diff --git a/platform/kanidm/values.yaml b/platform/kanidm/values.yaml
index 20884ec2..321a647d 100644
--- a/platform/kanidm/values.yaml
+++ b/platform/kanidm/values.yaml
@@ -6,7 +6,7 @@ app-template:
 main:
 image:
 repository: docker.io/kanidm/server
- tag: 1.1.0-rc.16
+ tag: 1.3.3
 statefulset:
 volumeClaimTemplates:
 - name: data
@@ -21,7 +21,7 @@ app-template:
 server.toml: |
 bindaddress = "[::]:443"
 ldapbindaddress = "[::]:636"
- # trust_x_forward_for = false
+ trust_x_forward_for = true
 db_path = "/data/kanidm.db"
 tls_chain = "/data/ca.crt"
 tls_key = "/data/tls.key"
diff --git a/scripts/hacks b/scripts/hacks
index de4f2a60..e269ec64 100755
--- a/scripts/hacks
+++ b/scripts/hacks
@@ -172,7 +172,7 @@ def setup_kanidm_group(name: str) -> None:
 def setup_kanidm_oauth_app(name: str, redirect_uri: str) -> None:
 try:
 subprocess.run(
- ["kanidm", "system", "oauth2", "create", "--url", f"https://{kanidm_host}", "--name", "admin", name, name, redirect_uri],
+ ["kanidm", "system", "oauth2", "create", "--url", f"https://{kanidm_host}", "--name", "idm_admin", name, name, redirect_uri],
 capture_output=True,
 check=True,
 )
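Review bot: `trust_x_forward_for = true` in `server.toml` makes Kanidm take the client address from the X-Forwarded-For header, while the same file binds `[::]:443` directly, so any client that can reach the pod without passing through the ingress proxy can supply its own address for audit logs and any address-based limiting. Nothing in this hunk shows that direct access is blocked; if that is enforced elsewhere (for example a NetworkPolicy admitting only the ingress controller), record the assumption next to the setting with a comment such as `# safe only while the ingress controller is the sole path to :443 and sets X-Forwarded-For itself`. It is also worth confirming how the proxy treats a header that is already present on the incoming request.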
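Review bot: The account name `"idm_admin"` is a repeated string literal in this `oauth2 create` call and in the three calls of the following hunk, which is why this rename had to touch four lines. Defining it once where `kanidm_host` is defined, e.g. `kanidm_admin = "idm_admin"`, and passing `"--name", kanidm_admin` would keep the next change to a single line. Since idm_admin is a built-in administrative account, a short comment stating why the bootstrap script authenticates as it (and whether a narrower, dedicated account is planned) would help anyone auditing the script. The body of `setup_kanidm_oauth_app` continues outside this hunk, including the `except` that pairs with the visible `try:`.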
@@ -181,20 +181,20 @@ def setup_kanidm_oauth_app(name: str, redirect_uri: str) -> None: # TODO https://github.com/dexidp/dex/pull/3188 subprocess.run( - ["kanidm", "system", "oauth2", "warning-insecure-client-disable-pkce", "--url", f"https://{kanidm_host}", "--name", "admin", name], + ["kanidm", "system", "oauth2", "warning-insecure-client-disable-pkce", "--url", f"https://{kanidm_host}", "--name", "idm_admin", name], capture_output=True, check=True, ) subprocess.run( # TODO better group management - ["kanidm", "system", "oauth2", "create-scope-map", "--url", f"https://{kanidm_host}", "--name", "admin", name, "editor", "openid", "profile", "email", "groups"], + ["kanidm", "system", "oauth2", "create-scope-map", "--url", f"https://{kanidm_host}", "--name", "idm_admin", name, "editor", "openid", "profile", "email", "groups"], capture_output=True, check=True, ) client_secret = json.loads(subprocess.run( - ["kanidm", "system", "oauth2", "show-basic-secret", "--url", f"https://{kanidm_host}", "--name", "admin", "--output", "json", name], + ["kanidm", "system", "oauth2", "show-basic-secret", "--url", f"https://{kanidm_host}", "--name", "idm_admin", "--output", "json", name], capture_output=True, check=True, ).stdout.decode("utf-8"))['secret']
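Review bot: The `warning-insecure-client-disable-pkce` call appears to run for every client created through `setup_kanidm_oauth_app`, so any application registered with this helper loses PKCE, not only the one the Dex TODO refers to. Making it opt-in keeps the weaker setting scoped to clients that need it: extend the signature to `def setup_kanidm_oauth_app(name: str, redirect_uri: str, disable_pkce: bool = False) -> None:` and wrap the call in `if disable_pkce:`, with the Dex caller passing `disable_pkce=True`. The same applies to the hard-coded `"editor"` group in the `create-scope-map` call, which the existing TODO already flags. The function starts before this hunk and continues after it, so whether `client_secret` is later logged or written to disk cannot be judged from here.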