diff --git a/abra.sh b/abra.sh
index 2bb2a0f..c3d9847 100644
--- a/abra.sh
+++ b/abra.sh
@@ -5,17 +5,17 @@ export FLOW_INVALIDATION_VERSION=v2
 export FLOW_RECOVERY_VERSION=v1
 export FLOW_TRANSLATION_VERSION=v3
 export SYSTEM_BRAND_VERSION=v4
-export NEXTCLOUD_CONFIG_VERSION=v1
-export WORDPRESS_CONFIG_VERSION=v2
-export MATRIX_CONFIG_VERSION=v1
-export WEKAN_CONFIG_VERSION=v3
-export VIKUNJA_CONFIG_VERSION=v1
-export OUTLINE_CONFIG_VERSION=v2
-export KIMAI_CONFIG_VERSION=v1
-export ZAMMAD_CONFIG_VERSION=v2
-export RALLLY_CONFIG_VERSION=v2
-export HEDGEDOC_CONFIG_VERSION=v1
-export MONITORING_CONFIG_VERSION=v2
+export NEXTCLOUD_CONFIG_VERSION=v2
+export WORDPRESS_CONFIG_VERSION=v3
+export MATRIX_CONFIG_VERSION=v2
+export WEKAN_CONFIG_VERSION=v4
+export VIKUNJA_CONFIG_VERSION=v2
+export OUTLINE_CONFIG_VERSION=v3
+export KIMAI_CONFIG_VERSION=v2
+export ZAMMAD_CONFIG_VERSION=v3
+export RALLLY_CONFIG_VERSION=v3
+export HEDGEDOC_CONFIG_VERSION=v2
+export MONITORING_CONFIG_VERSION=v3
 export DB_ENTRYPOINT_VERSION=v1
 export PG_BACKUP_VERSION=v2
diff --git a/hedgedoc.yaml.tmpl b/hedgedoc.yaml.tmpl
index 33bf308..eafa124 100644
--- a/hedgedoc.yaml.tmpl
+++ b/hedgedoc.yaml.tmpl
@@ -8,7 +8,9 @@ entries:
 - attrs:
 access_code_validity: minutes=1
+ authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
 authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+ invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
 client_id: {{ secret "hedgedoc_id" }}
 client_secret: {{ secret "hedgedoc_secret" }}
 client_type: confidential
diff --git a/kimai.yaml.tmpl b/kimai.yaml.tmpl
index 59e2e9f..ccc016d 100644
--- a/kimai.yaml.tmpl
+++ b/kimai.yaml.tmpl
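Review bot: The added `invalidation_flow` line in the hedgedoc hunk binds the provider to `default-provider-invalidation-flow`, which, if this is authentik's stock flow, only shows the "logged out of the application" page and leaves the authentik session itself alive, so signing out of HedgeDoc does not end SSO for that browser; if full logout is what these deployments expect, the flow that terminates the authentik session (`default-invalidation-flow`) is the one to reference, and either way the intent deserves a comment above the new line such as `# app-only logout: the authentik session stays active after the user signs out of the app`. The same pair of lines is added in the matrix, monitoring, nextcloud, outline, rallly, vikunja, wekan and wordpress hunks, and the SAML providers in kimai and zammad gain the same `invalidation_flow`. Both `!Find` lookups presumably resolve to null when the slug does not exist, so a deployment where the stock default flows were renamed or removed would apply with an unset flow or fail validation instead of reporting the failed lookup; a short comment recording the dependency on authentik's default flows would save the next maintainer a debugging round. The `- attrs:` provider entry continues past the hunk.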
@@ -12,6 +12,7 @@ entries:
 audience: https://{{ env "KIMAI_DOMAIN" }}/auth/saml
 authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
 authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+ invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
 digest_algorithm: http://www.w3.org/2001/04/xmlenc#sha256
 issuer: https://{{ env "DOMAIN" }}
 name: Kimai
@@ -24,6 +25,7 @@ entries:
 - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Groups"]]
 - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: UPN"]]
 session_valid_not_on_or_after: minutes=86400
+ sign_assertion: true
 signature_algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
 signing_kp: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
 sp_binding: post
@@ -45,4 +47,4 @@ entries:
 identifiers:
 name: Kimai
 model: authentik_core.application
- state: present
\ No newline at end of file
+ state: present
diff --git a/matrix.yaml.tmpl b/matrix.yaml.tmpl
index 5ef8247..aa4e2ae 100644
--- a/matrix.yaml.tmpl
+++ b/matrix.yaml.tmpl
@@ -8,7 +8,9 @@ entries:
 - attrs:
 access_code_validity: minutes=1
+ authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
 authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+ invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
 client_id: {{ secret "matrix_id" }}
 client_secret: {{ secret "matrix_secret" }}
 client_type: confidential
diff --git a/monitoring.yaml.tmpl b/monitoring.yaml.tmpl
index e0c6b1e..7c1942b 100644
--- a/monitoring.yaml.tmpl
+++ b/monitoring.yaml.tmpl
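Review bot: Assertion signing is switched on in the second kimai hunk (`sign_assertion: true` after `session_valid_not_on_or_after`) without deciding response signing; recent authentik SAML providers also expose a `sign_response` option, so if Kimai's SAML library is set to require a signed response it should be enabled explicitly, and if signing only the assertion is the intended contract that should be written down next to the new line, e.g. `# only the assertion is signed; the SAML response envelope is not`. The zammad hunk at its `session_valid_not_on_or_after` line adds the same setting and has the same open question. The signature is produced with the `signing_kp` named "authentik Self-signed Certificate", which the service provider must hold to verify it, so rotating that key pair in authentik breaks Kimai and Zammad logins until the new certificate is imported on the SP side; a comment beside `signing_kp` recording that coupling would help whoever rotates it. The provider entry continues outside the hunk.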
@@ -8,7 +8,9 @@ entries:
 - attrs:
 access_code_validity: minutes=1
+ authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
 authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+ invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
 client_id: {{ secret "monitoring_id" }}
 client_secret: {{ secret "monitoring_secret" }}
 client_type: confidential
diff --git a/nextcloud.yaml.tmpl b/nextcloud.yaml.tmpl
index dfb764f..af62a9e 100644
--- a/nextcloud.yaml.tmpl
+++ b/nextcloud.yaml.tmpl
@@ -20,7 +20,9 @@ entries:
 - attrs:
 access_code_validity: minutes=1
+ authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
 authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+ invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
 client_id: {{ secret "nextcloud_id" }}
 client_secret: {{ secret "nextcloud_secret" }}
 client_type: confidential
diff --git a/outline.yaml.tmpl b/outline.yaml.tmpl
index f36d048..ec72b2e 100644
--- a/outline.yaml.tmpl
+++ b/outline.yaml.tmpl
@@ -8,7 +8,9 @@ entries:
 - attrs:
 access_code_validity: minutes=1
+ authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
 authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+ invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
 client_id: {{ secret "outline_id" }}
 client_secret: {{ secret "outline_secret" }}
 client_type: confidential
diff --git a/rallly.yaml.tmpl b/rallly.yaml.tmpl
index f4bce17..8e26c40 100644
--- a/rallly.yaml.tmpl
+++ b/rallly.yaml.tmpl
@@ -8,7 +8,9 @@ entries:
 - attrs:
 access_code_validity: minutes=1
+ authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
 authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+ invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
 client_id: {{ secret "rallly_id" }}
 client_secret: {{ secret "rallly_secret" }}
 client_type: confidential
diff --git a/vikunja.yaml.tmpl b/vikunja.yaml.tmpl
index c2ff204..ab7af08 100644
--- a/vikunja.yaml.tmpl
+++ b/vikunja.yaml.tmpl
@@ -8,7 +8,9 @@ entries:
 - attrs:
 access_code_validity: minutes=1
+ authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
 authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+ invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
 client_id: {{ secret "vikunja_id" }}
 client_secret: {{ secret "vikunja_secret" }}
 client_type: confidential
diff --git a/wekan.yaml.tmpl b/wekan.yaml.tmpl
index 7be7eba..a9549f8 100644
--- a/wekan.yaml.tmpl
+++ b/wekan.yaml.tmpl
@@ -25,7 +25,9 @@ entries:
 - attrs:
 access_code_validity: minutes=1
+ authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
 authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+ invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
 client_id: {{ secret "wekan_id" }}
 client_secret: {{ secret "wekan_secret" }}
 client_type: confidential
diff --git a/wordpress.yaml.tmpl b/wordpress.yaml.tmpl
index 28644aa..7624908 100644
--- a/wordpress.yaml.tmpl
+++ b/wordpress.yaml.tmpl
@@ -8,7 +8,9 @@ entries:
 - attrs:
 access_code_validity: minutes=1
+ authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
 authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+ invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
 client_id: {{ secret "wordpress_id" }}
 client_secret: {{ secret "wordpress_secret" }}
 client_type: confidential
diff --git a/zammad.yaml.tmpl b/zammad.yaml.tmpl
index 7d634d7..b84a6d9 100644
--- a/zammad.yaml.tmpl
+++ b/zammad.yaml.tmpl
@@ -36,6 +36,7 @@ entries:
 audience: https://{{ env "ZAMMAD_DOMAIN" }}/auth/saml/metadata
 authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
 authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+ invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
 digest_algorithm: http://www.w3.org/2001/04/xmlenc#sha256
 issuer: https://{{ env "ZAMMAD_DOMAIN" }}/auth/saml/metadata
 name: zammad
@@ -43,6 +44,7 @@ entries:
 - !KeyOf zammad_name_mapping
 - !KeyOf zammad_email_mapping
 session_valid_not_on_or_after: minutes=86400
+ sign_assertion: true
 signature_algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
 signing_kp: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
 sp_binding: post