
SAML Response Decoder

Paste a base64-encoded SAML response or assertion and instantly see the decoded XML alongside a summary of the most important fields. Handles URL-encoded payloads and DEFLATE-compressed strings used by SAML’s HTTP-Redirect binding, all in your browser — nothing is uploaded.

How to use

  1. Capture the SAML response from your IdP — usually a hidden form field named SAMLResponse on the ACS POST, or the SAMLRequest query parameter for HTTP-Redirect.
  2. Paste the raw value into the input box. URL-encoding, DEFLATE compression and zlib/gzip wrappers are detected automatically.
  3. Read the Summary table for at-a-glance details: Issuer, NameID, NotBefore / NotOnOrAfter, Audience, Destination, SessionIndex and attribute statements.
  4. Use the formatted XML view (with copy and download buttons) for deeper inspection or to share with a colleague.

Features

  • Auto-detect encoding – Handles base64, URL-encoded base64, and DEFLATE-compressed payloads from the HTTP-Redirect binding without extra clicks.
  • Summary highlights – Surfaces NameID, Audience, Issuer, Status, Destination, NotBefore / NotOnOrAfter and SessionIndex so you can spot integration issues at a glance.
  • Validity check – Compares the assertion’s NotOnOrAfter against the current time and flags expired tokens.
  • Pretty-printed XML – Indented, syntax-highlighted output with copy and download actions.
  • Privacy first – All decoding happens locally in your browser. SAML responses never touch our servers.

FAQ

  1. What is SAML and how does it work?

    SAML (Security Assertion Markup Language) is an XML-based open standard for exchanging authentication and authorization data between an Identity Provider (IdP) and a Service Provider (SP). The IdP authenticates the user, then issues a signed XML assertion that the SP trusts to grant access — enabling Single Sign-On across independent web applications.

  2. What is the difference between a SAML Response and a SAML Assertion?

    A SAML Response is the outer envelope sent from the IdP to the SP and includes protocol-level metadata such as Status, Destination and InResponseTo. The SAML Assertion is the payload inside that response — it carries the actual identity claims: NameID, AuthnStatement, Conditions and AttributeStatement. A response can wrap one or more assertions.

  3. What do NotBefore and NotOnOrAfter mean in a SAML assertion?

    NotBefore and NotOnOrAfter are time-window attributes inside the Conditions element that define when an assertion is valid. The SP must reject any assertion presented before NotBefore or at/after NotOnOrAfter. The window is usually only a few minutes wide to limit replay attacks, which is why clock skew between IdP and SP is a common cause of SAML failures.

  4. What is the AudienceRestriction and why does it matter?

    AudienceRestriction names the intended Service Provider (the SP's entity ID) for the assertion. The SP must reject assertions whose Audience does not match its own configured entity ID. This binding prevents an assertion issued for one application from being replayed against another — even if both trust the same IdP.

  5. What is the difference between HTTP-Redirect and HTTP-POST bindings?

    HTTP-Redirect places the SAML message in a URL query string, so it must be DEFLATE-compressed and base64-encoded to fit. It is typically used for AuthnRequests sent from SP to IdP. HTTP-POST submits the message as a hidden form field, which has no size limit and does not require compression — it is the binding used for the SAML response back from IdP to SP.
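
The decoding path from the usage steps (URL-encoding, base64, DEFLATE or zlib/gzip wrappers) together with the Conditions checks from FAQ items 3 and 4, as an added Python example that is not this tool's own code. The function names, the `MAX_XML` cap, the `skew_s` tolerance and the sample message are assumptions made here; no signature is verified, so the extracted fields are suitable for troubleshooting only.

```python
import base64, zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
from urllib.parse import unquote

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}
MAX_XML = 1 << 20  # assumed 1 MiB cap on inflated size (decompression-bomb guard)
# Constructed sample, trimmed to the fields read below; not from a real IdP.
SAMPLE_XML = (b'<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol">'
    b'<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Issuer>https://idp.example'
    b'</Issuer><Subject><NameID>alice@example.com</NameID></Subject><Conditions'
    b' NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">'
    b'<AudienceRestriction><Audience>https://sp.example/saml</Audience>'
    b'</AudienceRestriction></Conditions></Assertion></Response>')

def decode_saml(value: str) -> bytes:
    """Return the XML bytes from a pasted SAMLResponse / SAMLRequest value."""
    # unquote() is a no-op on plain base64 because '%' is outside its alphabet
    raw = base64.b64decode("".join(unquote(value).split()))
    if raw.startswith((b"<", b"\xef\xbb\xbf<")):  # HTTP-POST: base64 of the XML itself
        return raw
    for wbits in (-15, 15, 31):  # raw DEFLATE (HTTP-Redirect), zlib wrapper, gzip wrapper
        try:
            d = zlib.decompressobj(wbits)
            xml = d.decompress(raw, MAX_XML)
        except zlib.error:
            continue
        if d.eof:  # stream ended within the cap; a truncated or oversized one never sets eof
            return xml
    raise ValueError("not XML, not DEFLATE/zlib/gzip, or inflates past MAX_XML")

def summarize(xml: bytes, sp_entity_id: str, now: datetime, skew_s: int = 120) -> dict:
    """Summary fields plus Conditions checks (now must be timezone-aware). No signature check."""
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:  # SAML messages never need a DTD
        raise ValueError("DTD or entity declaration rejected")
    root = ET.fromstring(xml)
    cond = root.find(".//a:Conditions", NS)
    def ts(name):  # a missing attribute means no bound on that side
        v = cond.get(name) if cond is not None else None
        return datetime.fromisoformat(v.replace("Z", "+00:00")) if v else None
    nb, noa, skew = ts("NotBefore"), ts("NotOnOrAfter"), timedelta(seconds=skew_s)  # assumed skew
    audiences = [(e.text or "").strip() for e in root.iterfind(".//a:Audience", NS)]
    return {
        "issuer": root.findtext(".//a:Issuer", namespaces=NS),
        "name_id": root.findtext(".//a:NameID", namespaces=NS),
        "audiences": audiences,
        "in_window": (nb is None or now >= nb - skew) and (noa is None or now < noa + skew),
        "audience_ok": sp_entity_id in audiences,
    }
```
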
