pagination:
          type: object
          properties:
            next:
              type: number
            previous:
              type: number
            count:
              type: number
            current:
              type: number
            total_pages:
              type: number
            start_index:
              type: number
            end_index:
              type: number
          required:
          - next
          - previous
          - count
          - current
          - total_pages
          - start_index
          - end_index
        results:
          type: array
          items:
            $ref: '#/components/schemas/License'
      required:
      - pagination
      - results
    PaginatedNotificationList:
      type: object
      properties:
@ -36850,6 +37337,13 @@ components:
            type: string
            format: uuid
          description: Property mappings used for group creation/updating.
    PatchedLicenseRequest:
      type: object
      description: License Serializer
      properties:
        key:
          type: string
          minLength: 1
    PatchedNotificationRequest:
      type: object
      description: Notification Serializer
@ -38033,6 +38527,8 @@ components:
        path:
          type: string
          minLength: 1
        type:
          $ref: '#/components/schemas/UserTypeEnum'
    PatchedUserSAMLSourceConnectionRequest:
      type: object
      description: SAML Source Serializer
@ -41430,6 +41926,8 @@ components:
          readOnly: true
        path:
          type: string
        type:
          $ref: '#/components/schemas/UserTypeEnum'
      required:
      - avatar
      - groups_obj
@ -41888,6 +42386,8 @@ components:
        path:
          type: string
          minLength: 1
        type:
          $ref: '#/components/schemas/UserTypeEnum'
      required:
      - name
      - username
@ -41971,6 +42471,8 @@ components:
          additionalProperties: {}
          description: Get user settings with tenant and group settings applied
          readOnly: true
        type:
          $ref: '#/components/schemas/UserTypeEnum'
      required:
      - avatar
      - groups
@ -42071,6 +42573,18 @@ components:
      - pk
      - source
      - user
    UserTypeEnum:
      enum:
      - default
      - external
      - service_account
      - internal_service_account
      type: string
      description: |-
        * `default` - Default
        * `external` - External
        * `service_account` - Service Account
        * `internal_service_account` - Internal Service Account
    UserVerificationEnum:
      enum:
      - required
--- a/tests/e2e/test_provider_ldap.py
+++ b/tests/e2e/test_provider_ldap.py
@ -256,8 +256,6 @@ class TestProviderLDAP(SeleniumTestCase):
                    "homeDirectory": f"/home/{o_user.username}",
                    "ak-active": True,
                    "ak-superuser": False,
                    "goauthentikio-user-override-ips": True,
                    "goauthentikio-user-service-account": True,
                },
                "type": "searchResEntry",
            },
@ -284,8 +282,6 @@ class TestProviderLDAP(SeleniumTestCase):
                    "homeDirectory": f"/home/{embedded_account.username}",
                    "ak-active": True,
                    "ak-superuser": False,
                    "goauthentikio-user-override-ips": True,
                    "goauthentikio-user-service-account": True,
                },
                "type": "searchResEntry",
            },
--- a/web/.prettierignore
+++ b/web/.prettierignore
@ -8,3 +8,4 @@ coverage
 poly.ts
 src/locale-codes.ts
 src/locales/
 storybook-static/
--- a/web/src/admin/AdminInterface.ts
+++ b/web/src/admin/AdminInterface.ts
@ -11,6 +11,7 @@ import { me } from "@goauthentik/common/users";
 import { WebsocketClient } from "@goauthentik/common/ws";
 import { Interface } from "@goauthentik/elements/Base";
 import "@goauthentik/elements/ak-locale-context";
 import "@goauthentik/elements/enterprise/EnterpriseStatusBanner";
 import "@goauthentik/elements/messages/MessageContainer";
 import "@goauthentik/elements/messages/MessageContainer";
 import "@goauthentik/elements/notifications/APIDrawer";
@ -30,7 +31,14 @@ import PFDrawer from "@patternfly/patternfly/components/Drawer/drawer.css";
 import PFPage from "@patternfly/patternfly/components/Page/page.css";
 import PFBase from "@patternfly/patternfly/patternfly-base.css";
-import { AdminApi, CoreApi, SessionUser, UiThemeEnum, Version } from "@goauthentik/api";
+import {
    AdminApi,
    CapabilitiesEnum,
    CoreApi,
    SessionUser,
    UiThemeEnum,
    Version,
 } from "@goauthentik/api";
@customElement("ak-interface-admin")
 export class AdminInterface extends Interface {
@ -67,7 +75,17 @@ export class AdminInterface extends Interface {
                .display-none {
                    display: none;
                }
                :host {
                    display: flex;
                    flex-direction: column;
                    height: 100%;
                }
                ak-locale-context {
                    display: flex;
                    flex-grow: 1;
                }
                .pf-c-page {
                    flex-grow: 1;
                    background-color: var(--pf-c-page--BackgroundColor) !important;
                }
                /* Global page background colour */
@ -113,7 +131,8 @@ export class AdminInterface extends Interface {
    render(): TemplateResult {
        return html` <ak-locale-context
-            ><div class="pf-c-page">
+            ><ak-enterprise-status interface="admin"></ak-enterprise-status>
            <div class="pf-c-page">
                <ak-sidebar
                    class="pf-c-page__sidebar ${this.sidebarOpen
                        ? "pf-m-expanded"
@ -308,6 +327,16 @@ export class AdminInterface extends Interface {
                    <span slot="label">${msg("Outpost Integrations")}</span>
                </ak-sidebar-item>
            </ak-sidebar-item>
            ${this.config?.capabilities.includes(CapabilitiesEnum.IsEnterprise)
                ? html`
                      <ak-sidebar-item>
                          <span slot="label">${msg("Enterprise")}</span>
                          <ak-sidebar-item path="/enterprise/licenses">
                              <span slot="label">${msg("Licenses")}</span>
                          </ak-sidebar-item>
                      </ak-sidebar-item>
                  `
                : html``}
        `;
    }
 }
--- a/web/src/admin/Routes.ts
+++ b/web/src/admin/Routes.ts
@ -136,4 +136,8 @@ export const ROUTES: Route[] = [
        await import("@goauthentik/admin/DebugPage");
        return html`<ak-admin-debug-page></ak-admin-debug-page>`;
    }),
    new Route(new RegExp("^/enterprise/licenses$"), async () => {
        await import("@goauthentik/admin/enterprise/EnterpriseLicenseListPage");
        return html`<ak-enterprise-license-list></ak-enterprise-license-list>`;
    }),
 ];
--- a/web/src/admin/admin-overview/cards/SystemStatusCard.ts
+++ b/web/src/admin/admin-overview/cards/SystemStatusCard.ts
@ -26,6 +26,7 @@ export class SystemStatusCard extends AdminStatusCard<System> {
            // First install, ensure the embedded outpost host is set
            // also run when outpost host does not contain http
            // (yes it's called host and requires a URL, i know)
            // TODO: Improve this in OOB flow
            await this.setOutpostHost();
            status = await new AdminApi(DEFAULT_CONFIG).adminSystemRetrieve();
        }
--- a/web/src/admin/enterprise/EnterpriseLicenseForm.ts
+++ b/web/src/admin/enterprise/EnterpriseLicenseForm.ts
@ -0,0 +1,64 @@
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import "@goauthentik/elements/CodeMirror";
 import "@goauthentik/elements/forms/HorizontalFormElement";
 import { ModelForm } from "@goauthentik/elements/forms/ModelForm";
 import { msg } from "@lit/localize";
 import { TemplateResult, html } from "lit";
 import { customElement, state } from "lit/decorators.js";
 import { EnterpriseApi, License } from "@goauthentik/api";
@customElement("ak-enterprise-license-form")
 export class EnterpriseLicenseForm extends ModelForm<License, string> {
    @state()
    installID?: string;
    loadInstance(pk: string): Promise<License> {
        return new EnterpriseApi(DEFAULT_CONFIG).enterpriseLicenseRetrieve({
            licenseUuid: pk,
        });
    }
    getSuccessMessage(): string {
        if (this.instance) {
            return msg("Successfully updated license.");
        } else {
            return msg("Successfully created license.");
        }
    }
    async load(): Promise<void> {
        this.installID = (
            await new EnterpriseApi(DEFAULT_CONFIG).enterpriseLicenseGetInstallIdRetrieve()
        ).installId;
    }
    async send(data: License): Promise<License> {
        if (this.instance) {
            return new EnterpriseApi(DEFAULT_CONFIG).enterpriseLicensePartialUpdate({
                licenseUuid: this.instance.licenseUuid || "",
                patchedLicenseRequest: data,
            });
        } else {
            return new EnterpriseApi(DEFAULT_CONFIG).enterpriseLicenseCreate({
                licenseRequest: data,
            });
        }
    }
    renderForm(): TemplateResult {
        return html`<form class="pf-c-form pf-m-horizontal">
            <ak-form-element-horizontal label=${msg("Install ID")}>
                <input class="pf-c-form-control" readonly type="text" value="${this.installID}" />
            </ak-form-element-horizontal>
            <ak-form-element-horizontal
                name="key"
                ?writeOnly=${this.instance !== undefined}
                label=${msg("License key")}
            >
                <textarea class="pf-c-form-control"></textarea>
            </ak-form-element-horizontal>
        </form>`;
    }
 }
--- a/web/src/admin/enterprise/EnterpriseLicenseListPage.ts
+++ b/web/src/admin/enterprise/EnterpriseLicenseListPage.ts
@ -0,0 +1,222 @@
 import "@goauthentik/admin/enterprise/EnterpriseLicenseForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { uiConfig } from "@goauthentik/common/ui/config";
 import { PFColor } from "@goauthentik/elements/Label";
 import "@goauthentik/elements/Spinner";
 import "@goauthentik/elements/buttons/SpinnerButton";
 import "@goauthentik/elements/cards/AggregateCard";
 import "@goauthentik/elements/forms/DeleteBulkForm";
 import "@goauthentik/elements/forms/ModalForm";
 import { PaginatedResponse } from "@goauthentik/elements/table/Table";
 import { TableColumn } from "@goauthentik/elements/table/Table";
 import { TablePage } from "@goauthentik/elements/table/TablePage";
 import { msg } from "@lit/localize";
 import { CSSResult, TemplateResult, css, html } from "lit";
 import { customElement, property, state } from "lit/decorators.js";
 import PFBanner from "@patternfly/patternfly/components/Banner/banner.css";
 import PFButton from "@patternfly/patternfly/components/Button/button.css";
 import PFCard from "@patternfly/patternfly/components/Card/card.css";
 import PFDescriptionList from "@patternfly/patternfly/components/DescriptionList/description-list.css";
 import PFFormControl from "@patternfly/patternfly/components/FormControl/form-control.css";
 import PFGrid from "@patternfly/patternfly/layouts/Grid/grid.css";
 import { EnterpriseApi, License, LicenseForecast, LicenseSummary } from "@goauthentik/api";
@customElement("ak-enterprise-license-list")
 export class EnterpriseLicenseListPage extends TablePage<License> {
    checkbox = true;
    searchEnabled(): boolean {
        return true;
    }
    pageTitle(): string {
        return msg("Licenses");
    }
    pageDescription(): string {
        return msg("Manage enterprise licenses");
    }
    pageIcon(): string {
        return "pf-icon pf-icon-key";
    }
    @property()
    order = "name";
    @state()
    forecast?: LicenseForecast;
    @state()
    summary?: LicenseSummary;
    @state()
    installID?: string;
    static get styles(): CSSResult[] {
        return super.styles.concat(
            PFDescriptionList,
            PFGrid,
            PFBanner,
            PFFormControl,
            PFButton,
            PFCard,
            css`
                .pf-m-no-padding-bottom {
                    padding-bottom: 0;
                }
            `,
        );
    }
    async apiEndpoint(page: number): Promise<PaginatedResponse<License>> {
        this.forecast = await new EnterpriseApi(DEFAULT_CONFIG).enterpriseLicenseForecastRetrieve();
        this.summary = await new EnterpriseApi(DEFAULT_CONFIG).enterpriseLicenseSummaryRetrieve();
        this.installID = (
            await new EnterpriseApi(DEFAULT_CONFIG).enterpriseLicenseGetInstallIdRetrieve()
        ).installId;
        return new EnterpriseApi(DEFAULT_CONFIG).enterpriseLicenseList({
            ordering: this.order,
            page: page,
            pageSize: (await uiConfig()).pagination.perPage,
            search: this.search || "",
        });
    }
    columns(): TableColumn[] {
        return [
            new TableColumn(msg("Name"), "name"),
            new TableColumn(msg("Users")),
            new TableColumn(msg("Expiry date")),
            new TableColumn(msg("Actions")),
        ];
    }
    renderToolbarSelected(): TemplateResult {
        const disabled = this.selectedElements.length < 1;
        return html`<ak-forms-delete-bulk
            objectLabel=${msg("License(s)")}
            .objects=${this.selectedElements}
            .metadata=${(item: License) => {
                return [
                    { key: msg("Name"), value: item.name },
                    { key: msg("Expiry"), value: item.expiry?.toLocaleString() },
                ];
            }}
            .usedBy=${(item: License) => {
                return new EnterpriseApi(DEFAULT_CONFIG).enterpriseLicenseUsedByList({
                    licenseUuid: item.licenseUuid,
                });
            }}
            .delete=${(item: License) => {
                return new EnterpriseApi(DEFAULT_CONFIG).enterpriseLicenseDestroy({
                    licenseUuid: item.licenseUuid,
                });
            }}
        >
            <button ?disabled=${disabled} slot="trigger" class="pf-c-button pf-m-danger">
                ${msg("Delete")}
            </button>
        </ak-forms-delete-bulk>`;
    }
    renderSectionBefore(): TemplateResult {
        return html`
            <div class="pf-c-banner pf-m-info">
                ${msg("Enterprise is in preview.")}
                <a href="mailto:hello@goauthentik.io">${msg("Send us feedback!")}</a>
            </div>
            <section class="pf-c-page__main-section pf-m-no-padding-bottom">
                <div
                    class="pf-l-grid pf-m-gutter pf-m-all-6-col-on-sm pf-m-all-4-col-on-md pf-m-all-3-col-on-lg pf-m-all-3-col-on-xl"
                >
                    <div class="pf-l-grid__item pf-c-card">
                        <div class="pf-c-card__title">${msg("How to get a license")}</div>
                        <div class="pf-c-card__body">
                            ${this.installID
                                ? html` <a
                                      target="_blank"
                                      href=${`https://customers.goauthentik.io/from_authentik/purchase/?install_id=${this.installID}`}
                                      class="pf-c-button pf-m-primary pf-m-block"
                                      >${msg("Go to the customer portal")}</a
                                  >`
                                : html`<ak-spinner></ak-spinner>`}
                        </div>
                    </div>
                    <div class="pf-l-grid__item pf-c-card">
                        <ak-aggregate-card
                            icon="pf-icon pf-icon-user"
                            header=${msg("Forecasted default users")}
                            subtext=${msg("Estimated user count one year from now")}
                        >
                            ${this.forecast?.users}
                        </ak-aggregate-card>
                    </div>
                    <div class="pf-l-grid__item pf-c-card">
                        <ak-aggregate-card
                            icon="pf-icon pf-icon-user"
                            header=${msg("Forecasted external users")}
                            subtext=${msg("Estimated external user count one year from now")}
                        >
                            ${this.forecast?.externalUsers}
                        </ak-aggregate-card>
                    </div>
                    <div class="pf-l-grid__item pf-c-card">
                        <ak-aggregate-card
                            icon="pf-icon pf-icon-user"
                            header=${msg("Expiry")}
                            subtext=${msg("Cumulative license expiry")}
                        >
                            ${this.summary?.hasLicense
                                ? this.summary.latestValid.toLocaleString()
                                : "-"}
                        </ak-aggregate-card>
                    </div>
                </div>
            </section>
        `;
    }
    row(item: License): TemplateResult[] {
        let color = PFColor.Green;
        if (item.expiry) {
            const now = new Date();
            const inAMonth = new Date();
            inAMonth.setDate(inAMonth.getDate() + 30);
            if (item.expiry <= inAMonth) {
                color = PFColor.Orange;
            }
            if (item.expiry <= now) {
                color = PFColor.Red;
            }
        }
        return [
            html`<div>${item.name}</div>`,
            html`<div>
                <small>0 / ${item.users}</small>
                <small>0 / ${item.externalUsers}</small>
            </div>`,
            html`<ak-label color=${color}> ${item.expiry?.toLocaleString()} </ak-label>`,
            html`<ak-forms-modal>
                <span slot="submit"> ${msg("Update")} </span>
                <span slot="header"> ${msg("Update License")} </span>
                <ak-enterprise-license-form slot="form" .instancePk=${item.licenseUuid}>
                </ak-enterprise-license-form>
                <button slot="trigger" class="pf-c-button pf-m-plain">
                    <i class="fas fa-edit"></i>
                </button>
            </ak-forms-modal>`,
        ];
    }
    renderObjectCreate(): TemplateResult {
        return html`
            <ak-forms-modal>
                <span slot="submit"> ${msg("Create")} </span>
                <span slot="header"> ${msg("Create License")} </span>
                <ak-enterprise-license-form slot="form"> </ak-enterprise-license-form>
                <button slot="trigger" class="pf-c-button pf-m-primary">${msg("Create")}</button>
            </ak-forms-modal>
        `;
    }
 }
--- a/web/src/admin/users/UserForm.ts
+++ b/web/src/admin/users/UserForm.ts
@ -1,9 +1,11 @@
 import "@goauthentik/admin/users/GroupSelectModal";
 import { UserTypeEnum } from "@goauthentik/api/dist/models/UserTypeEnum";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { first } from "@goauthentik/common/utils";
 import "@goauthentik/elements/CodeMirror";
 import "@goauthentik/elements/forms/HorizontalFormElement";
 import { ModelForm } from "@goauthentik/elements/forms/ModelForm";
 import "@goauthentik/elements/forms/Radio";
 import YAML from "yaml";
 import { msg } from "@lit/localize";
@ -75,6 +77,31 @@ export class UserForm extends ModelForm<User, number> {
                />
                <p class="pf-c-form__helper-text">${msg("User's display name.")}</p>
            </ak-form-element-horizontal>
            <ak-form-element-horizontal label=${msg("User type")} ?required=${true} name="type">
                <ak-radio
                    .options=${[
                        // TODO: Add better copy
                        {
                            label: "Default",
                            value: UserTypeEnum.Default,
                            default: true,
                            description: html`${msg("Default user")}`,
                        },
                        {
                            label: "External",
                            value: UserTypeEnum.External,
                            description: html`${msg("External user")}`,
                        },
                        {
                            label: "Service account",
                            value: UserTypeEnum.ServiceAccount,
                            description: html`${msg("Service account")}`,
                        },
                    ]}
                    .value=${this.instance?.type}
                >
                </ak-radio>
            </ak-form-element-horizontal>
            <ak-form-element-horizontal label=${msg("Email")} name="email">
                <input
                    type="email"
--- a/web/src/elements/cards/AggregateCard.ts
+++ b/web/src/elements/cards/AggregateCard.ts
@ -19,6 +19,9 @@ export class AggregateCard extends AKElement {
    @property()
    headerLink?: string;
    @property()
    subtext?: string;
    @property({ type: Boolean })
    isCenter = true;
@ -79,6 +82,7 @@ export class AggregateCard extends AKElement {
            </div>
            <div class="pf-c-card__body ${this.isCenter ? "center-value" : ""}">
                ${this.renderInner()}
                ${this.subtext ? html`<p class="subtext">${this.subtext}</p>` : html``}
            </div>
        </div>`;
    }
--- a/web/src/elements/enterprise/EnterpriseStatusBanner.ts
+++ b/web/src/elements/enterprise/EnterpriseStatusBanner.ts
@ -0,0 +1,52 @@
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { AKElement } from "@goauthentik/elements/Base";
 import { msg } from "@lit/localize";
 import { CSSResult, TemplateResult, html } from "lit";
 import { customElement, property, state } from "lit/decorators.js";
 import PFBanner from "@patternfly/patternfly/components/Banner/banner.css";
 import { EnterpriseApi, LicenseSummary } from "@goauthentik/api";
@customElement("ak-enterprise-status")
 export class EnterpriseStatusBanner extends AKElement {
    @state()
    summary?: LicenseSummary;
    @property()
    interface: "admin" | "user" | "" = "";
    static get styles(): CSSResult[] {
        return [PFBanner];
    }
    firstUpdated(): void {
        new EnterpriseApi(DEFAULT_CONFIG).enterpriseLicenseSummaryRetrieve().then((b) => {
            this.summary = b;
        });
    }
    renderBanner(): TemplateResult {
        return html`<div class="pf-c-banner ${this.summary?.readOnly ? "pf-m-red" : "pf-m-orange"}">
            ${msg("Warning: The current user count has exceeded the configured licenses.")}
            <a href="/if/admin/#/enterprise/licenses"> ${msg("Click here for more info.")} </a>
        </div>`;
    }
    render(): TemplateResult {
        switch (this.interface.toLowerCase()) {
            case "admin":
                if (this.summary?.showAdminWarning || this.summary?.readOnly) {
                    return this.renderBanner();
                }
                break;
            case "user":
                if (this.summary?.showUserWarning || this.summary?.readOnly) {
                    return this.renderBanner();
                }
                break;
        }
        return html``;
    }
 }
--- a/web/src/elements/table/TablePage.ts
+++ b/web/src/elements/table/TablePage.ts
@ -28,6 +28,16 @@ export abstract class TablePage<T> extends Table<T> {
        return html``;
    }
    // Optionally render section above the table
    renderSectionBefore(): TemplateResult {
        return html``;
    }
    // Optionally render section below the table
    renderSectionAfter(): TemplateResult {
        return html``;
    }
    renderEmpty(inner?: TemplateResult): TemplateResult {
        return super.renderEmpty(html`
            ${inner
@ -75,6 +85,7 @@ export abstract class TablePage<T> extends Table<T> {
                description=${ifDefined(this.pageDescription())}
            >
            </ak-page-header>
            ${this.renderSectionBefore()}
            <section class="pf-c-page__main-section pf-m-no-padding-mobile">
                <div class="pf-c-sidebar pf-m-gutter">
                    <div class="pf-c-sidebar__main">
@ -85,6 +96,7 @@ export abstract class TablePage<T> extends Table<T> {
                        ${this.renderSidebarAfter()}
                    </div>
                </div>
-            </section>`;
+            </section>
            ${this.renderSectionAfter()}`;
    }
 }
--- a/web/src/user/UserInterface.ts
+++ b/web/src/user/UserInterface.ts
@ -11,6 +11,8 @@ import { first } from "@goauthentik/common/utils";
 import { WebsocketClient } from "@goauthentik/common/ws";
 import { Interface } from "@goauthentik/elements/Base";
 import "@goauthentik/elements/ak-locale-context";
 import "@goauthentik/elements/buttons/ActionButton";
 import "@goauthentik/elements/enterprise/EnterpriseStatusBanner";
 import "@goauthentik/elements/messages/MessageContainer";
 import "@goauthentik/elements/notifications/APIDrawer";
 import "@goauthentik/elements/notifications/NotificationDrawer";
@ -35,7 +37,7 @@ import PFPage from "@patternfly/patternfly/components/Page/page.css";
 import PFBase from "@patternfly/patternfly/patternfly-base.css";
 import PFDisplay from "@patternfly/patternfly/utilities/Display/display.css";
-import { EventsApi, SessionUser } from "@goauthentik/api";
+import { CoreApi, EventsApi, SessionUser } from "@goauthentik/api";
@customElement("ak-interface-user")
 export class UserInterface extends Interface {
@ -148,6 +150,7 @@ export class UserInterface extends Interface {
                userDisplay = this.me.user.username;
        }
        return html` <ak-locale-context>
            <ak-enterprise-status interface="user"></ak-enterprise-status>
            <div class="pf-c-page">
                <div class="background-wrapper" style="${this.uiConfig.theme.background}"></div>
                <header class="pf-c-page__header">
@ -243,16 +246,21 @@ export class UserInterface extends Interface {
                                : html``}
                        </div>
                        ${this.me.original
-                            ? html`<div class="pf-c-page__header-tools">
+                            ? html`&nbsp;
                                  <div class="pf-c-page__header-tools">
                                      <div class="pf-c-page__header-tools-group">
-                                      <a
+                                          <ak-action-button
-                                          class="pf-c-button pf-m-warning pf-m-small"
+                                              class="pf-m-warning pf-m-small"
-                                          href=${`/-/impersonation/end/?back=${encodeURIComponent(
+                                              .apiRequest=${() => {
-                                              `${window.location.pathname}#${window.location.hash}`,
+                                                  return new CoreApi(DEFAULT_CONFIG)
-                                          )}`}
+                                                      .coreUsersImpersonateEndRetrieve()
                                                      .then(() => {
                                                          window.location.reload();
                                                      });
                                              }}
                                          >
                                              ${msg("Stop impersonation")}
-                                      </a>
+                                          </ak-action-button>
                                      </div>
                                  </div>`
                            : html``}
--- a/web/xliff/de.xlf
+++ b/web/xliff/de.xlf
@ -5747,6 +5747,84 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s1889ba2eaeec2f1e">
  <source>When enabled, code-based multi-factor authentication can be used by appending a semicolon and the TOTP code to the password. This should only be enabled if all users that will bind to this provider have a TOTP device configured, as otherwise a password may incorrectly be rejected if it contains a semicolon.</source>
 </trans-unit>
 <trans-unit id="s9f9492d30a96b9c6">
  <source>User type</source>
 </trans-unit>
 <trans-unit id="s0b9a40b7b2853c7d">
  <source>Default user</source>
 </trans-unit>
 <trans-unit id="s35b9fa270f45b391">
  <source>External user</source>
 </trans-unit>
 <trans-unit id="s1a635369edaf4dc3">
  <source>Service account</source>
 </trans-unit>
 <trans-unit id="s0e427111d750cc02">
  <source>Successfully updated license.</source>
 </trans-unit>
 <trans-unit id="s06ae64e621f302eb">
  <source>Successfully created license.</source>
 </trans-unit>
 <trans-unit id="s2905c425adae99bd">
  <source>Install ID</source>
 </trans-unit>
 <trans-unit id="sb18ec434a8a3aafb">
  <source>License key</source>
 </trans-unit>
 <trans-unit id="s2e109263b73c12d5">
  <source>Licenses</source>
 </trans-unit>
 <trans-unit id="sf8f9f3032e891e16">
  <source>TODO Copy</source>
 </trans-unit>
 <trans-unit id="sd49099e9522635f4">
  <source>License(s)</source>
 </trans-unit>
 <trans-unit id="s3be1d90ffa46b7f1">
  <source>Enterprise is in preview.</source>
 </trans-unit>
 <trans-unit id="s34dca481f039c226">
  <source>How to get a license</source>
 </trans-unit>
 <trans-unit id="s948364901c166232">
  <source>Copy the installation ID</source>
 </trans-unit>
 <trans-unit id="s75c167446b237e0f">
  <source>Then open the customer portal</source>
 </trans-unit>
 <trans-unit id="s9748dd3bd53d27a4">
  <source>Forecasted default users</source>
 </trans-unit>
 <trans-unit id="s6b18f594d94c2374">
  <source>Estimated user count one year from now</source>
 </trans-unit>
 <trans-unit id="s69f246d164be88d0">
  <source>Forecasted external users</source>
 </trans-unit>
 <trans-unit id="s878fc2eaf94642db">
  <source>Estimated external user count one year from now</source>
 </trans-unit>
 <trans-unit id="sd22bd01bdf28c548">
  <source>Cumulative license expiry</source>
 </trans-unit>
 <trans-unit id="sdeb6cee42435dd07">
  <source>Update License</source>
 </trans-unit>
 <trans-unit id="s99afa741c259d70e">
  <source>Create License</source>
 </trans-unit>
 <trans-unit id="s7df5b92a3f93544f">
  <source>Warning: The current user count has exceeded the configured licenses.</source>
 </trans-unit>
 <trans-unit id="s0141f42936495787">
  <source>Click here for more info.</source>
 </trans-unit>
 <trans-unit id="s7be2df39f727faa2">
  <source>Enterprise</source>
 </trans-unit>
 <trans-unit id="s9ce7cc01fb9b5b53">
  <source>Manage enterprise licenses</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/en.xlf
+++ b/web/xliff/en.xlf
@ -6063,6 +6063,84 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s1889ba2eaeec2f1e">
  <source>When enabled, code-based multi-factor authentication can be used by appending a semicolon and the TOTP code to the password. This should only be enabled if all users that will bind to this provider have a TOTP device configured, as otherwise a password may incorrectly be rejected if it contains a semicolon.</source>
 </trans-unit>
 <trans-unit id="s9f9492d30a96b9c6">
  <source>User type</source>
 </trans-unit>
 <trans-unit id="s0b9a40b7b2853c7d">
  <source>Default user</source>
 </trans-unit>
 <trans-unit id="s35b9fa270f45b391">
  <source>External user</source>
 </trans-unit>
 <trans-unit id="s1a635369edaf4dc3">
  <source>Service account</source>
 </trans-unit>
 <trans-unit id="s0e427111d750cc02">
  <source>Successfully updated license.</source>
 </trans-unit>
 <trans-unit id="s06ae64e621f302eb">
  <source>Successfully created license.</source>
 </trans-unit>
 <trans-unit id="s2905c425adae99bd">
  <source>Install ID</source>
 </trans-unit>
 <trans-unit id="sb18ec434a8a3aafb">
  <source>License key</source>
 </trans-unit>
 <trans-unit id="s2e109263b73c12d5">
  <source>Licenses</source>
 </trans-unit>
 <trans-unit id="sf8f9f3032e891e16">
  <source>TODO Copy</source>
 </trans-unit>
 <trans-unit id="sd49099e9522635f4">
  <source>License(s)</source>
 </trans-unit>
 <trans-unit id="s3be1d90ffa46b7f1">
  <source>Enterprise is in preview.</source>
 </trans-unit>
 <trans-unit id="s34dca481f039c226">
  <source>How to get a license</source>
 </trans-unit>
 <trans-unit id="s948364901c166232">
  <source>Copy the installation ID</source>
 </trans-unit>
 <trans-unit id="s75c167446b237e0f">
  <source>Then open the customer portal</source>
 </trans-unit>
 <trans-unit id="s9748dd3bd53d27a4">
  <source>Forecasted default users</source>
 </trans-unit>
 <trans-unit id="s6b18f594d94c2374">
  <source>Estimated user count one year from now</source>
 </trans-unit>
 <trans-unit id="s69f246d164be88d0">
  <source>Forecasted external users</source>
 </trans-unit>
 <trans-unit id="s878fc2eaf94642db">
  <source>Estimated external user count one year from now</source>
 </trans-unit>
 <trans-unit id="sd22bd01bdf28c548">
  <source>Cumulative license expiry</source>
 </trans-unit>
 <trans-unit id="sdeb6cee42435dd07">
  <source>Update License</source>
 </trans-unit>
 <trans-unit id="s99afa741c259d70e">
  <source>Create License</source>
 </trans-unit>
 <trans-unit id="s7df5b92a3f93544f">
  <source>Warning: The current user count has exceeded the configured licenses.</source>
 </trans-unit>
 <trans-unit id="s0141f42936495787">
  <source>Click here for more info.</source>
 </trans-unit>
 <trans-unit id="s7be2df39f727faa2">
  <source>Enterprise</source>
 </trans-unit>
 <trans-unit id="s9ce7cc01fb9b5b53">
  <source>Manage enterprise licenses</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/es.xlf
+++ b/web/xliff/es.xlf
@ -5655,6 +5655,84 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s1889ba2eaeec2f1e">
  <source>When enabled, code-based multi-factor authentication can be used by appending a semicolon and the TOTP code to the password. This should only be enabled if all users that will bind to this provider have a TOTP device configured, as otherwise a password may incorrectly be rejected if it contains a semicolon.</source>
 </trans-unit>
 <trans-unit id="s9f9492d30a96b9c6">
  <source>User type</source>
 </trans-unit>
 <trans-unit id="s0b9a40b7b2853c7d">
  <source>Default user</source>
 </trans-unit>
 <trans-unit id="s35b9fa270f45b391">
  <source>External user</source>
 </trans-unit>
 <trans-unit id="s1a635369edaf4dc3">
  <source>Service account</source>
 </trans-unit>
 <trans-unit id="s0e427111d750cc02">
  <source>Successfully updated license.</source>
 </trans-unit>
 <trans-unit id="s06ae64e621f302eb">
  <source>Successfully created license.</source>
 </trans-unit>
 <trans-unit id="s2905c425adae99bd">
  <source>Install ID</source>
 </trans-unit>
 <trans-unit id="sb18ec434a8a3aafb">
  <source>License key</source>
 </trans-unit>
 <trans-unit id="s2e109263b73c12d5">
  <source>Licenses</source>
 </trans-unit>
 <trans-unit id="sf8f9f3032e891e16">
  <source>TODO Copy</source>
 </trans-unit>
 <trans-unit id="sd49099e9522635f4">
  <source>License(s)</source>
 </trans-unit>
 <trans-unit id="s3be1d90ffa46b7f1">
  <source>Enterprise is in preview.</source>
 </trans-unit>
 <trans-unit id="s34dca481f039c226">
  <source>How to get a license</source>
 </trans-unit>
 <trans-unit id="s948364901c166232">
  <source>Copy the installation ID</source>
 </trans-unit>
 <trans-unit id="s75c167446b237e0f">
  <source>Then open the customer portal</source>
 </trans-unit>
 <trans-unit id="s9748dd3bd53d27a4">
  <source>Forecasted default users</source>
 </trans-unit>
 <trans-unit id="s6b18f594d94c2374">
  <source>Estimated user count one year from now</source>
 </trans-unit>
 <trans-unit id="s69f246d164be88d0">
  <source>Forecasted external users</source>
 </trans-unit>
 <trans-unit id="s878fc2eaf94642db">
  <source>Estimated external user count one year from now</source>
 </trans-unit>
 <trans-unit id="sd22bd01bdf28c548">
  <source>Cumulative license expiry</source>
 </trans-unit>
 <trans-unit id="sdeb6cee42435dd07">
  <source>Update License</source>
 </trans-unit>
 <trans-unit id="s99afa741c259d70e">
  <source>Create License</source>
 </trans-unit>
 <trans-unit id="s7df5b92a3f93544f">
  <source>Warning: The current user count has exceeded the configured licenses.</source>
 </trans-unit>
 <trans-unit id="s0141f42936495787">
  <source>Click here for more info.</source>
 </trans-unit>
 <trans-unit id="s7be2df39f727faa2">
  <source>Enterprise</source>
 </trans-unit>
 <trans-unit id="s9ce7cc01fb9b5b53">
  <source>Manage enterprise licenses</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/fr_FR.xlf
+++ b/web/xliff/fr_FR.xlf
@ -5762,6 +5762,84 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s1889ba2eaeec2f1e">
  <source>When enabled, code-based multi-factor authentication can be used by appending a semicolon and the TOTP code to the password. This should only be enabled if all users that will bind to this provider have a TOTP device configured, as otherwise a password may incorrectly be rejected if it contains a semicolon.</source>
 </trans-unit>
 <trans-unit id="s9f9492d30a96b9c6">
  <source>User type</source>
 </trans-unit>
 <trans-unit id="s0b9a40b7b2853c7d">
  <source>Default user</source>
 </trans-unit>
 <trans-unit id="s35b9fa270f45b391">
  <source>External user</source>
 </trans-unit>
 <trans-unit id="s1a635369edaf4dc3">
  <source>Service account</source>
 </trans-unit>
 <trans-unit id="s0e427111d750cc02">
  <source>Successfully updated license.</source>
 </trans-unit>
 <trans-unit id="s06ae64e621f302eb">
  <source>Successfully created license.</source>
 </trans-unit>
 <trans-unit id="s2905c425adae99bd">
  <source>Install ID</source>
 </trans-unit>
 <trans-unit id="sb18ec434a8a3aafb">
  <source>License key</source>
 </trans-unit>
 <trans-unit id="s2e109263b73c12d5">
  <source>Licenses</source>
 </trans-unit>
 <trans-unit id="sf8f9f3032e891e16">
  <source>TODO Copy</source>
 </trans-unit>
 <trans-unit id="sd49099e9522635f4">
  <source>License(s)</source>
 </trans-unit>
 <trans-unit id="s3be1d90ffa46b7f1">
  <source>Enterprise is in preview.</source>
 </trans-unit>
 <trans-unit id="s34dca481f039c226">
  <source>How to get a license</source>
 </trans-unit>
 <trans-unit id="s948364901c166232">
  <source>Copy the installation ID</source>
 </trans-unit>
 <trans-unit id="s75c167446b237e0f">
  <source>Then open the customer portal</source>
 </trans-unit>
 <trans-unit id="s9748dd3bd53d27a4">
  <source>Forecasted default users</source>
 </trans-unit>
 <trans-unit id="s6b18f594d94c2374">
  <source>Estimated user count one year from now</source>
 </trans-unit>
 <trans-unit id="s69f246d164be88d0">
  <source>Forecasted external users</source>
 </trans-unit>
 <trans-unit id="s878fc2eaf94642db">
  <source>Estimated external user count one year from now</source>
 </trans-unit>
 <trans-unit id="sd22bd01bdf28c548">
  <source>Cumulative license expiry</source>
 </trans-unit>
 <trans-unit id="sdeb6cee42435dd07">
  <source>Update License</source>
 </trans-unit>
 <trans-unit id="s99afa741c259d70e">
  <source>Create License</source>
 </trans-unit>
 <trans-unit id="s7df5b92a3f93544f">
  <source>Warning: The current user count has exceeded the configured licenses.</source>
 </trans-unit>
 <trans-unit id="s0141f42936495787">
  <source>Click here for more info.</source>
 </trans-unit>
 <trans-unit id="s7be2df39f727faa2">
  <source>Enterprise</source>
 </trans-unit>
 <trans-unit id="s9ce7cc01fb9b5b53">
  <source>Manage enterprise licenses</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/pl.xlf
+++ b/web/xliff/pl.xlf
@ -5894,6 +5894,84 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s1889ba2eaeec2f1e">
  <source>When enabled, code-based multi-factor authentication can be used by appending a semicolon and the TOTP code to the password. This should only be enabled if all users that will bind to this provider have a TOTP device configured, as otherwise a password may incorrectly be rejected if it contains a semicolon.</source>
 </trans-unit>
 <trans-unit id="s9f9492d30a96b9c6">
  <source>User type</source>
 </trans-unit>
 <trans-unit id="s0b9a40b7b2853c7d">
  <source>Default user</source>
 </trans-unit>
 <trans-unit id="s35b9fa270f45b391">
  <source>External user</source>
 </trans-unit>
 <trans-unit id="s1a635369edaf4dc3">
  <source>Service account</source>
 </trans-unit>
 <trans-unit id="s0e427111d750cc02">
  <source>Successfully updated license.</source>
 </trans-unit>
 <trans-unit id="s06ae64e621f302eb">
  <source>Successfully created license.</source>
 </trans-unit>
 <trans-unit id="s2905c425adae99bd">
  <source>Install ID</source>
 </trans-unit>
 <trans-unit id="sb18ec434a8a3aafb">
  <source>License key</source>
 </trans-unit>
 <trans-unit id="s2e109263b73c12d5">
  <source>Licenses</source>
 </trans-unit>
 <trans-unit id="sf8f9f3032e891e16">
  <source>TODO Copy</source>
 </trans-unit>
 <trans-unit id="sd49099e9522635f4">
  <source>License(s)</source>
 </trans-unit>
 <trans-unit id="s3be1d90ffa46b7f1">
  <source>Enterprise is in preview.</source>
 </trans-unit>
 <trans-unit id="s34dca481f039c226">
  <source>How to get a license</source>
 </trans-unit>
 <trans-unit id="s948364901c166232">
  <source>Copy the installation ID</source>
 </trans-unit>
 <trans-unit id="s75c167446b237e0f">
  <source>Then open the customer portal</source>
 </trans-unit>
 <trans-unit id="s9748dd3bd53d27a4">
  <source>Forecasted default users</source>
 </trans-unit>
 <trans-unit id="s6b18f594d94c2374">
  <source>Estimated user count one year from now</source>
 </trans-unit>
 <trans-unit id="s69f246d164be88d0">
  <source>Forecasted external users</source>
 </trans-unit>
 <trans-unit id="s878fc2eaf94642db">
  <source>Estimated external user count one year from now</source>
 </trans-unit>
 <trans-unit id="sd22bd01bdf28c548">
  <source>Cumulative license expiry</source>
 </trans-unit>
 <trans-unit id="sdeb6cee42435dd07">
  <source>Update License</source>
 </trans-unit>
 <trans-unit id="s99afa741c259d70e">
  <source>Create License</source>
 </trans-unit>
 <trans-unit id="s7df5b92a3f93544f">
  <source>Warning: The current user count has exceeded the configured licenses.</source>
 </trans-unit>
 <trans-unit id="s0141f42936495787">
  <source>Click here for more info.</source>
 </trans-unit>
 <trans-unit id="s7be2df39f727faa2">
  <source>Enterprise</source>
 </trans-unit>
 <trans-unit id="s9ce7cc01fb9b5b53">
  <source>Manage enterprise licenses</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/pseudo-LOCALE.xlf
+++ b/web/xliff/pseudo-LOCALE.xlf
@ -5998,6 +5998,84 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s1889ba2eaeec2f1e">
  <source>When enabled, code-based multi-factor authentication can be used by appending a semicolon and the TOTP code to the password. This should only be enabled if all users that will bind to this provider have a TOTP device configured, as otherwise a password may incorrectly be rejected if it contains a semicolon.</source>
 </trans-unit>
 <trans-unit id="s9f9492d30a96b9c6">
  <source>User type</source>
 </trans-unit>
 <trans-unit id="s0b9a40b7b2853c7d">
  <source>Default user</source>
 </trans-unit>
 <trans-unit id="s35b9fa270f45b391">
  <source>External user</source>
 </trans-unit>
 <trans-unit id="s1a635369edaf4dc3">
  <source>Service account</source>
 </trans-unit>
 <trans-unit id="s0e427111d750cc02">
  <source>Successfully updated license.</source>
 </trans-unit>
 <trans-unit id="s06ae64e621f302eb">
  <source>Successfully created license.</source>
 </trans-unit>
 <trans-unit id="s2905c425adae99bd">
  <source>Install ID</source>
 </trans-unit>
 <trans-unit id="sb18ec434a8a3aafb">
  <source>License key</source>
 </trans-unit>
 <trans-unit id="s2e109263b73c12d5">
  <source>Licenses</source>
 </trans-unit>
 <trans-unit id="sf8f9f3032e891e16">
  <source>TODO Copy</source>
 </trans-unit>
 <trans-unit id="sd49099e9522635f4">
  <source>License(s)</source>
 </trans-unit>
 <trans-unit id="s3be1d90ffa46b7f1">
  <source>Enterprise is in preview.</source>
 </trans-unit>
 <trans-unit id="s34dca481f039c226">
  <source>How to get a license</source>
 </trans-unit>
 <trans-unit id="s948364901c166232">
  <source>Copy the installation ID</source>
 </trans-unit>
 <trans-unit id="s75c167446b237e0f">
  <source>Then open the customer portal</source>
 </trans-unit>
 <trans-unit id="s9748dd3bd53d27a4">
  <source>Forecasted default users</source>
 </trans-unit>
 <trans-unit id="s6b18f594d94c2374">
  <source>Estimated user count one year from now</source>
 </trans-unit>
 <trans-unit id="s69f246d164be88d0">
  <source>Forecasted external users</source>
 </trans-unit>
 <trans-unit id="s878fc2eaf94642db">
  <source>Estimated external user count one year from now</source>
 </trans-unit>
 <trans-unit id="sd22bd01bdf28c548">
  <source>Cumulative license expiry</source>
 </trans-unit>
 <trans-unit id="sdeb6cee42435dd07">
  <source>Update License</source>
 </trans-unit>
 <trans-unit id="s99afa741c259d70e">
  <source>Create License</source>
 </trans-unit>
 <trans-unit id="s7df5b92a3f93544f">
  <source>Warning: The current user count has exceeded the configured licenses.</source>
 </trans-unit>
 <trans-unit id="s0141f42936495787">
  <source>Click here for more info.</source>
 </trans-unit>
 <trans-unit id="s7be2df39f727faa2">
  <source>Enterprise</source>
 </trans-unit>
 <trans-unit id="s9ce7cc01fb9b5b53">
  <source>Manage enterprise licenses</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/tr.xlf
+++ b/web/xliff/tr.xlf
@ -5645,6 +5645,84 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s1889ba2eaeec2f1e">
  <source>When enabled, code-based multi-factor authentication can be used by appending a semicolon and the TOTP code to the password. This should only be enabled if all users that will bind to this provider have a TOTP device configured, as otherwise a password may incorrectly be rejected if it contains a semicolon.</source>
 </trans-unit>
 <trans-unit id="s9f9492d30a96b9c6">
  <source>User type</source>
 </trans-unit>
 <trans-unit id="s0b9a40b7b2853c7d">
  <source>Default user</source>
 </trans-unit>
 <trans-unit id="s35b9fa270f45b391">
  <source>External user</source>
 </trans-unit>
 <trans-unit id="s1a635369edaf4dc3">
  <source>Service account</source>
 </trans-unit>
 <trans-unit id="s0e427111d750cc02">
  <source>Successfully updated license.</source>
 </trans-unit>
 <trans-unit id="s06ae64e621f302eb">
  <source>Successfully created license.</source>
 </trans-unit>
 <trans-unit id="s2905c425adae99bd">
  <source>Install ID</source>
 </trans-unit>
 <trans-unit id="sb18ec434a8a3aafb">
  <source>License key</source>
 </trans-unit>
 <trans-unit id="s2e109263b73c12d5">
  <source>Licenses</source>
 </trans-unit>
 <trans-unit id="sf8f9f3032e891e16">
  <source>TODO Copy</source>
 </trans-unit>
 <trans-unit id="sd49099e9522635f4">
  <source>License(s)</source>
 </trans-unit>
 <trans-unit id="s3be1d90ffa46b7f1">
  <source>Enterprise is in preview.</source>
 </trans-unit>
 <trans-unit id="s34dca481f039c226">
  <source>How to get a license</source>
 </trans-unit>
 <trans-unit id="s948364901c166232">
  <source>Copy the installation ID</source>
 </trans-unit>
 <trans-unit id="s75c167446b237e0f">
  <source>Then open the customer portal</source>
 </trans-unit>
 <trans-unit id="s9748dd3bd53d27a4">
  <source>Forecasted default users</source>
 </trans-unit>
 <trans-unit id="s6b18f594d94c2374">
  <source>Estimated user count one year from now</source>
 </trans-unit>
 <trans-unit id="s69f246d164be88d0">
  <source>Forecasted external users</source>
 </trans-unit>
 <trans-unit id="s878fc2eaf94642db">
  <source>Estimated external user count one year from now</source>
 </trans-unit>
 <trans-unit id="sd22bd01bdf28c548">
  <source>Cumulative license expiry</source>
 </trans-unit>
 <trans-unit id="sdeb6cee42435dd07">
  <source>Update License</source>
 </trans-unit>
 <trans-unit id="s99afa741c259d70e">
  <source>Create License</source>
 </trans-unit>
 <trans-unit id="s7df5b92a3f93544f">
  <source>Warning: The current user count has exceeded the configured licenses.</source>
 </trans-unit>
 <trans-unit id="s0141f42936495787">
  <source>Click here for more info.</source>
 </trans-unit>
 <trans-unit id="s7be2df39f727faa2">
  <source>Enterprise</source>
 </trans-unit>
 <trans-unit id="s9ce7cc01fb9b5b53">
  <source>Manage enterprise licenses</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/zh-Hans.xlf
+++ b/web/xliff/zh-Hans.xlf
@ -7580,6 +7580,84 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s1889ba2eaeec2f1e">
  <source>When enabled, code-based multi-factor authentication can be used by appending a semicolon and the TOTP code to the password. This should only be enabled if all users that will bind to this provider have a TOTP device configured, as otherwise a password may incorrectly be rejected if it contains a semicolon.</source>
  <target>启用时，可以通过在密码后添加分号和 TOTP 代码来使用基于代码的多因素身份验证。仅在所有绑定到此提供程序的用户都已配置 TOTP 设备的情况下才应该启用，否则密码可能会因为包含分号而被错误地拒绝。</target>
 </trans-unit>
 <trans-unit id="s9f9492d30a96b9c6">
  <source>User type</source>
 </trans-unit>
 <trans-unit id="s0b9a40b7b2853c7d">
  <source>Default user</source>
 </trans-unit>
 <trans-unit id="s35b9fa270f45b391">
  <source>External user</source>
 </trans-unit>
 <trans-unit id="s1a635369edaf4dc3">
  <source>Service account</source>
 </trans-unit>
 <trans-unit id="s0e427111d750cc02">
  <source>Successfully updated license.</source>
 </trans-unit>
 <trans-unit id="s06ae64e621f302eb">
  <source>Successfully created license.</source>
 </trans-unit>
 <trans-unit id="s2905c425adae99bd">
  <source>Install ID</source>
 </trans-unit>
 <trans-unit id="sb18ec434a8a3aafb">
  <source>License key</source>
 </trans-unit>
 <trans-unit id="s2e109263b73c12d5">
  <source>Licenses</source>
 </trans-unit>
 <trans-unit id="sf8f9f3032e891e16">
  <source>TODO Copy</source>
 </trans-unit>
 <trans-unit id="sd49099e9522635f4">
  <source>License(s)</source>
 </trans-unit>
 <trans-unit id="s3be1d90ffa46b7f1">
  <source>Enterprise is in preview.</source>
 </trans-unit>
 <trans-unit id="s34dca481f039c226">
  <source>How to get a license</source>
 </trans-unit>
 <trans-unit id="s948364901c166232">
  <source>Copy the installation ID</source>
 </trans-unit>
 <trans-unit id="s75c167446b237e0f">
  <source>Then open the customer portal</source>
 </trans-unit>
 <trans-unit id="s9748dd3bd53d27a4">
  <source>Forecasted default users</source>
 </trans-unit>
 <trans-unit id="s6b18f594d94c2374">
  <source>Estimated user count one year from now</source>
 </trans-unit>
 <trans-unit id="s69f246d164be88d0">
  <source>Forecasted external users</source>
 </trans-unit>
 <trans-unit id="s878fc2eaf94642db">
  <source>Estimated external user count one year from now</source>
 </trans-unit>
 <trans-unit id="sd22bd01bdf28c548">
  <source>Cumulative license expiry</source>
 </trans-unit>
 <trans-unit id="sdeb6cee42435dd07">
  <source>Update License</source>
 </trans-unit>
 <trans-unit id="s99afa741c259d70e">
  <source>Create License</source>
 </trans-unit>
 <trans-unit id="s7df5b92a3f93544f">
  <source>Warning: The current user count has exceeded the configured licenses.</source>
 </trans-unit>
 <trans-unit id="s0141f42936495787">
  <source>Click here for more info.</source>
 </trans-unit>
 <trans-unit id="s7be2df39f727faa2">
  <source>Enterprise</source>
 </trans-unit>
 <trans-unit id="s9ce7cc01fb9b5b53">
  <source>Manage enterprise licenses</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/zh-Hant.xlf
+++ b/web/xliff/zh-Hant.xlf
@ -5700,6 +5700,84 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s1889ba2eaeec2f1e">
  <source>When enabled, code-based multi-factor authentication can be used by appending a semicolon and the TOTP code to the password. This should only be enabled if all users that will bind to this provider have a TOTP device configured, as otherwise a password may incorrectly be rejected if it contains a semicolon.</source>
 </trans-unit>
 <trans-unit id="s9f9492d30a96b9c6">
  <source>User type</source>
 </trans-unit>
 <trans-unit id="s0b9a40b7b2853c7d">
  <source>Default user</source>
 </trans-unit>
 <trans-unit id="s35b9fa270f45b391">
  <source>External user</source>
 </trans-unit>
 <trans-unit id="s1a635369edaf4dc3">
  <source>Service account</source>
 </trans-unit>
 <trans-unit id="s0e427111d750cc02">
  <source>Successfully updated license.</source>
 </trans-unit>
 <trans-unit id="s06ae64e621f302eb">
  <source>Successfully created license.</source>
 </trans-unit>
 <trans-unit id="s2905c425adae99bd">
  <source>Install ID</source>
 </trans-unit>
 <trans-unit id="sb18ec434a8a3aafb">
  <source>License key</source>
 </trans-unit>
 <trans-unit id="s2e109263b73c12d5">
  <source>Licenses</source>
 </trans-unit>
 <trans-unit id="sf8f9f3032e891e16">
  <source>TODO Copy</source>
 </trans-unit>
 <trans-unit id="sd49099e9522635f4">
  <source>License(s)</source>
 </trans-unit>
 <trans-unit id="s3be1d90ffa46b7f1">
  <source>Enterprise is in preview.</source>
 </trans-unit>
 <trans-unit id="s34dca481f039c226">
  <source>How to get a license</source>
 </trans-unit>
 <trans-unit id="s948364901c166232">
  <source>Copy the installation ID</source>
 </trans-unit>
 <trans-unit id="s75c167446b237e0f">
  <source>Then open the customer portal</source>
 </trans-unit>
 <trans-unit id="s9748dd3bd53d27a4">
  <source>Forecasted default users</source>
 </trans-unit>
 <trans-unit id="s6b18f594d94c2374">
  <source>Estimated user count one year from now</source>
 </trans-unit>
 <trans-unit id="s69f246d164be88d0">
  <source>Forecasted external users</source>
 </trans-unit>
 <trans-unit id="s878fc2eaf94642db">
  <source>Estimated external user count one year from now</source>
 </trans-unit>
 <trans-unit id="sd22bd01bdf28c548">
  <source>Cumulative license expiry</source>
 </trans-unit>
 <trans-unit id="sdeb6cee42435dd07">
  <source>Update License</source>
 </trans-unit>
 <trans-unit id="s99afa741c259d70e">
  <source>Create License</source>
 </trans-unit>
 <trans-unit id="s7df5b92a3f93544f">
  <source>Warning: The current user count has exceeded the configured licenses.</source>
 </trans-unit>
 <trans-unit id="s0141f42936495787">
  <source>Click here for more info.</source>
 </trans-unit>
 <trans-unit id="s7be2df39f727faa2">
  <source>Enterprise</source>
 </trans-unit>
 <trans-unit id="s9ce7cc01fb9b5b53">
  <source>Manage enterprise licenses</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/zh_TW.xlf
+++ b/web/xliff/zh_TW.xlf
@ -5699,6 +5699,84 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s1889ba2eaeec2f1e">
  <source>When enabled, code-based multi-factor authentication can be used by appending a semicolon and the TOTP code to the password. This should only be enabled if all users that will bind to this provider have a TOTP device configured, as otherwise a password may incorrectly be rejected if it contains a semicolon.</source>
 </trans-unit>
 <trans-unit id="s9f9492d30a96b9c6">
  <source>User type</source>
 </trans-unit>
 <trans-unit id="s0b9a40b7b2853c7d">
  <source>Default user</source>
 </trans-unit>
 <trans-unit id="s35b9fa270f45b391">
  <source>External user</source>
 </trans-unit>
 <trans-unit id="s1a635369edaf4dc3">
  <source>Service account</source>
 </trans-unit>
 <trans-unit id="s0e427111d750cc02">
  <source>Successfully updated license.</source>
 </trans-unit>
 <trans-unit id="s06ae64e621f302eb">
  <source>Successfully created license.</source>
 </trans-unit>
 <trans-unit id="s2905c425adae99bd">
  <source>Install ID</source>
 </trans-unit>
 <trans-unit id="sb18ec434a8a3aafb">
  <source>License key</source>
 </trans-unit>
 <trans-unit id="s2e109263b73c12d5">
  <source>Licenses</source>
 </trans-unit>
 <trans-unit id="sf8f9f3032e891e16">
  <source>TODO Copy</source>
 </trans-unit>
 <trans-unit id="sd49099e9522635f4">
  <source>License(s)</source>
 </trans-unit>
 <trans-unit id="s3be1d90ffa46b7f1">
  <source>Enterprise is in preview.</source>
 </trans-unit>
 <trans-unit id="s34dca481f039c226">
  <source>How to get a license</source>
 </trans-unit>
 <trans-unit id="s948364901c166232">
  <source>Copy the installation ID</source>
 </trans-unit>
 <trans-unit id="s75c167446b237e0f">
  <source>Then open the customer portal</source>
 </trans-unit>
 <trans-unit id="s9748dd3bd53d27a4">
  <source>Forecasted default users</source>
 </trans-unit>
 <trans-unit id="s6b18f594d94c2374">
  <source>Estimated user count one year from now</source>
 </trans-unit>
 <trans-unit id="s69f246d164be88d0">
  <source>Forecasted external users</source>
 </trans-unit>
 <trans-unit id="s878fc2eaf94642db">
  <source>Estimated external user count one year from now</source>
 </trans-unit>
 <trans-unit id="sd22bd01bdf28c548">
  <source>Cumulative license expiry</source>
 </trans-unit>
 <trans-unit id="sdeb6cee42435dd07">
  <source>Update License</source>
 </trans-unit>
 <trans-unit id="s99afa741c259d70e">
  <source>Create License</source>
 </trans-unit>
 <trans-unit id="s7df5b92a3f93544f">
  <source>Warning: The current user count has exceeded the configured licenses.</source>
 </trans-unit>
 <trans-unit id="s0141f42936495787">
  <source>Click here for more info.</source>
 </trans-unit>
 <trans-unit id="s7be2df39f727faa2">
  <source>Enterprise</source>
 </trans-unit>
 <trans-unit id="s9ce7cc01fb9b5b53">
  <source>Manage enterprise licenses</source>
 </trans-unit>
    </body>
  </file>