Developer Tools

SAML Decoder

Decode SAML Requests and Responses from Base64 (with optional deflate) to readable XML

Note: This tool decodes SAML data but does not verify XML digital signatures. Do not trust decoded data without proper signature verification using the IdP certificate.

About this saml decoder

The SAML decoder converts Base64-encoded SAML Requests and Responses into readable XML. It can handle the optional DEFLATE encoding commonly used with HTTP-Redirect binding and extracts useful fields and assertion attributes for troubleshooting.

How to use the saml decoder

  1. Copy the SAMLRequest or SAMLResponse value, without the surrounding form field name.
  2. Paste it into the decoder and select Decode.
  3. Inspect the message type, issuer, destination, audience, timestamps, attributes, and decoded XML.

Important details

Decoding is not signature verification

Readable XML is not proof that a SAML message is authentic. A service provider must verify the XML signature with a trusted IdP certificate and enforce destination, recipient, audience, InResponseTo, time, and replay protections.

Treat assertions as sensitive

SAML assertions can contain names, email addresses, group membership, session identifiers, and other security-sensitive attributes. This tool processes input locally, but you should still avoid sharing decoded production assertions unnecessarily.

Frequently asked questions

Why does a SAMLRequest sometimes need decompression?

HTTP-Redirect binding commonly DEFLATE-compresses the XML before Base64 and URL encoding. HTTP-POST binding generally sends Base64-encoded XML without DEFLATE.

Can this page prove that a SAML response is safe?

No. Use a SAML library configured with trusted metadata and strict validation rules for authentication decisions.

References: OASIS SAML 2.0 technical overview

Share this tool

Send the direct link or post it to your network.