Introducing the next era of Duende IdentityServer.

Read our CEO’s announcement
Start for Free

Your Identity, Your Terms: Duende's Modular Identity Infrastructure and v8.x Release

Tyler Parramore
Two blue circles

Today marks the most significant expansion of Duende’s offerings in our history. We’ve listened to you on customer success calls, during support discussions, and at conference booths. You’ve told us you need more comprehensive and responsive identity solutions, so we’ve been busy building.

Our goal now is to make Duende’s solutions the most accessible, most flexible, and most trusted foundation for securing human, machine, and agentic access across modern .NET ecosystems and beyond. Today is an important step on that journey. We are excited to share a major product release for IdentityServer, new platform-layer features and advanced capabilities as well as updated, flexible packaging for new customers. And we’re just getting started.

Simply put, we are partnering with our customers in a more expansive way. In addition to updates to our token server, we’re now delivering broader identity infrastructure capabilities that give you the power to build even more with Duende. Keep absolute control over identity and access, but move faster, scale smarter, and build whatever’s next with confidence.

TL;DR

  • Expanding Identity Infrastructure. Today we are releasing IdentityServer v8.x, a major release focused on modern .NET and five new modular add-ons, including first-class SAML Identity Provider (IdP) and Service Provider (SP) support. We are also shipping new additive identity infrastructure with first-party storage, management APIs, and operational tooling, first landing on our new User Management offering.
  • A more flexible packaging model for new customers. IdentityServer’s standards-aligned core identity solution now comes with modular add-ons that let customers flexibly adapt their package to their needs. Lite, Standard, Advanced, and Custom tiers replace Starter / Business / Enterprise / Enterprise+ for new customers. Tiers map to stages of growth so that customers can extend identity infrastructure on their own terms as their use cases evolve.
  • Increasing Investment in Technical Support and Customer Success. We are growing our Technical Support and Customer Success teams with expert engineers to deliver more of what our customers value most: architectural reviews; Priority and Premium Support SLAs; better documentation, samples, and templates; AI agent skills, documentation MCP server, and other tooling to help our customers build regardless of their build process.
  • Existing customers choose what’s best. Existing customers keep everything they have today. This is worth repeating: you can keep your historical legacy package tier (Starter / Business / Enterprise / Enterprise +) with all its entitlements. You can also upgrade to one of the new packages (Lite / Standard / Advanced / Custom) if they’re a better fit. For example, a new tier may offer a more comprehensive technical support package or more attractive SLA than your legacy tier. For customers who wish to stay on their legacy tiers, renewal pricing will reflect standard cost-of-living adjustments only.
  • Existing customers can try all the new add-ons, free in production. For any new add-on you don’t already have, you get free production access through the remainder of your current license term plus a full renewal year on top. Use it on real workloads. See what fits. If it earns its place, great. If not, your current package is still yours.

Why We’re Making These Changes

When we launched Duende IdentityServer, the job was clear: give .NET teams the most complete, standards-compliant token server available. Own your identity layer and control every extensibility point. That job hasn’t changed. What’s changed is the scope of the problem we’re helping you solve.

Yesterday, your identity project started with “we need login with basic SSO across a portfolio of applications.” Today, identity requirements include dynamic federation for multi-tenant platforms, a first-party user store with passkeys and MFA, an audit trail your compliance team can hand to an auditor, and an architecture that holds together while all of that is happening at once. Non-human identity and verifiable credentials are creating emergent issues that need to be addressed faster than ever. We see it in almost every customer conversation. Identity scope grows. The infrastructure underneath it has to grow with it.

That’s what we’ve been building, your expanding identity infrastructure. IdentityServer v8 remains the gold standard for fully customizable identity solutions. But there's also additive infrastructure now with first-party storage, management APIs, and operational tooling that today powers broader capabilities like User Management and lays the foundation for even more functionality in the future. This new foundation brings advanced capabilities to teams that want the power of IdentityServer with expert knowledge baked into the product. Additionally, customers can now extend their identity infrastructure on their terms with first-class modular add-ons, like SAML, FAPI conformance, automatic key management, and multi-issuer support.

This is the most significant expansion of Duende’s offering we’ve ever shipped. It’s also the reason the packaging is changing. The legacy packages told a story about a customer’s company size. The new packages tell a story about a customer’s identity architecture: what you’re running, what you’re extending, and what you’re not paying for because you don’t need it yet.

What’s New (For New Customers)

A More Flexible, Modular Model

IdentityServer’s core remains what it has always been: a standards-aligned OpenID Connect and OAuth 2.x foundation, production-ready, with the extensibility points .NET teams expect. The baseline in every paid tier is Duende’s latest version, IdentityServer v8.x, which is focused on modern .NET.

Shipping alongside v8 is additive identity infrastructure with first party storage, management APIs, and operational tooling, first landing on our new User Management offering. This is what we mean by “expanding identity infrastructure,” the token server isn’t going anywhere but it’s no longer the whole story.

Additionally, the capabilities that used to be buried inside higher tiers are now first-class modules. Most teams need one or two of them. Pricing them independently means you can adopt SAML the day you sign your first enterprise partner without paying for FAPI conformance you don’t need yet. A quick preview of the five modules being delivered:

  • SAML: Native SAML 2.0 in both directions. Provide SAML SSO to downstream partners and accept SAML assertions from upstream enterprise IdPs, all from the IdentityServer your team already controls.
  • User Management: First-party, embeddable .NET SDK with a modern, extensible user foundation tightly integrated with IdentityServer. Passwords, MFA, passkeys are all built in, all without the schema lock-in and technical debt of the legacy approach.
  • Financial Grade Security & Compliance (FGSC): FAPI 1.0 / 2.0 profiles for regulated industries, validating that your specific deployment is configured correctly against the full profile and produces an audit-supporting conformance report with remediation guidance.
  • Multi-Issuer: Enabling a single Duende IdentityServer deployment to serve multiple issuer URLs. Tokens carry the iss claim that matches the URL used to obtain them, in full compliance with OpenID Connect specification.
  • Automatic Key Management: Handles the full key lifecycle - generation, rotation, propagation, retirement - natively within IdentityServer. No external tooling. No manual processes.

Some add-ons are included at higher tiers; some are always purchased separately. The point is that you can see the line between what you’re running today and your next step.

Package Tiers That Map To How Teams Build

The new package tiers are scoped around the shape of an identity deployment: how many environments you’re running, how many client applications sit on top of it, and which capabilities are in scope. A two-person team building a regulated fintech app and a 5,000-person enterprise running an internal portfolio can each find a tier that matches the work, without paying for headroom they’ll never use.

  • Lite: A production-ready OpenID Connect and OAuth 2.0 identity provider built on ASP.NET Core entry point for a first production deployment.
  • Standard: Where most production deployments land. Server-side sessions, extended protocol support, and the ability to extend with add-ons when you actually need them.
  • Advanced: Full suite of capabilities with enterprise support with Dynamic Authentication Providers, SAML 2.0 IdP + SP, and Automatic Key Management included. Complete Duende IdentityServer solution for organizations running identity at scale, with a 2 business day SLA.
  • Custom: Up to unlimited deployments, unlimited client IDs, and unlimited BFF front-ends. 1 business day SLA support with direct access to Duende Software engineers.

For the detailed grid, see the pricing page. Also, it’s important to remember that with Duende, it’s free for development and testing. You only pay when you move to production.

New Duende Pricing & Packaging

What This Means for Existing Customers

Let's be honest: we haven’t always communicated our licensing changes well, and we've heard the frustration loud and clear. We've spent real time listening, and the way we are rolling out this evolution of our offering reflects what we've learned. We've tried to make the update straightforward, give our current customers flexibility, stability and predictability, and craft new packages that will help us build more together with all of our customers moving forward.

Keep everything you have. Indefinitely. We are not migrating any existing customer onto the IdentityServer v8.x tier structure. Your historical package with every capability, every allowance, including unlimited client IDs if you have them, is preserved at renewal. Your renewal quote will reflect standard cost-of-living adjustments only. If a capability is now bundled in the IdentityServer v8.x tier equivalent to your historical tier (SAML at Advanced, for example), it becomes a permanent part of your entitlements at no added cost. Not a trial. Not a promotion. Yours.

Try everything else, free in production. We want you to try what we’ve built. So for any add-on you don’t already have and isn’t bundled in your equivalent IdentityServer v8.x tier, we’re giving existing customers free access in production through your next renewal year. That’s a real production trial, not a sandbox demo. Ship it. Use it. Tell us what works. If at the end of that window you decide you love your current package as-is, your current package is still yours. If something we built earns its place in your architecture, you’ll know based on the strength of running it.

Whatever you choose, it’s your call. Moving to the IdentityServer v8.x model is opt-in, never imposed. If at any point you’d like us to model both options side by side, your historical package versus the new structure, your account contact will walk through it transparently. We built something we’re proud of, and we want our existing customers to be the first to use it.

Closing

You’ll notice Duende has a different look on our website, at conferences, and across our social platforms. With our offering and team expanding, we wanted to create a new look and feel for Duende that reflects our energy and ambition as we set out on the next stage of our journey. The look is new. What's behind it isn't: control in your hands, expert support at every step, and identity infrastructure built to be the foundation of your business. All of this translates into giving you the power to build with confidence.

Please remember that a commercial license with Duende is a relationship, not a one-time transaction. The packaging update on June 2 is the licensing implementation of a much bigger commitment: to keep building identity infrastructure that grows with the .NET teams who depend on it, and to keep widening the support, the reviews, the engineering depth, and the customer success engagement that surrounds it.

If you’re an existing customer, and have questions, your account contact is the fastest path. We'd welcome the conversation now, well before renewal comes around.

Thank you for building with Duende.

Tyler Parramore

Frequently Asked Questions

When do the new pricing and packaging take effect?

June 2, 2026. All new licenses quoted on or after that date are on the new model. Active licenses continue under their original terms.

What happens to my existing license?

Your current license, tier, and entitlements are preserved at renewal. The capabilities you have today stay. The usage allowances you have today stay. Any future renewals will reflect a standard cost-of-living adjustment only. You are not migrated to the new tier structure at renewal. Where a capability is now bundled in the IdentityServer v8.x tier equivalent to your historical tier, the capability becomes a permanent part of your entitlements at no added cost. If you'd like to explore the IdentityServer v8.x because it might save you money or unlock something new, we'll happily model it alongside your renewal quote. But choosing it is opt-in.

What if I want to take advantage of my “free add-ons for 1 year”?

Existing customers are grandfathered on their base terms with an offer of add-ons free for one year. After one year, at renewal, you can choose to stay on your current tier plus the add-on price (if you choose to keep it in your identity stack).

Will any existing customer see a price increase?

The only pricing change that will be seen, if not opting for any packaging changes, would reflect a standard cost-of-living increase. For any customer-specific pricing questions, please reach out to sales@duendesoftware.com. Again, we'd welcome the conversation now, well before renewal comes around.

What are the new tiers, and how do I know which one I’m in?

The new tiers are Community (free), Lite, Standard, Advanced, and Custom. Tiers are scoped by number of production deployments, number of client applications, which add-ons are included, and the support level. Your account contact can also model it with you directly.

What are the add-ons, and why aren’t they just in the tier?

The add-ons are SAML, Financial-grade Security & Conformance (FGSC), Multi-Issuer, Automatic Key Management, and User Management. They’re modular because most teams need one or two of them, not all of them. Pricing each capability independently means you can say yes to SAML without paying for FGSC headroom you don’t need. Advanced and Custom tiers include a subset of these by default; the rest are always priced separately.

For existing customers: if an add-on is bundled in the IdentityServer v8.x tier equivalent to your historical tier, it is permanently included in your preserved package at no added cost. If you had a capability under your historical package that is now an IdentityServer v8.x add-on, you keep it permanently. And any add-on can be used in production free for one year when you try IdentityServer v8. Continued production use after the trial year requires a new license.

What is the additive platform layer, and is it a separate product?

The additive platform layer is how Duende delivers capabilities that sit above the protocol surface: purpose-built SDK management plane, first-party storage, and operational tooling. User Management is the first capability on that layer, and it scales alongside your IdentityServer tier.

I use the redistribution license. What changes?

The redistribution license model continues, and your existing agreement is honored. The core plus add-ons structure applies the same way: the redistribution scope is negotiated against the same tiers and capabilities under the new model. If you’re a redistribution partner, your account contact will reach out ahead of renewal to walk through the specifics.

What happens to Duende’s Backend for Frontend Security Framework?

Duende’s BFF is now bundled in every paid tier and is no longer sold as a standalone product.

I bought BFF as a standalone product. What changes?

For existing Business and Enterprise customers who purchased BFF as a standalone product, your entitlement depends on when you purchased:

  • Before March 2025: You receive unlimited frontends.
  • March 2025 through June 2, 2026: You receive whichever is higher: the frontend count on your original BFF entitlement, or the BFF entitlement included in your current tier/edition under the new packaging.
  • After June 2, 2026: Standard entitlements under the new packaging apply.

Does the free community edition still exist?

Yes. The Community tier is free for development, learning, and small-scale production use within clearly defined limits on deployments, clients, and distinct users. It doesn’t include commercial support or add-ons.

If you are using the Community Edition today and your usage no longer qualifies under the IdentityServer v8.x eligibility criteria, you retain free use of your current IdentityServer version under the Community terms that applied when you adopted it, consistent with our principle of preserving existing entitlements.

How does support work under the new model?

Community and Lite include community-level support. Standard includes two escalations per year. Advanced includes a 48-hour SLA. Custom includes a 24-hour SLA and a dedicated Technical Account Manager (TAM).

Existing customers retain the support level included in their historical package at renewal.

Where can I learn more?

The pricing page has the full tier grid and the add-on line items. Your account contact can model your specific renewal before anything is final. For a deeper technical view of what’s shipping alongside the new packaging and the .NET 10 release, see the product release announcement.