SAML 2.0 messages travel base64-encoded; over the HTTP-POST binding that is the only layer, while over the HTTP-Redirect binding they are first DEFLATE-compressed (raw DEFLATE, no zlib header), then base64-encoded, then URL-encoded into the query string (OASIS SAML Bindings spec). This decoder takes a SAMLRequest or SAMLResponse blob (or the full callback URL) and surfaces the underlying XML, the key fields (Issuer, Destination, Audience, NameID, Conditions, Status), and whether the message carries a digital signature.
Decoding happens entirely in your browser via atob and the native DecompressionStream API. Nothing is sent to a server — useful when debugging an SSO flow or auditing a captured authentication during a pentest engagement.
The IdP rejected your AuthnRequest? Decode it and check that the Destination, Issuer, and ProtocolBinding match what the IdP expects.
Capture SAML over the wire and look for missing signatures, Conditions that permit replay (no NotOnOrAfter, or an over-long validity window), or weak NameID formats. These are the starting points for the common tampering classes.
A logged SAML message is opaque base64 in your SIEM. Decode it to verify Audience restrictions and NotOnOrAfter windows match policy.
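The decode-and-inspect flow described above, written out as an added Python example (not the page's own browser code): it undoes the URL-encoding, base64 and raw-DEFLATE layers of the Redirect binding (the same steps the in-browser tool performs with atob and DecompressionStream), falls back to plain base64 for the POST binding, extracts the fields listed on this page with a real XML parser, and then runs the audit checks from the last two use cases (signature present, Audience matches the SP, NotOnOrAfter window within policy, NameID format not unspecified). The sample Response, the hostnames and the 300-second policy window are constructed for the demo; the encoder helpers exist only so the example can exercise the decoder offline.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def decode_saml(blob_or_url: str) -> str:
    """Return the XML behind a SAMLRequest/SAMLResponse value or callback URL."""
    value = blob_or_url.strip()
    if "?" in value:  # full URL: pull the parameter out of the query string
        params = urllib.parse.parse_qs(value.split("?", 1)[1])
        found = params.get("SAMLRequest") or params.get("SAMLResponse")
        if not found:
            raise ValueError("URL carries no SAMLRequest/SAMLResponse parameter")
        value = found[0].replace(" ", "+")  # parse_qs turns a literal '+' into a space
    raw = base64.b64decode(value)
    if raw.lstrip().startswith(b"<"):
        return raw.decode("utf-8")  # HTTP-POST binding: base64 only
    # wbits=-15 selects raw DEFLATE (no zlib header), as the Redirect binding requires
    return zlib.decompress(raw, -15).decode("utf-8")


def encode_redirect(xml_text: str, param: str = "SAMLResponse") -> str:
    """Constructed helper: build a Redirect-binding URL (raw DEFLATE, base64, URL-encode)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    b64 = base64.b64encode(deflated).decode("ascii")
    return f"https://sp.example/acs?{param}={urllib.parse.quote(b64, safe='')}"


def encode_post(xml_text: str) -> str:
    """Constructed helper: POST-binding value is plain base64 of the XML."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def _parse_time(value):
    """xs:dateTime in UTC (e.g. 2030-01-01T00:00:00Z, optional fraction) -> aware datetime."""
    if value is None:
        return None
    value = value.rstrip("Z").split(".")[0]
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def summarize(xml_text: str) -> dict:
    """Extract the fields the decoder surfaces. Treat the XML as untrusted input;
    a production validator should parse with a hardened library such as defusedxml."""
    root = ET.fromstring(xml_text)
    assertion = root.find(".//saml:Assertion", NS)
    conditions = root.find(".//saml:Conditions", NS)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    status = root.find("./samlp:Status/samlp:StatusCode", NS)
    issuer = root.find("./saml:Issuer", NS)
    audience = root.find(".//saml:AudienceRestriction/saml:Audience", NS)
    return {
        "type": root.tag.split("}")[-1],  # Response or AuthnRequest
        "issuer": issuer.text if issuer is not None else None,
        "destination": root.get("Destination"),
        "protocol_binding": root.get("ProtocolBinding"),
        "audience": audience.text if audience is not None else None,
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "not_before": conditions.get("NotBefore") if conditions is not None else None,
        "not_on_or_after": conditions.get("NotOnOrAfter") if conditions is not None else None,
        "status": status.get("Value") if status is not None else None,
        # A ds:Signature directly under the Response covers the whole message; one under
        # the Assertion covers only the assertion. Either or both may be absent.
        "message_signed": root.find("./ds:Signature", NS) is not None,
        "assertion_signed": assertion is not None
        and assertion.find("./ds:Signature", NS) is not None,
    }


def audit(summary: dict, expected_audience: str, now: datetime,
          max_validity_seconds: int = 300) -> list:
    """Policy findings: signature, Audience restriction, NotOnOrAfter window, NameID format."""
    findings = []
    if not (summary["message_signed"] or summary["assertion_signed"]):
        findings.append("no XML signature on message or assertion")
    if summary["audience"] != expected_audience:
        findings.append(f"Audience {summary['audience']!r} != expected {expected_audience!r}")
    expiry = _parse_time(summary["not_on_or_after"])
    if expiry is None:
        findings.append("Conditions has no NotOnOrAfter: assertion never expires (replayable)")
    elif (expiry - now).total_seconds() > max_validity_seconds:
        findings.append(f"NotOnOrAfter window {(expiry - now).total_seconds():.0f}s "
                        f"exceeds policy {max_validity_seconds}s")
    fmt = summary["name_id_format"] or ""
    if not fmt or fmt.endswith(":unspecified"):
        findings.append("NameID format is unspecified")
    return findings


# Constructed, unsigned sample Response with a one-day validity window.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2030-01-01T00:00:00Z" Destination="https://sp.example/acs">
  <saml:Issuer>https://idp.example/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2030-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2030-01-01T00:00:00Z" NotOnOrAfter="2030-01-02T00:00:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def demo():
    """Round-trip the sample through the Redirect binding and audit it."""
    summary = summarize(decode_saml(encode_redirect(SAMPLE_RESPONSE)))
    now = datetime(2030, 1, 1, tzinfo=timezone.utc)  # fixed clock for a deterministic result
    return summary, audit(summary, "https://sp.example/metadata", now)


if __name__ == "__main__":
    s, f = demo()
    for key, val in s.items():
        print(f"{key:>16}: {val}")
    for line in f:
        print("FINDING:", line)
```

Run against the sample, the audit reports three findings (no signature, a 86400-second validity window against a 300-second policy, and an unspecified NameID format) while the Audience check passes; swap `encode_redirect` for `encode_post` to exercise the POST-binding path, or feed `decode_saml` a captured callback URL directly.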