Decode a SAMLRequest or SAMLResponse from the Redirect or POST binding into readable XML. Runs entirely in your browser.
SAML is the XML standard behind much of single sign-on between identity providers and service providers. The messages, called SAMLRequest and SAMLResponse, travel base64-encoded and are often compressed, so they are unreadable as captured. This tool turns that encoded value back into formatted XML so you can inspect issuers, destinations, conditions, assertions and attributes while debugging SSO or reviewing a flow.
Input:
fVLL... (base64 SAMLResponse)
Output:
<samlp:Response> ... </samlp:Response>
Which bindings are supported?
Both the POST binding (plain base64 XML) and the Redirect binding (base64 of raw-DEFLATE XML) are supported. The binding is detected automatically, and URL-encoded values are handled too.
Can it decrypt encrypted assertions?
No. It decodes and decompresses the message, but EncryptedAssertion elements stay encrypted because that needs the service provider's private key.
Does it validate the signature?
No. This is a decoder for inspection. It does not verify XML signatures or trust.
Is anything uploaded?
No. Decoding and decompression run entirely in your browser.
The HTTP-POST binding base64-encodes the XML directly. The HTTP-Redirect binding base64-encodes raw-DEFLATE-compressed XML and URL-encodes it in the query string. This tool auto-detects both and pretty-prints the result.
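The decoding steps described above, as an added Python example (not this tool's own code). The function names, the size cap and the sample message are assumptions constructed for illustration.

```python
import base64
import binascii
import zlib
from urllib.parse import quote, unquote
from xml.dom import minidom

MAX_XML_BYTES = 1_000_000  # assumed cap so untrusted input cannot inflate without bound

def decode_saml(value):
    """Return (binding, xml) for a captured SAMLRequest/SAMLResponse value."""
    # Drop copy/paste line wraps, then URL-decode ('%' never occurs in base64 itself).
    value = unquote("".join(value.split()))
    try:
        raw = base64.b64decode(value, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from exc
    if raw.lstrip().startswith(b"<"):       # heuristic: POST binding carries the XML as-is
        return "POST", raw.decode("utf-8")
    inflater = zlib.decompressobj(-15)      # -15 = raw DEFLATE, no zlib/gzip header
    try:
        xml = inflater.decompress(raw, MAX_XML_BYTES)
    except zlib.error as exc:
        raise ValueError(f"neither XML nor raw DEFLATE: {exc}") from exc
    if not inflater.eof:
        raise ValueError("DEFLATE stream truncated or larger than the size cap")
    return "Redirect", xml.decode("utf-8")

def pretty(xml):
    """Indent the XML for reading; no signature or trust check is performed."""
    if "<!DOCTYPE" in xml:                  # SAML messages carry no DTD; refuse to parse one
        raise ValueError("DOCTYPE not allowed in a SAML message")
    return minidom.parseString(xml.encode("utf-8")).toprettyxml(indent="  ")

# Constructed sample message (not a real capture) and an encoder for both bindings.
SAMPLE_XML = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
              'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" '
              'Version="2.0" Destination="https://idp.example.com/sso">'
              '<saml:Issuer>https://sp.example.com/metadata</saml:Issuer></samlp:AuthnRequest>')

def encode(xml, redirect=False):
    data = xml.encode("utf-8")
    if redirect:
        c = zlib.compressobj(9, zlib.DEFLATED, -15)
        data = c.compress(data) + c.flush()
    return quote(base64.b64encode(data).decode("ascii"), safe="")

if __name__ == "__main__":
    for captured in (encode(SAMPLE_XML), encode(SAMPLE_XML, redirect=True)):
        binding, xml = decode_saml(captured)
        print(binding, pretty(xml), sep="\n")
```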