Question 1

What is a SAML Response?

Accepted Answer

A SAML Response is an XML document sent by the Identity Provider (IdP) to the Service Provider (SP) after successful authentication. It contains the user's identity assertions, attributes, and a status code indicating whether authentication succeeded.

Question 2

How is a SAML Response encoded in the browser?

Accepted Answer

In HTTP POST Binding (the most common for responses), the XML is Base64 encoded and submitted as a form field named SAMLResponse. This tool decodes that Base64 value back to the original XML.

Question 3

What claims should I look for in a SAML Response?

Accepted Answer

Key fields include: Issuer (the IdP URL), NameID (the user identifier), StatusCode (Success or Failure), Conditions (NotBefore/NotOnOrAfter validity window), and Attributes (email, groups, roles, etc.).

Question 4

Why is my SAML Response showing as expired?

Accepted Answer

SAML assertions have a short validity window (typically 5–10 minutes) to prevent replay attacks. If the NotOnOrAfter condition has passed, the SP will reject the assertion even if it decodes correctly.

Question 5

Is this safe for production SAML tokens?

Accepted Answer

Yes. This tool processes everything in your local browser — no data is sent to any server. However, be cautious when pasting SAML tokens containing PII in shared environments.

Question 6

What is a SAML assertion?

Accepted Answer

A SAML assertion is the core statement in a SAML response that contains authenticated user data — the NameID (user identifier), attributes like email and roles, validity conditions (NotBefore/NotOnOrAfter), and the issuing IdP's digital signature. This decoder extracts all assertion data from the Base64-encoded SAML response your browser receives during SSO login.

Question 7

How do I debug a SAML SSO login failure?

Accepted Answer

Capture the raw SAML response using your browser's developer tools (Network tab → find SAMLResponse parameter in POST data). Paste it into this decoder to inspect the status code, conditions, NameID, and attributes. Common failures: expired conditions, wrong audience restriction, or missing required attributes. For JWT SSO flows, use DevDecode's JWT Debugger.

SAML Response Decoder

Frequently Asked Questions

Understanding SAML Response Decoding

Related Tools

SAML Decoder

SAML Validator

JWT Decoder

Cookie Decoder