Like this tool?
Install byteflow.tools for faster startup and offline tool access.
Install guideLike this tool?
Install byteflow.tools for faster startup and offline tool access.
Install guideDecode SAML requests and responses locally, inspect assertions, attributes, audiences, recipients, and signature material without validating trust.
Decode SAML requests and responses locally to inspect assertions, issuer metadata, subject identifiers, conditions, attributes, and signature material before debugging IdP/SP integration issues.
It accepts raw XML, Base64 POST binding payloads, or URLs containing SAMLResponse or SAMLRequest parameters.
It extracts issuer, NameID, audience, recipient, destination, condition timestamps, attributes, signature count, and embedded certificate count.
It keeps the decoded XML visible for local review while making the summary table easier to scan during incident response.
It explicitly separates decoding from trust validation, so teams do not mistake parsed fields for a verified login decision.
POST binding payload
Base64 SAMLResponse copied from a browser form post.
Raw XML
<samlp:Response>...</samlp:Response>
URL parameter
https://sp.example.com/acs?SAMLResponse=...
Summary table
Issuer, NameID, audience, recipient, conditions, signatures, and certificates.
Attribute list
role=admin, department=engineering, email=alice@example.com
Decoded XML
Pretty reviewable XML for local inspection and redaction.
Compressed Redirect binding pasted as Base64
Use POST binding payload or raw XML for this MVP; compressed Redirect payloads are detected but not inflated.
Audience does not match SP entity ID
Compare the Audience value with your service provider configuration.
Recipient points to the wrong ACS URL
Check SubjectConfirmationData Recipient against the expected ACS endpoint.
Assertion appears expired
Review NotBefore and NotOnOrAfter with IdP and SP clocks in mind.
Treating decoded XML as verified
Use platform-level signature and trust validation before accepting any authentication result.
SAML Decoder is most effective when it produces a focused, reproducible evidence bundle that can be handed to the next engineer without extra cleanup.
Does this validate SAML signatures?
No. It decodes and summarizes SAML XML only; signature trust must be verified by your SAML runtime.
Can it read SAMLResponse form values?
Yes. Paste the Base64 value directly or a URL/query containing SAMLResponse.
Does it support compressed Redirect binding?
It detects likely compressed payloads and warns, but the MVP focuses on raw XML and Base64 POST binding.
Is the assertion uploaded?
No. Decoding and parsing happen locally in your browser.
What fields should I check first?
Issuer, audience, recipient, condition timestamps, NameID, and expected attributes usually explain most SSO mismatches.