SAML Decoder & Diagnostic Workbench
Decode SAML requests and responses, compare expected values, and inspect protocol details locally
Optional exact mismatch checks
Comparisons are exact. Audience checks allow alternatives within one restriction and require every restriction to match.
Paste raw SAML XML, an HTTP-POST Base64 value, an HTTP-Redirect SAMLRequest or SAMLResponse value, or a copied URL/form string. The workbench identifies the message shape and surfaces routing, status, conditions, assertions, NameID, attributes, encryption, and signature markers.
Compare the observed issuer, audience, destination or recipient, ACS URL, correlation ID, and time window with the exact values configured by the identity provider and service provider. Keep audience identifiers separate from endpoint URLs: they serve different roles even when an installation happens to reuse a URL.
A visible Signature element or Redirect Signature parameter only shows that signature material is present. Trust requires cryptographic verification over the correct bytes, an approved key or certificate, policy checks, and replay-safe application handling. This decoder does not perform those steps.
SAML assertions can act as bearer credentials and can expose identity, group, role, and session information. Prefer test data or remove sensitive values before inspection. This page processes the pasted value locally and does not place it in browser storage, a URL, or a server request.
Why can a SAML response decode but still be rejected?
Decoding only establishes that the container and XML are readable. A service provider can still reject the message because of issuer, audience, destination, recipient, correlation, timing, status, signature, key, replay, or local policy checks.
Does “signature present” mean the SAML message is valid?
No. Presence is not cryptographic verification and does not establish certificate trust or identity-provider trust.
Why is InResponseTo sometimes absent?
An unsolicited identity-provider-initiated flow may not correlate to a prior authentication request. Treat absence as a mismatch only when your flow and service-provider policy require a specific request ID.