SAML Response Decoder
Guide
SAML Response Decoder
Paste a base64-encoded SAML response or assertion and instantly see the decoded XML alongside a summary of the most important fields. Handles URL-encoded payloads and DEFLATE-compressed strings used by SAML’s HTTP-Redirect binding, all in your browser — nothing is uploaded.
Comment utiliser
- Capture the SAML response from your IdP — usually a hidden form field named
SAMLResponseon the ACS POST, or theSAMLRequestquery parameter for HTTP-Redirect. - Paste the raw value into the input box. URL-encoding, DEFLATE compression and zlib/gzip wrappers are detected automatically.
- Read the Summary table for at-a-glance details: Issuer, NameID, NotBefore / NotOnOrAfter, Audience, Destination, SessionIndex and attribute statements.
- Use the formatted XML view (with copy and download buttons) for deeper inspection or to share with a colleague.
Caractéristiques
- Auto-detect encoding – Handles base64, URL-encoded base64, and DEFLATE-compressed payloads from the HTTP-Redirect binding without extra clicks.
- Summary highlights – Surfaces NameID, Audience, Issuer, Status, Destination, NotBefore / NotOnOrAfter and SessionIndex so you can spot integration issues at a glance.
- Validity check – Compares the assertion’s NotOnOrAfter against the current time and flags expired tokens.
- Pretty-printed XML – Indented, syntax-highlighted output with copy and download actions.
- Première confidentialité – All decoding happens locally in your browser. SAML responses never touch our servers.
FAQ
-
What is SAML and how does it work?
SAML (Security Assertion Markup Language) is an XML-based open standard for exchanging authentication and authorization data between an Identity Provider (IdP) and a Service Provider (SP). The IdP authenticates the user, then issues a signed XML assertion that the SP trusts to grant access — enabling Single Sign-On across independent web applications.
-
What is the difference between a SAML Response and a SAML Assertion?
A SAML Response is the outer envelope sent from the IdP to the SP and includes protocol-level metadata such as Status, Destination and InResponseTo. The SAML Assertion is the payload inside that response — it carries the actual identity claims: NameID, AuthnStatement, Conditions and AttributeStatement. A response can wrap one or more assertions.
-
What do NotBefore and NotOnOrAfter mean in a SAML assertion?
NotBefore and NotOnOrAfter are time-window attributes inside the Conditions element that define when an assertion is valid. The SP must reject any assertion presented before NotBefore or at/after NotOnOrAfter. The window is usually only a few minutes wide to limit replay attacks, which is why clock skew between IdP and SP is a common cause of SAML failures.
-
What is the AudienceRestriction and why does it matter?
AudienceRestriction names the intended Service Provider (the SP's entity ID) for the assertion. The SP must reject assertions whose Audience does not match its own configured entity ID. This binding prevents an assertion issued for one application from being replayed against another — even if both trust the same IdP.
-
What is the difference between HTTP-Redirect and HTTP-POST bindings?
HTTP-Redirect places the SAML message in a URL query string, so it must be DEFLATE-compressed and base64-encoded to fit. It is typically used for AuthnRequests sent from SP to IdP. HTTP-POST submits the message as a hidden form field, which has no size limit and does not require compression — it is the binding used for the SAML response back from IdP to SP.
Installez nos extensions
Ajoutez des outils IO à votre navigateur préféré pour un accès instantané et une recherche plus rapide
恵 Le Tableau de Bord Est Arrivé !
Tableau de Bord est une façon amusante de suivre vos jeux, toutes les données sont stockées dans votre navigateur. D'autres fonctionnalités arrivent bientôt !
Outils essentiels
Tout voir Nouveautés
Tout voirMise à jour: Notre dernier outil a été ajouté le 9 mai 2026
Impliquez-vous
Aidez-nous à continuer à fournir des outils gratuits et précieux
