Encrypt Online
Theme
Privacy Tool inputs are processed in your browser and are not sent to us.

SAML Decoder & Diagnostic Workbench

Decode SAML requests and responses, compare expected values, and inspect protocol details locally

Sensitive SAML data: A SAML message can contain a live bearer assertion, names, email addresses, group memberships, and session details. Prefer a redacted or test message. Inspection runs in this browser; input is not saved, uploaded, or added to the URL.
Decode and inspect one SAML messageRead structure, routing, timing, identity, and mismatch evidence without implying trust
Samples use invented domains and identities.
Auto accepts raw XML, Base64, and copied URL or form values.
Maximum input: 512 KiB. Nothing is fetched from a URL.
Optional exact mismatch checks Issuer, audience, ACS, request ID, and time skew
Allows for small clock differences; 180 seconds is the default.

Comparisons are exact. Audience checks allow alternatives within one restriction and require every restriction to match.

Decode SAML Requests, Responses, and Assertions

Paste raw SAML XML, an HTTP-POST Base64 value, an HTTP-Redirect SAMLRequest or SAMLResponse value, or a copied URL/form string. The workbench identifies the message shape and surfaces routing, status, conditions, assertions, NameID, attributes, encryption, and signature markers.

Diagnose a SAML Configuration Mismatch

Compare the observed issuer, audience, destination or recipient, ACS URL, correlation ID, and time window with the exact values configured by the identity provider and service provider. Keep audience identifiers separate from endpoint URLs: they serve different roles even when an installation happens to reuse a URL.

Signature Presence Is Not Signature Verification

A visible Signature element or Redirect Signature parameter only shows that signature material is present. Trust requires cryptographic verification over the correct bytes, an approved key or certificate, policy checks, and replay-safe application handling. This decoder does not perform those steps.

Handle SAML as Sensitive Data

SAML assertions can act as bearer credentials and can expose identity, group, role, and session information. Prefer test data or remove sensitive values before inspection. This page processes the pasted value locally and does not place it in browser storage, a URL, or a server request.

SAML Decoder FAQ
Why can a SAML response decode but still be rejected?

Decoding only establishes that the container and XML are readable. A service provider can still reject the message because of issuer, audience, destination, recipient, correlation, timing, status, signature, key, replay, or local policy checks.

Does “signature present” mean the SAML message is valid?

No. Presence is not cryptographic verification and does not establish certificate trust or identity-provider trust.

Why is InResponseTo sometimes absent?

An unsolicited identity-provider-initiated flow may not correlate to a prior authentication request. Treat absence as a mismatch only when your flow and service-provider policy require a specific request ID.