web/admin: Improve WS-Fed algo selection logic (cherry-pick #20881 to version-2026.2)

[authentik-automation]

⚠️ This cherry-pick has conflicts that require manual resolution.

Cherry-pick of #20881 to version-2026.2 branch.

Original PR: #20881
Original Author: @PeshekDotDev
Cherry-picked commit: db5a154

Please resolve the conflicts in this PR before merging.

[netlify]

✅ Deploy Preview for authentik-integrations ready!

Name	Link
🔨 Latest commit	2e564b6
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-integrations/deploys/69e7a28555230e00082c8f0c
😎 Deploy Preview	https://deploy-preview-21438--authentik-integrations.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.46%. Comparing base (e5d873c) to head (2e564b6).
⚠️ Report is 1 commits behind head on version-2026.2.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@                Coverage Diff                 @@
##           version-2026.2   #21438      +/-   ##
==================================================
- Coverage           93.47%   93.46%   -0.01%     
==================================================
  Files                 981      981              
  Lines               55343    55343              
==================================================
- Hits                51731    51727       -4     
- Misses               3612     3616       +4     

Flag	Coverage Δ
conformance	37.26% <ø> (+<0.01%)	⬆️
e2e	43.01% <ø> (-0.01%)	⬇️
integration	22.24% <ø> (+<0.01%)	⬆️
unit	91.65% <ø> (+<0.01%)	⬆️
unit-migrate	91.70% <ø> (+1.94%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[github-actions]

authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your .env file:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-2e564b67bcf0ca9dde0ab16e03545643e946a261
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your values.yml file:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
    image:
        repository: ghcr.io/goauthentik/dev-server
        tag: gh-2e564b67bcf0ca9dde0ab16e03545643e946a261

Afterwards, run the upgrade commands from the latest release notes.

[kensternberg-authentik]

A bit of nitpicking, and one question about if signingKeyType is initialized correctly.

[kensternberg-authentik]

Since you touched it, maybe you can fix an issue here: isCurrentAlgorithmAvailable is recalculated on every loop, but doesn't use the variable that changes with each loop (hash). Consider moving the calculation for isCurrentAlgorithmAvailable out of the map() function. Since you only ever check the negation, you could rewrite in to something like currentAlgorithmNotAvailable.

[kensternberg-authentik]

This expression appears three different times, in three different Forms. If the default ever changes, someone's gonna miss one. I wonder if there's a way to extract this and put it somewhere safe.

[kensternberg-authentik]

Line 47 echoes Line 27. Is there a reason line 48 has no equivalent setter in loadInstance()?

[kensternberg-authentik]

Consider putting a typeguard function here. InputEvent is very generic; checking that the source really is an AkCryptoCertificateSearch might catch someone using this wrong.