LowercaseOnline — Free Online Text Tools

SAML Decoder

Decode and inflate Base64-encoded SAML assertions to inspect SSO payloads.

When to Use the SAML Decoder

SAML assertions and requests travel as Base64-encoded, deflate-compressed XML strings. They appear in browser network traffic, server logs, and SSO error reports — but are unreadable until decoded. This tool reverses the encoding so you can inspect the raw XML.

Common Debugging Scenarios

Debugging SSO login failures: Capture the SAMLRequest or SAMLResponse query parameter from your browser's developer tools or a SAML tracer extension, paste it here, and read the XML to find the cause of the failure.

Inspecting AuthnRequests: Service Providers send an AuthnRequest to the Identity Provider to initiate login. Decoding it reveals the requested AssertionConsumerServiceURL, Issuer, and any RequestedAuthnContext requirements.

Reading SAML Responses: The IdP sends back a SAMLResponse containing a signed assertion. Decoding it lets you read the NameID, attribute statements, and validity conditions without needing special tooling.

What to Look for in Decoded SAML

Issuer: The <Issuer> element identifies who sent the message — the SP entity ID in requests, the IdP entity ID in responses.

NameID: Found in SAML responses, the <NameID> is the unique identifier for the authenticated user (often an email address or opaque ID).

Attributes: The <AttributeStatement> block contains user attributes passed from the IdP (name, email, groups, roles, etc.).

Conditions: The <Conditions> block specifies the time window during which the assertion is valid (NotBefore and NotOnOrAfter). Clock skew between IdP and SP is a common source of failures.

Status: In a SAML Response, the <StatusCode> value tells you if the authentication succeeded (urn:oasis:names:tc:SAML:2.0:status:Success) or failed, and why.
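The decoding step and the checklist above can be reproduced offline, as in this added example (it is not the tool's own code). The function names, the 1 MB inflate cap, the 3-minute skew tolerance and the sample message are assumptions made for the example, and it goes slightly beyond the text by also accepting values that were Base64-encoded without compression.

```python
import base64, zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol", "a": "urn:oasis:names:tc:SAML:2.0:assertion"}

def decode_saml(param, limit=1_000_000):
    raw = base64.b64decode(unquote(param))       # undo URL-encoding, then Base64
    inflater = zlib.decompressobj(-15)           # raw DEFLATE, no zlib header
    try:
        out = inflater.decompress(raw, limit)    # cap output size: untrusted input
        raw = out if inflater.eof else raw       # complete stream: it was deflated
    except zlib.error:
        pass                                     # payload was Base64 only
    xml = raw.decode("utf-8")                    # fails on an over-limit payload
    if "<!DOCTYPE" in xml or "<!ENTITY" in xml:  # SAML messages carry no DTD
        raise ValueError("DTD found; refusing to parse")
    return xml

def summarize(xml, now=None, skew=timedelta(minutes=3)):
    """Extract the fields listed above. Read-only: no signature verification."""
    root = ET.fromstring(xml)
    now = now or datetime.now(timezone.utc)
    ts = lambda v: datetime.fromisoformat(v.replace("Z", "+00:00"))
    status = root.find("p:Status/p:StatusCode", NS)
    cond, window = root.find(".//a:Conditions", NS), None
    if cond is not None:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        window = ("not yet valid" if nb and now < ts(nb) - skew
                  else "expired" if na and now >= ts(na) + skew else "ok")
    return {
        "message": root.tag.split("}")[-1],      # Response, AuthnRequest, ...
        "issuer": root.findtext("a:Issuer", namespaces=NS),
        "name_id": root.findtext(".//a:NameID", namespaces=NS),
        "status": status.get("Value") if status is not None else None,
        "window": window,
        "attributes": {a.get("Name"): [v.text for v in a.findall("a:AttributeValue", NS)]
                       for a in root.iterfind(".//a:Attribute", NS)},
    }

SAMPLE_XML = (f'<p:Response xmlns:p="{NS["p"]}" xmlns:a="{NS["a"]}">'  # constructed sample
    '<a:Issuer>https://idp.example.test</a:Issuer>'
    '<p:Status><p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></p:Status>'
    '<a:Assertion><a:Subject><a:NameID>alice@example.test</a:NameID></a:Subject>'
    '<a:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z"/>'
    '<a:AttributeStatement><a:Attribute Name="groups"><a:AttributeValue>admins</a:AttributeValue>'
    '</a:Attribute></a:AttributeStatement></a:Assertion></p:Response>')
if __name__ == "__main__":
    print(summarize(decode_saml(base64.b64encode(SAMPLE_XML.encode()).decode())))
```

The `window` value separates a `not yet valid` or `expired` assertion from a valid one, which is the clock-skew failure described under Conditions; a decoded message that reads cleanly here has still not had its signature checked.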
