SAML Decoder

Decode any base64 SAMLResponse or SAMLRequest in your browser. Inspect issuer, NameID, attributes, conditions, signature, and validity in one view.

SAML response decoder

Accepts the raw base64, an HTTP form parameter (SAMLResponse=...), or a URL-encoded query parameter. Nothing is uploaded; the decode and parse run in this tab.

How to use

  1. Paste a SAMLResponse or SAMLRequest value into the input. The tool accepts the raw base64, a full SAMLResponse=... form parameter, or a URL-encoded query string parameter from an HTTP-Redirect SSO URL.
  2. Pick the binding. HTTP-POST (base64 only) is what an IdP sends inside an auto-submitting form to the SP's ACS URL. HTTP-Redirect (base64 + DEFLATE) is what an SP sends to start SSO with the request inside the URL.
  3. Click Decode. The Summary view shows the document type, the IdP issuer, the SAML status with a plain-English meaning, the assertion Subject NameID, the SubjectConfirmation and Conditions windows, the AudienceRestriction, the AuthnContext, and every saml:Attribute with its values.
  4. Read the Validity checks section. Expired Conditions, expired SubjectConfirmation, missing AudienceRestriction, SHA-1 signature algorithms, and non-success status codes are flagged with the exact field that caused them.
  5. Switch to Pretty XML or Raw decoded XML to copy the underlying SAML document. Click Load sample to see a realistic signed Response with an email NameID, a group attribute with two values, and an RSA-SHA256 signature.

About this tool

SAML Decoder takes any base64-encoded SAMLResponse, SAMLRequest, AuthnRequest, LogoutRequest, or LogoutResponse and inspects it in the browser. It supports both SAML 2.0 bindings: the HTTP-POST binding (base64 only) and the HTTP-Redirect binding (base64 followed by raw DEFLATE compression). The decoder accepts the raw base64, a full SAMLResponse=... form parameter, or a URL-encoded query parameter as it appears in a browser address bar after an SSO redirect; URL decoding, base64 decoding, optional DEFLATE inflation through the browser's DecompressionStream, and XML parsing through DOMParser all happen locally.

The Summary view surfaces the document type, version, ID, IssueInstant, Destination, InResponseTo, the IdP Issuer entity URI, and the status code with a plain-English description of what each standard SAML status URN means (Success, Requester, Responder, AuthnFailed, NoPassive, NoAuthnContext, and the rest).

The Assertion card shows the assertion ID, the assertion Issuer, the Subject NameID with its Format (email address, persistent, transient, unspecified, kerberos, entity, and X509SubjectName) explained in human terms, the SubjectConfirmation Recipient and validity window, the Conditions NotBefore and NotOnOrAfter window, every Audience inside AudienceRestriction, the AuthnInstant, SessionIndex, SessionNotOnOrAfter, and the AuthnContextClassRef.

The Attributes card lists every saml:Attribute with its Name, NameFormat, optional FriendlyName, and one row per AttributeValue, so groups and role claims with multiple values are readable at a glance.

The Signature card reports which elements are signed (the Response, the Assertion, or both), the SignatureMethod algorithm (RSA-SHA256, RSA-SHA1, ECDSA-SHA256, and other XML-DSig algorithms) with weakness flags for SHA-1 based suites, the DigestMethod, the CanonicalizationMethod, and whether the IdP signing certificate is embedded inside KeyInfo / X509Data.

Validity checks flag the failures developers actually run into during SSO integration: an assertion whose Conditions window is already in the past or still in the future, a SubjectConfirmation that has already expired, a Response without an XML signature, a SignatureMethod still using SHA-1, a missing AudienceRestriction, and a status code that does not equal Success. The Pretty XML and Raw decoded XML tabs hand back the underlying XML so you can copy it into your IdP or SP test harness.

The decoder does not cryptographically verify the XML-DSig signature; that requires the IdP's signing certificate and XPath canonicalization that are out of scope for a one-shot inspector. SAML payloads carry personal information (NameID, emails, group memberships) and bearer credentials, so the tool never makes a network request: the input never leaves your browser tab.
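
The decode path for both bindings and several of the validity checks described above, reproduced offline in Python. This is an added example, not the tool's own code: it uses Python's zlib and ElementTree in place of the browser's DecompressionStream and DOMParser. The names `decode_saml` and `validity_findings`, the finding labels, and the trimmed sample Response are constructed for illustration.

```python
import base64, zlib, xml.etree.ElementTree as ET
from datetime import datetime
from urllib.parse import quote, unquote

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def decode_saml(value, binding="post"):
    """Accept raw base64, a SAMLResponse=... parameter, or a URL-encoded query string."""
    for name in ("SAMLResponse=", "SAMLRequest="):
        if name in value:
            value = value.split(name, 1)[1].split("&", 1)[0]
    raw = base64.b64decode("".join(unquote(value).split()))
    if binding == "redirect":  # raw DEFLATE, no zlib header; output capped at 1 MiB
        raw = zlib.decompressobj(-15).decompress(raw, 1 << 20)
    return raw.decode("utf-8")

def _ts(text):  # SAML timestamps are UTC with a trailing Z
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def validity_findings(xml_text, now):
    """Field-level checks only (now must be timezone-aware); no signature is verified."""
    root, out = ET.fromstring(xml_text), []
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is not None and status.get("Value") != SUCCESS:
        out.append("status:not-success")
    cond = root.find(".//saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            out.append("conditions:not-yet-valid")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            out.append("conditions:expired")
        if cond.find("saml:AudienceRestriction", NS) is None:
            out.append("audience:missing")
    methods = [m.get("Algorithm", "") for m in root.iterfind(".//ds:SignatureMethod", NS)]
    if not methods:
        out.append("signature:missing")
    if any(a.lower().endswith("sha1") for a in methods):
        out.append("signature:sha1")
    return out

# Constructed, trimmed sample (not a real IdP response): SHA-1 method, 5-minute window, no audience.
SAMPLE_XML = ('<samlp:Response xmlns:samlp="{samlp}" xmlns:saml="{saml}" xmlns:ds="{ds}"><samlp:Status>'
    '<samlp:StatusCode Value="{ok}"/></samlp:Status><saml:Assertion><ds:Signature><ds:SignedInfo>'
    '<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/></ds:SignedInfo>'
    '</ds:Signature><saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z"/>'
    '</saml:Assertion></samlp:Response>').format(**NS, ok=SUCCESS)
POST_VALUE = "SAMLResponse=" + quote(base64.b64encode(SAMPLE_XML.encode()).decode(), safe="")
REDIRECT_VALUE = quote(base64.b64encode(zlib.compress(SAMPLE_XML.encode())[2:-4]).decode(), safe="")
```

As with the tool, an empty findings list says nothing about authenticity, because the XML-DSig signature is never verified here.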

Free to use. Works in your browser. No signup, no login.
