SAML Encoder

What Is SAML Encoding?

SAML (Security Assertion Markup Language) is an XML-based standard used for Single Sign-On (SSO) between an Identity Provider (IdP) and a Service Provider (SP). When a user tries to access a service, the SP sends an AuthnRequest to the IdP asking for authentication.

For the HTTP Redirect binding, the SAML XML payload must be compressed and encoded before being appended to a URL as a query parameter. Raw XML is too large and contains too many special characters to place directly in a URL.

The Encoding Steps

1. Deflate (raw): The SAML XML string is compressed using the DEFLATE algorithm without the zlib wrapper (raw deflate). This reduces the size significantly for typical XML payloads.

2. Base64URL encode: The compressed bytes are Base64-encoded and then made URL-safe by replacing + with - and / with _. This produces a string that can be safely placed in a URL query parameter.

The result is appended to the IdP SSO URL as ?SAMLRequest=<encoded-value>.

When Is SAML Encoding Used?

Use this encoder when you are building or testing an SP implementation that initiates SSO via the HTTP Redirect binding. It is also useful when you need to manually construct a SAMLRequest URL to test an IdP endpoint, or when debugging a redirect loop where the SAMLRequest parameter needs to be re-encoded after modification.

Testing With an IdP

After encoding your SAML XML, append the result to your IdP's SSO endpoint URL: https://idp.example.com/sso?SAMLRequest=<encoded-value>. Tools like Okta, Azure AD, and OneLogin will accept this format for HTTP Redirect binding. Use the SAML Decoder to verify a round-trip by decoding the output back to the original XML.

Need more encoding tools? Try the full Encode & Decode suite.