SAML Response Decoder

Decode Base64-encoded SAML 2.0 responses to inspect assertions, attributes, conditions, and signature details

Paste the SAMLResponse value from your IdP POST (Base64) or the decoded SAML XML

What is the SAML Response Decoder?

The SAML Response Decoder is a client-side tool that decodes Base64-encoded SAML 2.0 responses and extracts key information including assertions, attributes, conditions, authentication statements, and digital signature details — all without transmitting your sensitive authentication data anywhere.

How to Use

  1. Open your browser's developer tools and navigate to the Network tab
  2. Trigger a SAML login flow and find the POST to your ACS URL
  3. Copy the SAMLResponse parameter value (Base64-encoded)
  4. Paste it into the input field and click "Decode"
  5. Review the extracted assertions, attributes, and conditions

Example: SAML Response Structure

A typical SAML response contains these key elements:

<samlp:Response ID="_abc123" IssueInstant="2024-01-15T10:30:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion>
    <saml:Subject>...</saml:Subject>
    <saml:Conditions>...</saml:Conditions>
    <saml:AttributeStatement>...</saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>

What Information Is Extracted?

  • Response metadata — ID, IssueInstant, Destination, Status code
  • Issuer — The Identity Provider that created the response
  • Subject — NameID, format, confirmation method and data
  • Conditions — Validity window (NotBefore/NotOnOrAfter), audience restrictions
  • AuthnStatement — Session details, authentication context class
  • Attributes — User attributes released by the IdP (email, name, groups)
  • Signature — Algorithm, digest method, reference URI, certificate presence

Common SAML Debugging Scenarios

  • Login failures — Check the Status code for error details
  • Missing user info — Verify attributes are present in the assertion
  • Expired assertions — Compare Conditions timestamps with current time
  • Wrong audience — Ensure AudienceRestriction matches your SP entity ID
  • Signature issues — Confirm signature algorithm and certificate presence
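As an added example (not the tool's own code, which runs in the browser on DOMParser), the extraction from the "What Information Is Extracted?" list and the checks from the scenarios above, written in Python with only the standard library: it decodes a constructed SAMLResponse value, pulls out the fields the decoder displays, and reports which scenario applies. The function names and the sample response are assumptions, and timestamps are assumed to be whole-second UTC.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample response (not a real IdP capture), following the structure shown on this page.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 ID="_abc123" IssueInstant="2024-01-15T10:30:00Z"><saml:Issuer>https://idp.example.com</saml:Issuer>
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
<saml:Assertion ID="_a1"><saml:Issuer>https://idp.example.com</saml:Issuer><ds:Signature><ds:SignedInfo>
 <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/></ds:SignedInfo></ds:Signature>
<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
<saml:Conditions NotBefore="2024-01-15T10:25:00Z" NotOnOrAfter="2024-01-15T10:35:00Z">
<saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
</saml:Conditions><saml:AttributeStatement>
<saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="groups"><saml:AttributeValue>admins</saml:AttributeValue><saml:AttributeValue>devs</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion></samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()  # what the SAMLResponse POST field carries

def decode_response(data):
    text = data.strip()  # auto-detect: raw XML starts with '<', anything else is treated as Base64
    if not text.startswith("<"):
        text = base64.b64decode(text).decode("utf-8")
    return ET.fromstring(text)  # stdlib expat parser; it does not fetch external entities

def extract(root):
    a = root.find("saml:Assertion", NS)
    cond = a.find("saml:Conditions", NS)
    sig = a.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    return {"status": root.find("samlp:Status/samlp:StatusCode", NS).get("Value"),
            "issuer": root.findtext("saml:Issuer", namespaces=NS),
            "name_id": a.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "not_before": cond.get("NotBefore"), "not_on_or_after": cond.get("NotOnOrAfter"),
            "audiences": [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)],
            "attributes": {t.get("Name"): [v.text for v in t.findall("saml:AttributeValue", NS)]
                           for t in a.findall("saml:AttributeStatement/saml:Attribute", NS)},
            "sig_alg": sig.get("Algorithm") if sig is not None else None}

def debug_checks(info, sp_entity_id, now):
    """The checks behind the debugging scenarios above; 'now' is a UTC timestamp string like the assertion's."""
    ts = lambda s: datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")  # whole-second UTC assumed
    checks = [("login failure: " + info["status"], info["status"].endswith(":Success")),
              ("assertion outside validity window",
               ts(info["not_before"]) <= ts(now) < ts(info["not_on_or_after"])),
              ("wrong audience: " + ", ".join(info["audiences"]), sp_entity_id in info["audiences"]),
              ("no attributes released", bool(info["attributes"])),
              ("no signature present", info["sig_alg"] is not None)]
    return [msg for msg, ok in checks if not ok]
```

Note that, like the tool, this only reports whether a signature element and algorithm are present; it does not verify the signature.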

Privacy and Security

All decoding happens entirely in your browser using the native DOMParser API. Your SAML responses — which contain authentication assertions, personal identity attributes, and session information — are never transmitted to any server. No data is stored, logged, or shared.

Frequently Asked Questions

What does the SAML Response Decoder do?

It decodes Base64-encoded SAML 2.0 responses and extracts key elements: assertions, attributes, conditions (NotBefore/NotOnOrAfter), subject (NameID), authentication statements, and digital signature information. You can also paste raw SAML XML directly.

Is my SAML response sent to a server?

No. All decoding and parsing happens entirely in your browser using JavaScript and the browser-native DOMParser API. Your SAML response — which often contains authentication credentials and personal identity attributes — never leaves your device.

What input format does the tool accept?

The tool accepts both Base64-encoded SAML responses (as received from an Identity Provider via the SAMLResponse POST parameter) and raw SAML XML. It automatically detects the format and decodes accordingly.

What SAML elements are extracted?

The tool extracts: Response metadata (ID, IssueInstant, Destination, Status), Issuer, Assertions with their Subject (NameID, confirmation method), Conditions (validity window, audience restrictions), AuthnStatement (session details, authentication context), Attributes (name, values, format), and Signature details (algorithm, digest method, certificate presence).

How do I get the SAML response to decode?

Use your browser's developer tools: open the Network tab, trigger a SAML login, and look for a POST request to your Service Provider's ACS (Assertion Consumer Service) URL. The SAMLResponse parameter in the form data is the Base64-encoded value you can paste into this tool.

Can this tool validate SAML signatures?

No. This tool decodes and displays signature information (algorithm, digest method, reference URI, certificate presence) but does not perform cryptographic signature validation. Signature verification requires the Identity Provider's public key and should be done server-side in your application.

What is the difference between SAML and JWT?

SAML (Security Assertion Markup Language) uses XML and is typically used in enterprise Single Sign-On (SSO) flows between Identity Providers and Service Providers. JWT (JSON Web Token) uses JSON and is more common in API authentication. SAML responses are larger and more complex, but provide richer identity assertions.

Why does my SAML response have no attributes?

Attribute release depends on the Identity Provider configuration. The IdP must be configured to include specific attributes (email, name, groups, etc.) in the assertion. Check your IdP's attribute mapping or attribute release policies.

What is the maximum input size?

The tool warns when input exceeds 500KB and rejects input larger than 5MB. Most SAML responses are under 50KB. Extremely large responses may indicate excessive attribute release or embedded certificates.