--- title: Release 2021.6 slug: "2021.6" --- ## Headline Changes - Duo two-factor support You can now add the new `authenticator_duo` stage to configure Duo authenticators. Duo has also been added as device class to the `authenticator_validation` stage. Currently, only Duo push notifications are supported. Because no additional input is required, Duo also works with the LDAP Outpost. - Multi-tenancy This version adds soft multi-tenancy. This means you can configure different branding settings and different default flows per domain. This also changes how a default flow is determined. Previously, for defaults flow, authentik would pick the first flow that - matches the required designation - comes first sorted by slug - is allowed by policies Now, authentik first checks if the current tenant has a default flow configured for the selected designation. If not, it behaves the same as before, meaning that if you want to select a default flow based on policy, you can just leave the tenant default empty. - Domain-level authorization with proxy providers Instead of simply being able to toggle between forward auth and proxy mode, you can now enable forward auth for an entire domain. This has the downside that you can't do per-application authorization, but also simplifies configuration as you don't have to create each application in authentik. - API Schema now uses OpenAPI v3 The API endpoints are mostly the same, however all the clients are now built from an OpenAPI v3 schema. You can retrieve the schema from `authentik.company.tld/api/v2beta/schema/` - On Kubernetes installs without a /media PVC, you can now set URLs instead of uploading files. - Expanded prometheus metrics for PolicyEngine and FlowPlanner ## Minor changes - You can now specify which sources should be shown on an Identification stage. - Add UI for the reputation of IPs and usernames for reputation policies. - Fix proxy outpost not being able to redeem tokens when using with an un-trusted SSL Certificate - Add UI to check access of any application for any user ## Fixed in 2021.6.1-rc5 - flows: fix configuration URL being set when no flow is configure - stages/authenticator_totp: set TOTP issuer based on slug'd tenant title - stages/authenticator_webauthn: use tenant title as RP_NAME - stages/identification: add UPN - stages/password: add constants for password backends - web: fix flow download link ## Fixed in 2021.6.1-rc6 - ci: build and push stable tag when rc not in release name - core: delete real session when AuthenticatedSession is deleted - core: fix impersonation not working with inactive users - core: fix upload api not checking clear properly - core: revert check_access API to get to prevent CSRF errors - events: add tenant to event - events: catch unhandled exceptions from request as event, add button to open github issue - flows: fix error clearing flow background when no files have been uploaded - outpost: fix syntax error when creating an outpost with connection - outposts: fix integrity error with tokens - outposts/ldap: improve responses for unsuccessful binds - policies/reputation: fix race condition in tests - provider/proxy: mark forward_auth flag as deprecated - providers/saml: improve error handling for signature errors - root: fix build_hash being set incorrectly for tagged versions - sources/saml: check sessions before deleting user - stages/authenticator_duo: don't create default duo stage - stages/authenticator_validate: add tests for authenticator validation - stages/identification: fix challenges not being annotated correctly and API client not loading data correctly - web: add capabilities to sentry event - web: migrate banner to sidebar - web/admin: fix user enable/disable modal not matching other modals - web/admin: select service connection by default when only one exists - web/flows: fix expiry not shown on consent stage when loading - web/flows: fix IdentificationStage's label not matching fields - web/flows: improve display of allowed fields for identification stage - website/docs: add docs for outpost configuration ## Upgrading This release does not introduce any new requirements. ### docker-compose Download the docker-compose file for 2021.6 from [here](https://raw.githubusercontent.com/goauthentik/authentik/version-2021.6/docker-compose.yml). Afterwards, simply run `docker-compose up -d`. ### Kubernetes Upgrade to the latest chart version to get the new images.