Introducing the next era of Duende IdentityServer.

Read our CEO’s announcement
Start for Free

One Protocol Bridge. Two-Way SAML.

Native SAML 2.0 in both directions. Provide SAML SSO to downstream partners and accept SAML assertions from upstream enterprise IdPs, all from the IdentityServer your team already controls.


View Documentation View Pricing & Tiers
digital star graphic

Bridging the Identity Divide

Replace your third-party SAML extension or custom SAML code with a first-party, add-on module that covers both Identity Provider (IdP) and Service Provider (SP) roles. Issue assertions to downstream apps like Salesforce and Workday; accept them from upstream IdPs like Active Directory Federation Services (ADFS), Okta, and Ping. Bridges SAML and OIDC in either direction. Self-hosted, air-gap compatible, version-matched. One vendor, one roadmap, one support contract.

SAML 2.0 Identity Provider (IdP)

Issue SAML assertions to downstream service providers like Salesforce, Workday, internal portals, legacy apps. SP-Initiated and IdP-Initiated SSO, Single Logout (SLO), and a SAML metadata endpoint.

SAML 2.0 Service Provider (SP)

Accept SAML assertions from upstream enterprise IdPs like ADFS, Ping, Okta SAML to onboard partner and customer organizations. Request signature validation and inbound federation. All native to Duende IdentityServer v8.

Bi-directional Protocol Bridging

Authenticate users upstream via OIDC and issue SAML assertions to downstream apps. Or accept SAML upstream and translate to OIDC for modern clients. One programming model, no parallel identity systems.

Capabilities

The SAML add-on matches your deployment and integrates natively with Duende IdentityServer v8.

  • SAML IdP: Provide SAML to downstream service providers. SP-Initiated and IdP-Initiated SSO, Single Logout.
  • SAML SP: Consume SAML from upstream enterprise IdPs. Accept assertions from ADFS, Ping, Okta SAML. Request signature validation, SAML metadata endpoint.
  • Deployment: Self-hosted, air-gapped, SDK-based. Suitable for HRI and data-sensitive environments. Fully opt-in, no impact to existing deployments.
  • Support: First-party and commercially supported. Version-matched to IdentityServer release cycle. No third-party extension to maintain across upgrades.

Both capabilities are included as a single add-on - bidirectional SAML in one license.

digital mountain graphic digital mountain graphic
digital mountain graphic

How to Get It

First-party SAML 2.0 IdP and SP capabilities are available as a capability of Duende IdentityServer across eligible tiers:

View Documentation View Pricing & Tiers

Tier

Availability

Community Edition Not available
Lite Not available
Standard Add-on, $4,000 flat fee
Advanced Included
Custom Included

See the IdentityServer pricing page for full tier details.