SAML Decoder Workbench

Decode SAML Requests, Responses, and Assertions into Readable XML

This SAML decoder is built for SSO troubleshooting and message inspection rather than generic text decoding. The current workbench accepts deflated and Base64-encoded SAML content, lets you load a sample, clear the input, swap directions with the encoder workflow, and then convert the message into readable XML. The decoded results are shown in separate output areas so you can inspect the deflated XML layer and the final SAML message, then copy or download the XML when you need it elsewhere.

That makes the page useful for debugging identity-provider and service-provider integrations, checking attributes and audience values, validating timestamps and conditions, and learning what is actually inside a captured SAMLRequest or SAMLResponse. It is a fast bridge between an opaque browser or log payload and something a human can inspect.

Key Features

• Dedicated SAML decoding workflow for messages commonly captured from browser redirects or POST bodies.
• Sample, clear, convert, and swap controls that make it easier to move between real payloads and quick test cases.
• Separate output areas for decoded layers so the message is easier to inspect and reuse.
• Copy and download actions for decoded XML when you need to hand it to another tool or teammate.
• Good fit for SSO debugging, attribute validation, and protocol education without local setup.

Use Cases

• Decode a captured SAMLResponse from a failing login flow so you can inspect status, audience, subject, and attribute values.
• Review an AuthnRequest or assertion in readable XML before you change identity-provider or service-provider settings.
• Jump to SAML Encoder when you need to go back in the other direction and rebuild a request or response from XML for controlled testing.
• Compare messages from different identity providers to spot issuer, timestamp, or namespace differences.
• Use the page as a low-friction learning tool when you need to understand what encoded SAML actually contains.

How To Use

1. Capture the SAMLRequest or SAMLResponse value from the browser, logs, or test fixture, then paste the encoded content into the source field.
2. Use the sample control if you want to confirm the workflow with a known-good message before pasting your own data.
3. Click Convert and review the decoded XML output carefully. Start with high-value fields such as issuer, destination, audience restrictions, subject, attributes, and validity windows.
4. Copy or download the XML for deeper inspection, and use URL Link Decoder only after you have decoded the message cleanly and confirmed whether the problem is transport encoding or the XML content itself.
5. If the message still looks wrong, swap to the encoder workflow only when you are intentionally rebuilding or simulating a SAML exchange for QA or reproduction.

How It Works

Many SAML messages are transported as encoded text rather than raw XML. This page reverses that transport-oriented packaging so the original XML becomes readable again. That is why it is useful in SSO debugging: you can move from a long opaque blob to a structured message you can inspect field by field.

The important boundary is between decoding and decryption. This tool helps with encoding layers such as Base64 and related transport preparation, but it does not replace cryptographic decryption for genuinely encrypted assertions. A good sanity check is to confirm whether the message becomes readable XML after decoding or whether you are still dealing with encrypted content that needs another step.

Examples

Investigate an SSO failure

Paste a captured SAMLResponse from a failing browser flow, decode it, and inspect the XML for status codes, audience mismatches, expired conditions, or missing attributes before you start changing IdP configuration blindly.

Attribute mapping review

Decode a known-good assertion and compare the XML attributes against what the application expects. That is often faster than trying to infer the problem from screenshots or generic login errors.

Edge Cases & Troubleshooting

• If the decode fails immediately, verify that you copied the raw SAMLRequest or SAMLResponse value rather than an already transformed or truncated version.
• If the output is still unreadable, the message may be encrypted rather than merely encoded.
• Whitespace and URL-transport artifacts can matter when copying values from logs or browser tools, so work from the raw parameter where possible.
• A valid decode does not prove the SAML flow is correct. You still need to inspect issuer, audience, expiry, bindings, and attribute mappings.
• Use sanitized or non-production payloads when policy requires it. Decoded assertions can contain sensitive identity data.

FAQ

What is this page for?

It is for turning encoded SAML requests, responses, and assertions into readable XML so they can be inspected and debugged.

Does decoding mean decrypting?

No. Decoding reverses transport-oriented encoding layers. Encrypted assertions may still require a separate cryptographic step.

When should I use the encoder page?

Use the encoder when you need to rebuild or simulate a SAML message from XML after you have already understood the message structure.

Next Steps / Related Workflows

After the main result looks right, continue with Querystring Decode if the next step in the workflow needs another related check, transform, or verification pass.