Migration
Move from Duende IdentityServer to Authagonal
Connect Authagonal to your Duende IdentityServer database, preview the full import, and bring your clients, scopes, users, roles, and federated providers across — and stop self-hosting your IdP.
Why teams switch
| Duende | Authagonal | |
|---|---|---|
| Operating model | You host, patch & scale it | Fully hosted & managed |
| SAML | Paid add-on on the license | Included |
| Admin portal & MFA | Build it yourself | Included |
| Audit logs | Build it yourself | Included |
| Upgrades & patches | Your responsibility | Handled for you |
| Licensing | $5,750/yr+ per environment | From $29/mo, or self-host free |
How the migration works
- 1
Connect the database
Paste a read-only connection string to your Duende configuration / ASP.NET Identity database. The connection is opened only long enough to preview or run the import.
- 2
Preview everything
See exactly how many clients, scopes, users, roles, federated providers, and API resources will import, with warnings for anything custom or unmapped.
- 3
Import in one click
Clients (including logout URIs, refresh-token semantics, and device-code lifetimes), API and identity scopes, users with their ASP.NET Identity password hashes, roles and assignments, and OIDC providers all come across.
- 4
Owner-ID reconciliation
If a portal owner’s email matches a Duende user, their ID is rotated to the Duende sub so downstream references keep resolving — with three-stage recovery if a step fails.
- 5
Cut over
Repoint your relying parties at Authagonal. Password hashes verify natively and rehash on first sign-in, so no user resets are required.
What comes across
- Clients & client secrets
- API & identity scopes
- API resources (flattened)
- Users & ASP.NET Identity hashes
- Roles & assignments
- External logins
- Federated OIDC providers
- Consent-screen branding (logo, URL)
The honest details
ASP.NET Identity V3 and legacy BCrypt password hashes verify natively in Authagonal and rehash on first sign-in — no user resets.
Disabled clients import disabled; expired client secrets are skipped with a warning so you know to rotate them.
Duende’s ApiResource layer is flattened onto Authagonal’s model — audiences land on clients, claims on scopes — preserving the effective token shape.
SAML identity providers are flagged for reconfiguration in the portal; OIDC providers import automatically.
Switch in an afternoon, not a quarter
Start a free trial, run a preview against your current setup, and import when you’re ready.