SAML Validator

A valid SAML assertion must satisfy several structural and temporal conditions before a Service Provider will accept it. Simply decoding the Base64 payload is not enough — the contents must be well-formed XML in the correct SAML namespace, contain the required elements, and fall within the allowed time window.

The most common SAML validation failures in production environments are clock-skew issues, where the IdP and SP server clocks are out of sync by more than the assertion's validity window. Most SAML libraries allow a small tolerance (typically 2–5 minutes) but a skew beyond that will cause consistent authentication failures that look like mysterious rejections to end users.

Other common issues include missing or incorrect AudienceRestriction values (the SP entity ID must match exactly), non-success StatusCode values indicating the IdP rejected the request, missing NameID elements that the SP requires to identify the user, and namespace mismatches between SAML 1.x and SAML 2.0 formats.

This validator runs all checks client-side. Paste your raw SAML (Base64, XML, or URL-encoded) and get an instant pass/fail report with specific issues identified.