SAML Decoder – Decode SAML Requests, Responses & Assertions Online
Use this online SAML decoder to quickly decode SAML requests, responses, and assertions into readable XML. Whether you’re troubleshooting SSO, validating claims, or learning how SAML works, the tool helps you go from opaque Base64 blobs to human-friendly XML in seconds.
What this SAML decoder does
This SAML decoder is designed to:
- Base64 decode and inflate SAML messages captured from browser redirects or POSTs.
- Handle both SAMLRequest and SAMLResponse payloads (HTTP-Redirect or HTTP-POST).
- Act as a SAML assertion decoder for inspecting the XML inside SAML assertions and tokens.
- Provide a simple interface so you can decode SAML without installing libraries or writing code.
In short, you paste the encoded string, click Convert, and the tool decodes the SAML content into formatted XML.
Who this SAML decode tool is for
This online SAML decoder is useful for:
- Developers & DevOps engineers integrating SSO with identity providers (IdPs) and service providers (SPs).
- Security and IT engineers debugging authentication, authorization, and SSO issues.
- QA & support teams who need to quickly decode SAML responses from browser traces or logs.
- Students & learners who want to understand what’s actually inside a SAML token or assertion.
If you deal with SAML-based SSO, this SAML message decoder will quickly become one of your go-to SAML tools.
How to decode a SAML response (step-by-step)
1. Capture the SAMLResponse from your browser
- Open your browser’s Developer Tools (usually F12).
- Go to the Network tab and enable Preserve log.
- Reproduce the SSO login flow until the error or redirect appears.
- Look for a request that contains a SAMLResponse parameter (often an HTTP-POST back to the application).
- Copy the entire SAMLResponse value (the long Base64 string).
2. Paste the encoded SAML response
- Go to https://www.coderstool.com/saml-decoder.
- Paste the Base64-encoded text into the “Deflated and Encoded XML” input box.
- If needed, you can use the Sample button to see an example of a SAML message.
3. Decode the SAML response
- Click Convert to decode SAML response data.
- The tool will Base64 decode and inflate the SAML message and show the SAML Message (XML) output.
- Use Copy to copy the decoded XML for further analysis or sharing.
Now you can inspect the SAML assertion, status codes, audience, subject, attributes, and conditions directly in XML.
How to decode a SAML request
You can also use this SAML tool as a SAML request decoder:
- Capture the URL or form data containing the SAMLRequest parameter (often on the redirect from the SP to the IdP).
- Copy the full SAMLRequest value.
- Paste it into the Deflated and Encoded XML field.
- Click Convert to decode the SAML request.
The decoded XML will show you the AuthnRequest, including issuer, ACS URL, NameID policy, requested authentication context, and more.
Decode SAML assertions and SAML tokens
SAML messages often contain assertions, which carry the actual authentication and authorization information. A SAML assertion decoder lets you view:
- The authenticated user (Subject)
- Attributes (email, username, roles, groups, etc.)
- Conditions (validity window, audience restrictions)
- Authentication statements (how and when the user authenticated)
By pasting a SAML message into this SAML token decoder, you can:
- Verify that the IdP is sending the attributes your application expects.
- Confirm that the audience, issuer, and expiry times are correct.
- Troubleshoot why a user is denied access, even after a “successful” login.
How SAML encoding and decoding works (in simple terms)
Most SAML bindings use a combination of:
- URL or form encoding (for transport in HTTP GET/POST).
- Base64 encoding of the XML message.
- Optional DEFLATE compression (especially for HTTP-Redirect binding).
When you decode SAML with this tool, it essentially reverses these steps:
- Takes the Base64 string from SAMLRequest or SAMLResponse.
- Base64 decodes it back into bytes.
- Inflates the bytes when the message was DEFLATE-compressed, to recover the original XML.
- Displays the XML so you can read and debug it.
You don’t need to remember these details—just paste the message and click Convert—but understanding them helps when comparing results with other SAML tools.
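The decoding steps above, together with the fields listed under "Decode SAML assertions and SAML tokens", can also be run locally so that production messages never leave your machine. This is an added example, not the tool's own code; `decode_saml`, `summarize`, the size cap and the sample message are assumptions made for illustration. It only decodes and reads fields: it does not verify signatures or decrypt assertions.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MAX_XML_BYTES = 1_000_000  # assumed cap so a hostile blob cannot inflate without bound

def decode_saml(value: str) -> str:
    """Reverse URL encoding, Base64 and (if present) raw DEFLATE."""
    if "%" in value:                      # still URL-encoded (copied from a query string)
        value = unquote(value)            # unquote() keeps '+', which is valid Base64
    value = "".join(value.split())        # drop whitespace such as line wraps from logs
    raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
    if raw.lstrip().startswith(b"<"):     # HTTP-POST binding: Base64 only
        return raw.decode("utf-8")
    inflater = zlib.decompressobj(-15)    # HTTP-Redirect: raw DEFLATE, no zlib header
    xml = inflater.decompress(raw, MAX_XML_BYTES + 1)
    if len(xml) > MAX_XML_BYTES:
        raise ValueError("inflated message exceeds size cap")
    return xml.decode("utf-8")

def summarize(xml: str) -> dict:
    """Extract the fields worth checking first. Performs no signature validation."""
    if "<!DOCTYPE" in xml or "<!ENTITY" in xml:
        raise ValueError("DTDs do not belong in SAML messages")
    root = ET.fromstring(xml)
    cond = root.find(".//saml:Conditions", NS)
    return {
        "message": root.tag.split("}")[-1],
        "issuer": root.findtext(".//saml:Issuer", namespaces=NS),
        "audience": root.findtext(".//saml:Audience", namespaces=NS),
        "not_on_or_after": cond.get("NotOnOrAfter") if cond is not None else None,
        "encrypted": root.find(".//saml:EncryptedAssertion", NS) is not None,
    }

# Constructed sample (not real traffic): an AuthnRequest in HTTP-Redirect form.
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">'
    "<saml:Issuer>https://sp.example.test/metadata</saml:Issuer></samlp:AuthnRequest>"
)
_c = zlib.compressobj(wbits=-15)
SAMPLE_REDIRECT = quote(base64.b64encode(_c.compress(SAMPLE_XML.encode()) + _c.flush()).decode(), safe="")

if __name__ == "__main__":
    print(summarize(decode_saml(SAMPLE_REDIRECT)))
```

If a value was form-decoded somewhere along the way and its `+` characters became spaces, Base64 decoding will fail or yield garbage; copy the value again from the raw request in that case.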
SAML decoder vs SAML encoder
Working with SAML usually involves both decode and encode operations:
- Use SAML Decoder (this page) when you want to:
  - Inspect, debug, or log what was actually sent.
  - Read the raw XML inside requests, responses, and assertions.
  - Validate attributes, audience, and expiry times.
- Use SAML Encoder when you want to:
  - Deflate and Base64 encode an XML SAML message.
  - Rebuild a SAMLRequest or SAMLResponse from XML for manual testing.
  - Simulate SAML flows in development or QA environments.
Together, the online SAML encoder and SAML decoder make it easy to move between XML and encoded SAML tokens.
Practical use cases for decoding SAML
You might use this online SAML decoder when you need to:
- Debug SSO failures
  Check StatusCode, StatusMessage, audience, or clock skew issues that cause login failures.
- Verify attribute mappings
  Confirm that the IdP is sending the correct claims (like email, givenName, role) and that their names/namespaces match your app’s configuration.
- Audit security configurations
  Inspect conditions, NotBefore/NotOnOrAfter timestamps, and audience restrictions.
- Compare different IdP configurations
  Decode SAML messages from different identity providers to check configuration differences.
- Learn SAML syntax
  Paste sample messages and explore the structure of requests, responses, and assertions.
Security & privacy tips when using SAML tools
When you decode SAML assertions and tokens, you’re working with sensitive authentication data. Follow these guidelines:
- Prefer non-production or sanitized messages when possible.
- Avoid sharing decoded SAML XML in public channels or screenshots.
- Rotate secrets or certificates if you suspect they’ve been exposed.
- Consult your security policy before pasting production SAML data into any online SAML decoder.
Related Coderstool utilities for SAML & encoding
For more control over encoding/decoding and XML handling, try these related tools:
- SAML Encoder – Inflate and Base64 encode SAML XML for redirects and POSTs.
- Base64 Tools – A collection of Base64 encoders/decoders for text, files, XML, JSON and more.
- Base64 to XML – Decode Base64 strings directly into XML, useful when working with SAML or other XML-based formats.
- Encode Decode Tools – General encoding/decoding utilities (HTML, URL, query string, etc.) that often appear alongside SAML workflows.
- Unicode Text Converter – Helpful when dealing with Unicode characters inside XML payloads.
FAQ: SAML Decoder
Does this SAML decoder support SAML 2.0?
Yes. SAML 2.0 messages are standard XML. As long as the data is properly Base64 encoded (and deflated when required), this tool will decode the SAML message and display the XML.
Can I decode SAML responses captured from logs?
Yes. If your logs contain the raw SAMLResponse or SAMLRequest value, copy the Base64 string and paste it into the decoder. The tool will decode SAML into XML so you can inspect it.
What’s the difference between decoding and decrypting SAML?
- Decoding reverses encoding (Base64, deflate) and is what this online SAML decoder does.
- Decrypting removes cryptographic protection from encrypted SAML assertions using private keys and certificates.
If your assertion is encrypted, you’ll see encrypted XML elements even after decoding; this tool does not perform decryption.
Can I use this SAML decoder for tokens from any IdP?
Yes. As long as the IdP follows standard SAML 2.0 encoding, you can decode SAML tokens from providers like Okta, Azure AD, ADFS, Ping, and others. The decoded XML will show the issuer and audience so you can verify all details.
Use this page whenever you need to decode SAML quickly, whether you are decoding a SAML response for a tricky SSO bug, decoding a SAML request during setup, or inspecting a SAML assertion to confirm attributes and conditions.