IdentityServer v8.0.0

Released: Jun 2, 2026

Updates in v8.0.0

Features

  • SAML 2.0 Identity Provider
    • IdentityServer can now act as a full SAML 2.0 Identity Provider, allowing enterprise and legacy applications that require SAML to authenticate against your server alongside OpenID Connect clients. It supports:
      • SP-initiated SSO via HTTP-Redirect and HTTP-POST bindings.
      • Single Logout (SLO) with front-channel notifications.
      • Per-SP assertion signing.
      • NameID format support.
      • AuthnContext class mapping and per-SP claim mappings.
      • Metadata endpoint.
    • Your existing login UI requires only a small update to the cancellation path.
  • SAML 2.0 External Authentication - IdentityServer can now federate with external SAML 2.0 Identity Providers, letting you use a third-party SAML IdP as an upstream identity source - the same way you'd add Google or Microsoft Entra ID as an external provider. Configure SAML external providers statically or dynamically using the existing dynamic providers mechanism.
  • Financial-Grade Security & Conformance Report - A new Duende.IdentityServer.ConformanceReport package assesses your IdentityServer deployment against OAuth 2.1 and FAPI 2.0 Security Profile specifications and generates an HTML report at a protected endpoint (/_duende/conformance-report). Use it to verify your server is correctly configured for high-security API scenarios.
  • User Management - IdentityServer now integrates with Duende User Management which adds user registration, password management, MFA (TOTP, passkeys), account recovery, and more.
  • Token Cleanup Performance - The token cleanup service now uses a more efficient bulk delete strategy when IOperationalStoreNotification is not registered, reducing database load in high-throughput deployments. MySQL EF Core provider compatibility for PAR entry cleanup is also restored.
  • Orphaned Grants Revoked on Session Overwrite - When a server-side session is overwritten (for example, when a user signs in again without signing out first), refresh tokens belonging to the prior session are now automatically revoked. This prevents stale grants from accumulating and remaining valid after re-authentication.
  • Quieter Secret Validation Logging - Expected-failure log entries in client and API secret validation have been downgraded from Error to Debug. This reduces noise in production logs where failed secret lookups are a normal part of the secret hashing comparison process.
  • Relaxed Audience Validation - Audience validation for private key JWT authentication in strict mode now accepts single-element JSON arrays in addition to scalar string values, improving compatibility with tokens from issuers that always serialize audiences as arrays.
  • HTTP 303 Redirects - All redirects from IdentityServer's authorization endpoint now unconditionally use HTTP 303 See Other, aligning with the OAuth 2.0 and OpenID Connect specifications and avoiding issues with intermediaries that treat 302 redirects differently.
  • Unified Authorization Context - SAML and OpenID Connect flows now share the same IAuthenticationContext abstraction. Your login page can access protocol-specific context - including SAML-specific details such as RequestedAuthnContext - through a single consistent interface.
  • License Key from IConfiguration - The IdentityServer license key can now be provided through standard .NET configuration sources such as appsettings.json, environment variables, or a secrets manager, making deployment configuration simpler and more consistent with other .NET settings.
  • AuthorizeInteractionPageHttpWriter Now Public - The AuthorizeInteractionPageHttpWriter class is now part of the public API, giving you full control over how IdentityServer writes authorization interaction responses without relying on internal implementation details.
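To make the Financial-Grade Security & Conformance Report item above more concrete, here is an added illustration of the kind of checks such a report runs over a single client registration. This is not the Duende.IdentityServer.ConformanceReport package's code: the dictionary keys (allowed_grant_types, require_pkce, require_pushed_authorization, require_dpop, mtls_sender_constrained, client_auth_methods) and the rule ids are an assumed schema of our own, and both sample clients are constructed. The rules themselves are the ones OAuth 2.1 and the FAPI 2.0 Security Profile actually impose: no implicit or password grant, PKCE for the authorization code grant, exact redirect URI matching with https outside loopback, pushed authorization requests, sender-constrained tokens and asymmetric client authentication.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Added illustration of conformance checks over a client registration.
# Not the ConformanceReport package's code: dict keys and rule ids below are
# our own assumed schema, and the sample clients are constructed.


@dataclass(frozen=True)
class Finding:
    profile: str   # specification the rule belongs to
    rule: str      # short rule id (our own naming)
    detail: str


# Plain-http redirect URIs are only acceptable on loopback interfaces (native apps).
LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost"}


def _redirect_uri_findings(uris):
    """OAuth 2.1 compares redirect URIs by exact string match, so wildcards are
    out, and non-loopback redirect URIs must use https."""
    for uri in uris:
        parsed = urlparse(uri)
        if "*" in uri:
            yield Finding("OAuth 2.1", "exact-redirect-match", f"wildcard in redirect URI {uri}")
        elif parsed.scheme == "http" and parsed.hostname not in LOOPBACK_HOSTS:
            yield Finding("OAuth 2.1", "https-redirect", f"non-loopback redirect URI {uri} uses plain http")


def assess_client(client: dict) -> list:
    """Return every OAuth 2.1 / FAPI 2.0 finding for one client registration."""
    findings = []
    grants = set(client.get("allowed_grant_types", ()))

    # OAuth 2.1 drops the implicit and resource-owner-password grants outright
    # and makes PKCE mandatory for the authorization code grant.
    if "implicit" in grants:
        findings.append(Finding("OAuth 2.1", "no-implicit", "implicit grant is enabled"))
    if "password" in grants:
        findings.append(Finding("OAuth 2.1", "no-ropc", "resource owner password grant is enabled"))
    if "authorization_code" in grants and not client.get("require_pkce", False):
        findings.append(Finding("OAuth 2.1", "pkce-required", "authorization code grant without PKCE"))
    findings.extend(_redirect_uri_findings(client.get("redirect_uris", ())))

    # FAPI 2.0 Security Profile for authorization code clients: pushed authorization
    # requests, sender-constrained access tokens (DPoP or mTLS) and asymmetric
    # client authentication instead of shared secrets.
    if "authorization_code" in grants:
        if not client.get("require_pushed_authorization", False):
            findings.append(Finding("FAPI 2.0", "par-required", "pushed authorization requests are not required"))
        if not (client.get("require_dpop", False) or client.get("mtls_sender_constrained", False)):
            findings.append(Finding("FAPI 2.0", "sender-constrained-tokens",
                                    "access tokens are bearer-only (no DPoP or mTLS binding)"))
        shared = {"client_secret_basic", "client_secret_post"} & set(client.get("client_auth_methods", ()))
        if shared:
            findings.append(Finding("FAPI 2.0", "strong-client-auth",
                                    f"shared-secret client authentication enabled: {sorted(shared)}"))
    return findings


def rule_ids(client: dict) -> set:
    """Just the ids of the rules a client violates."""
    return {f.rule for f in assess_client(client)}


# Constructed sample registrations (not real clients).
LEGACY_CLIENT = {
    "client_id": "legacy-spa",
    "allowed_grant_types": ["authorization_code", "implicit"],
    "require_pkce": False,
    "redirect_uris": ["http://app.example.test/callback", "https://*.example.test/cb"],
    "client_auth_methods": ["client_secret_post"],
}

HARDENED_CLIENT = {
    "client_id": "bank-api-client",
    "allowed_grant_types": ["authorization_code"],
    "require_pkce": True,
    "redirect_uris": ["https://app.example.test/callback"],
    "require_pushed_authorization": True,
    "require_dpop": True,
    "client_auth_methods": ["private_key_jwt"],
}

if __name__ == "__main__":
    for f in assess_client(LEGACY_CLIENT):
        print(f"[{f.profile}] {f.rule}: {f.detail}")
    print("hardened client findings:", assess_client(HARDENED_CLIENT))
```

Running it lists seven findings for the legacy registration and none for the hardened one; a native client with an http://127.0.0.1 redirect URI passes the redirect checks because loopback is the one place OAuth 2.1 still permits plain http.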
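The Relaxed Audience Validation item above is easiest to see in code. The following is an added example of the claim checks a token endpoint applies to a private_key_jwt client assertion, with the strict-mode audience rule written out: a scalar string or a single-element JSON array is accepted, a longer array is not. It is not IdentityServer's code and it assumes the assertion's signature has already been verified against the client's registered key; the client id, issuer URL, audiences and timestamps are constructed values.

```python
import time

# Added example of client-assertion claim validation (RFC 7523 section 3) with
# the strict-mode audience rule. Not IdentityServer's code; assumes the JWT
# signature was verified earlier, and every value below is constructed.


class AssertionRejected(ValueError):
    """Raised when a client assertion fails validation."""


def audience_values(aud, strict):
    """Normalise the 'aud' claim to a list of strings.

    Strict mode accepts a scalar string or a one-element array (the relaxed
    rule); any other array length is rejected so one assertion cannot be
    minted for several servers at once. Lenient mode accepts any non-empty
    array of strings."""
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and aud and all(isinstance(a, str) for a in aud):
        if strict and len(aud) != 1:
            raise AssertionRejected("strict mode requires exactly one audience value")
        return list(aud)
    raise AssertionRejected("aud must be a string or a non-empty array of strings")


def validate_client_assertion(claims, client_id, expected_audiences, *,
                              strict=True, now=None, seen_jti=None):
    """Check iss/sub, aud, exp and jti of an already signature-verified
    assertion. Returns the accepted jti or raises AssertionRejected."""
    now = time.time() if now is None else now
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        raise AssertionRejected("iss and sub must both equal the client_id")
    if not any(a in expected_audiences for a in audience_values(claims.get("aud"), strict)):
        raise AssertionRejected("aud does not identify this authorization server")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise AssertionRejected("assertion is expired or has no exp")
    jti = claims.get("jti")
    if not isinstance(jti, str) or not jti:
        raise AssertionRejected("jti is required")
    # Replay protection: a jti may be presented once within its lifetime.
    if seen_jti is not None:
        if jti in seen_jti:
            raise AssertionRejected("jti already used (replay)")
        seen_jti.add(jti)
    return jti


# Constructed values for the examples below.
CLIENT_ID = "constructed-client"
ISSUER = "https://idp.example.test"
EXPECTED_AUDIENCES = {ISSUER, ISSUER + "/connect/token"}
NOW = 1_000_000


def sample(aud, jti="jti-1"):
    """Build a constructed claim set with the given aud value."""
    return {"iss": CLIENT_ID, "sub": CLIENT_ID, "aud": aud, "exp": NOW + 300, "jti": jti}


def outcome(claims, strict=True, seen_jti=None):
    """'ok' when the assertion is accepted, otherwise the rejection reason."""
    try:
        validate_client_assertion(claims, CLIENT_ID, EXPECTED_AUDIENCES,
                                  strict=strict, now=NOW, seen_jti=seen_jti)
        return "ok"
    except AssertionRejected as e:
        return str(e)


if __name__ == "__main__":
    print("scalar aud, strict:      ", outcome(sample(ISSUER)))
    print("1-element array, strict: ", outcome(sample([ISSUER])))
    print("2-element array, strict: ", outcome(sample([ISSUER, "https://other.example.test"])))
    print("2-element array, lenient:", outcome(sample([ISSUER, "https://other.example.test"]), strict=False))
```

The difference between strict and lenient mode is confined to audience_values: strict mode still refuses a multi-valued aud, which is what keeps an assertion bound to one server, while the one-element array form that some issuers always emit no longer trips it.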

Fixes

  • Backchannel Logout Fix - Resolved an issue where backchannel logout notifications could be sent twice for the same session.