
Identity Provider and Service Provider

IdentityServer can participate in SAML 2.0 in two distinct roles: as an Identity Provider, or as a Service Provider. Understanding which role you need determines which part of the documentation to follow.

Most deployments use one role or the other, but both can be active at the same time.

When IdentityServer acts as an Identity Provider (IdP), it issues SAML assertions to Service Providers. Service Providers redirect users to IdentityServer for authentication, and IdentityServer returns a signed SAML assertion confirming the user’s identity.

This is the most common setup. You configure IdentityServer to trust one or more SPs, and those SPs delegate authentication to IdentityServer.

When IdentityServer acts as a Service Provider (SP), it consumes SAML assertions from an external IdP. IdentityServer redirects users to the external IdP for authentication, then validates the returned assertion (its signature, issuer, audience and validity window) before using it to establish a local session.

This is useful when you need to federate with enterprise systems like ADFS or Shibboleth. In this setup, IdentityServer is a consumer of SAML, not a producer.