Duende Spring Launch '26: Identity Infrastructure That Expands With You

For years, customers have come to Duende for one thing: industry-leading OAuth and OIDC expertise codified into a .NET SDK. A token server they could run themselves, while they built their own user stores, admin tooling, and federation logic around it. This arrangement worked.

What every customer faces around that arrangement has changed: security threat surfaces that keep expanding, compliance baselines that keep rising, partnerships that require OIDC and SAML bridged together, AI agents that need to authenticate, register, discover endpoints, and obtain tokens through the same surfaces users hit today. The identity status quo was not built for any of this. Across very different businesses, the same components get built manually: user stores, admin APIs, federation logic, multi-tenant issuers. Every team running its own identity stack builds these from scratch, then keeps rebuilding them as business and security demands shift.

We heard it loud and clear that you wanted something different: building blocks alongside IdentityServer, not parallel infrastructure to stand up, and a foundation you can compose identity capabilities on, with the architecture, the data model, and the extension points still in your hands. And no less important, you want the option to adopt them incrementally, without a major modernization program.

So that’s exactly what we delivered: identity infrastructure for teams that need ultimate control and sovereignty. Build your own user management, or don't. Add identity capabilities when your business needs them. The choice remains yours.

Today, we are proud to announce Duende IdentityServer v8. Duende IdentityServer remains the gold standard for fully customizable identity solutions: the most flexible, standards-compliant SDK for OpenID Connect and OAuth 2.0.

In addition to IdentityServer v8, we're introducing a modular add-on system: a new way to extend your identity provider implementations with advanced capabilities like SAML 2.0, User Management, Financial-Grade Security & Conformance (FGSC), Automatic Key Management, and Multi-Issuer support. Our Backend for Frontend offering is now part of the modular add-on system. These modular capabilities can be added when your business is ready. This release is a continued evolution of IdentityServer, yet it also marks a shift in how we deliver it.

What's in the Release?

In this release: IdentityServer v8, with the add-ons that expand your identity capabilities, and additive identity infrastructure with first-party storage, management APIs, and operational tooling, which ships inside our new User Management offering.

IdentityServer v8: The Foundation for Your Identity Infrastructure

  • Architectural improvements throughout. v8 is a refinement of the programming model with idiomatic cooperative cancellation across all asynchronous interfaces, TimeProvider replacing legacy clock abstractions and enabling deterministic time-based testing, HybridCache facilitating multi-layered caching strategies, and improved extensibility in the authorized interaction pipeline. These are the kinds of changes that make IdentityServer easier to extend, test, and operate.
  • SAML IdP & SP support. IdentityServer v8 adds first-class SAML capabilities, letting your identity infrastructure bridge OIDC and SAML worlds without bolting on separate middleware.
  • A unified model for connected applications. v8 introduces the Connected Application with a protocol-agnostic abstraction that represents both OIDC clients and SAML Service Providers under a single concept. Consent, enablement, and application management work consistently regardless of protocol.
  • Additive Infrastructure. Additive identity infrastructure, with first-party storage, management APIs, and operational tooling, debuts with our new User Management offering. This capability surface covers what every interactive application needs and what most teams end up hand-rolling, including a native user store with high-level operational APIs; admin-level user control for enable/disable and credential reset; and multi-database support across SQLite, SQL Server, and PostgreSQL. If you don't need the platform-level features, stay exactly where you are. But if you're looking for more expert guidance, this additive infrastructure will serve as the north star for Duende’s current and future advanced capabilities.
  • Meeting you where you are. Already on .NET 10? IdentityServer 7.4 supports it today. Upgrade your runtime without changing your identity stack. Ready for a bigger step? v8 targets .NET 10 and brings the new capabilities above. Whether you're migrating incrementally or jumping ahead, we've got you covered.

Choose What You Want, When You Want

Beginning with this release, Duende delivers modular add-ons by design. Customers add what they need when they're ready. Each add-on solves a real problem on its own, synergizing with the others through the shared foundation, and staying under your control. Adopt one. Add another when the business demands it. Pay only for what you use.

User Management - A Modern User Store Built for the Future of Auth

User Management is a first-party, embeddable extension of Duende IdentityServer that brings fully supported user storage, authentication, and lifecycle management directly into your deployment. Passwords, MFA, and passkeys are built in, not bolted on. It replaces the older solutions and bespoke user systems most teams still maintain in-house with a modern, extensible, enterprise-grade user store. Leave legacy user stores behind. Plan your identity story with future-proof user management.

Explore User Management for more details, including pricing.

SAML 2.0 (IdP and SP) - Building Bridges to New Opportunities

SAML 2.0 becomes a first-party capability of your Duende IdentityServer deployment. A single add-on covers both Identity Provider (IdP) and Service Provider (SP) roles, letting OAuth, OIDC, and SAML run through the same token server. No second vendor, no second upgrade cycle, no integration seam to manage every release.

The add-on issues SAML assertions to downstream service providers such as Salesforce, Workday, and internal enterprise apps, and accepts them from upstream enterprise IdPs such as ADFS, Ping, and Okta. It bridges protocols in both directions, so you can authenticate via OIDC internally and issue SAML downstream, or accept SAML upstream and translate it into OIDC for the rest of your stack. All self-hosted, all version-matched to IdentityServer.

Explore SAML 2.0 for more details, including pricing.

Financial-Grade Security & Conformance - Accelerate Confidently Towards Compliance

Financial-Grade Security & Conformance (FGSC) validates your existing Duende IdentityServer configuration against FAPI 2.0 and OAuth 2.1 requirements and produces an audit-supporting conformance report, strictly adhering to the OpenID Foundation specifications.

The report is a human-readable web page that an auditor can read directly: rule by rule, pass/fail/warning status for every FAPI 2.0 profile requirement, with specific recommendations on what to change when a check fails. Define the requirement, run the report, fix what it flags, and rerun to strengthen your compliance and security posture. Because it validates the IdentityServer deployment you already run, there's no re-architecture or migration to a SaaS service required to prove FAPI conformance.

Explore FGSC for more details, including pricing.

Automatic Key Management - Hardened Security on Autopilot

Automatic Key Management handles the full lifecycle of signing and validation keys within Duende IdentityServer - generation, rotation, propagation to relying parties, and retirement - natively, with no external key management tooling required. It is designed for zero-downtime rollover.

Key rotation is the identity infrastructure discipline everyone knows matters and almost nobody does well. It is error-prone, often forgotten, and one of the most preventable causes of production outages: when a signing key expires unexpectedly, token validation breaks across every relying party at once. Automatic Key Management minimizes the risk of that whole category of incidents. Keys are managed as infrastructure, not as a manual task with a calendar reminder. The add-on is native to IdentityServer, with no external dependencies, is designed for zero-downtime rollover by default, and is priced as a flat fee.

Explore Automatic Key Management for more details, including pricing.

Multi-Issuer - Optimizing Your Infrastructure, Scaling Your Ambitions

Multi-Issuer adds native multi-issuer URI support, configuration, and policy without deploying separate IdentityServer instances.

Multi-Issuer lets a single Duende IdentityServer deployment serve multiple issuer URLs. Tokens carry the iss claim that matches the URL used to obtain them, in full compliance with the OpenID Connect specification. The result is a protocol-level trust boundary between contexts, from a single licensed deployment. Brand portfolios, regional subsidiaries, and partitioned-trust deployments run under a single instance, each with its own OIDC issuer. Add a brand, region, or business unit on the existing instance without increasing operational overhead.

Explore Multi-Issuer for more details, including pricing.

Backend for Frontend - Simplify Front-end Security

BFF manages tokens on the server, not in the browser, to simplify your front-end development and increase security for Angular, React, Vue, and Blazor WASM apps. Host anywhere. With this release, v8 adds IUserEndpointClaimsEnricher, letting you enrich or transform claims after authentication with full access to the AuthenticateResult, including the access token, with no need to override authentication handlers. Duende BFF is included in all editions of IdentityServer, and customers can purchase additional front-ends as their needs arise.

Explore BFF for more details, including pricing.

The Power to Build

IdentityServer v8 remains the gold standard for fully customizable identity solutions. The shared foundation is additive, bringing platform-level features, opinionated defaults, and developer guidance to teams that want the power of IdentityServer with more expert guidance. The add-ons are the first concrete building blocks customers can compose into the architecture that fits them. See the blog post from our CEO, Tyler Parramore, on how customers can try all these add-ons for free in production.

You've already built your foundation with Duende. Now extend it on your terms.

IdentityServer v8 is included in all existing license tiers at no additional cost. The five modular add-ons are now available via NuGet, each with its own tier requirements. For migration guidance, the Conformance Report, and the full v8 release notes, see the Duende documentation.