
Sovereign Identity for Sovereign Systems

Deploy a .NET-native identity foundation inside your authorization boundary, aligned with NIST SP 800-63 and the assurance standards your jurisdiction mandates. Bridge smartcard, certificate, and SAML 2.0 credentials, then extend with modular add-ons as your accreditation scope evolves.

Challenge

SaaS Identity Fails Accreditation

Multi-tenant identity SaaS can't satisfy the cloud-security regimes that governments operate under, whether that's FedRAMP and IL4/IL5 in the US, GovRAMP at the state level, IRAP for the EU's cloud schemes, or NCSC principles abroad. The identity layer must be deployed within the boundary, run by cleared staff, and remain auditable by your approving authority.

Impact of Doing Nothing

Your Mandate, Their Roadmap

Phishing-resistant authentication, sender-constrained tokens, continuous authorization: all of it is your responsibility, and none of it is buildable on the incumbent identity layer without a major upgrade. New services wait on procurement, legacy systems can't federate, and smartcard credentials get bolted on one integration at a time.

Duende IdentityServer Customers

Trusted by over 2,500 of the world's most standards-based and security-conscious organizations

Solution

One Identity Foundation, Bridging Modern and Legacy

Duende IdentityServer speaks OAuth 2.1, OpenID Connect, and SAML 2.0 from the same deployment. New citizen services and 20-year-old case-management systems share a single coherent identity foundation within your authorization boundary. Extend with modular add-ons under a single support contract.

Sovereign and Air-Gapped Deployment

On-prem, agency private cloud, government cloud region, sovereign in-country region, or fully air-gapped. Runs wherever your authorization boundary sits, with no external calls and no data leaving.

Federation Across Protocols, Agencies, and Tenants

IdentityServer acts as a full SAML 2.0 IdP and SP, as well as a modern OIDC provider. As a .NET SDK, it delivers per-agency isolation and branding; Multi-Issuer enables a single IdentityServer deployment to serve multiple issuer URLs.

Built for Assurance and Audit

The Financial-Grade Security & Conformance add-on validates config against FAPI 2.0 and produces an audit-supporting report for remediation. Automatic Key Management rotates signing keys with zero downtime on FIPS-compliant infrastructure.

Citizen Identity You Control

The User Management add-on brings passkeys, MFA, and passwordless auth to citizen portals as an embeddable .NET SDK. No SaaS routes citizen PII externally, and the source is on GitHub for security-team and supply-chain inspections.

Benefit

Identity That Passes Review

Deploy within your boundary, bridge every protocol your mission runs, and produce audit-ready evidence for your accreditation package.

Sovereign Deployment

On-prem, GovCloud, classified enclave, or air-gapped. Duende runs where your auth allows.


Legacy & Modern Protocols

SAML, OIDC, and OAuth from the same deployment.


Assurance Levels, Covered

FIDO2 and passkeys, ACR/AMR-surfaced, with step-up challenges for sensitive APIs.


Source-Available and SBOM-Aligned

Security team inspectable and supply-chain auditable, ready for software-provenance mandates.


Inter-Agency Federation

Federation capability brokers OIDC and SAML across agency boundaries.

See Duende in Action - Build Financial-Grade Identity on .NET
