Free Developer Tool

SAML Decoder & Builder

Decode, inspect, and build SAML requests and responses. Debug your SSO integrations instantly.

100% Client-Side No Data Stored No Signup Required
Input
Decoded Output

No SAML decoded yet

Paste a Base64-encoded SAML request or response and click Decode.

Need Managed SAML SSO?

Skycloak provides enterprise-grade SAML 2.0 support with pre-configured IdP templates. No ops burden.

Start Free Trial

What is SAML?

SAML (Security Assertion Markup Language) is an XML-based standard for exchanging authentication and authorization data between parties. It enables Single Sign-On (SSO) by allowing an Identity Provider (IdP) to authenticate users and pass identity information to a Service Provider (SP).

The most common version in use today is SAML 2.0, which supports:

  • IdP-Initiated SSO: User starts at the IdP and is redirected to the SP
  • SP-Initiated SSO: User starts at the SP, is redirected to IdP for auth, then back to SP
  • Single Logout (SLO): Terminate sessions across all connected applications

SAML Request vs Response

SAMLRequest (AuthnRequest): Sent by the Service Provider to the Identity Provider to initiate authentication. It's typically Base64-encoded AND deflate-compressed when sent via HTTP Redirect binding.

SAMLResponse: Sent by the Identity Provider back to the Service Provider after successful authentication. Contains the SAML Assertion with user identity and attributes. Usually only Base64-encoded (not compressed) when sent via HTTP POST binding.

This tool automatically detects which type you're decoding and applies the appropriate decompression.

Anatomy of a SAML Assertion

A SAML Assertion is the core component that carries identity information:

  • Issuer: The entity that created the assertion (usually the IdP)
  • Subject/NameID: The authenticated user's identifier
  • Conditions: Validity constraints (NotBefore, NotOnOrAfter, AudienceRestriction)
  • AuthnStatement: When and how the user authenticated
  • AttributeStatement: User attributes (email, roles, groups, etc.)
  • Signature: Digital signature for integrity verification

Common SAML Errors

When debugging SAML integrations, watch for these common issues:

  • Clock Skew: NotBefore/NotOnOrAfter validation fails due to time differences between IdP and SP
  • Audience Mismatch: The SP Entity ID doesn't match the AudienceRestriction in the assertion
  • Invalid Signature: Certificate mismatch or XML canonicalization issues
  • Destination Mismatch: The ACS URL doesn't match the Destination attribute
  • Missing Required Attributes: SP expects attributes that IdP doesn't provide

More Developer Tools

Pricing Calculator

Estimate your cost with clusters, domains, and add-ons.

JWT Decoder

Decode, verify, and inspect JSON Web Tokens for OIDC debugging.

SCIM Tester

Build and validate SCIM requests for user provisioning integrations.

Keycloak Generator

Generate production-ready Keycloak realm configurations.

ROI Calculator

Calculate potential savings with managed identity vs DIY.

Docker Compose Generator

Generate Docker Compose files for Keycloak deployments.
© 2026 All Rights Reserved. Made by Yasser