SAML Response Decoder

All decoding happens locally in your browser. No data is sent to any server.

How to capture a SAML Response

Field	Description
`Issuer`	The Certificate Authority (CA) or entity that issued this certificate. Shows the organisation that vouches for the certificate's authenticity.
`Subject`	The entity this certificate was issued to — typically the Identity Provider (IdP). This identifies who owns the certificate.
`Valid From`	The date/time when this certificate became valid. Shows warning if not yet valid.
`Valid Until`	The date/time when this certificate expires. Shows EXPIRED if past this date. Certificate renewal required before expiry.
`Signature Algorithm`	The cryptographic algorithm used to sign this certificate (e.g., SHA256withRSA). Older algorithms like SHA1 may indicate security concerns.

Field	Description
`NameID Format`	The format/type of the user identifier. Common formats include `emailAddress`, `persistent` (opaque ID), and `transient` (session-specific ID).
`NameID Value`	The unique identifier for the authenticated user. This is the value the Service Provider uses to identify the user (e.g., email address or username).
`Issuer`	The SAML Identity Provider (IdP) that issued this assertion. Usually the IdP's entity ID or URL.
`Destination`	The URL where this SAML response should be delivered — typically the Service Provider's Assertion Consumer Service (ACS) URL.
`Not Before`	The time at which this assertion becomes valid. The assertion cannot be used before this time. Shows warning if not yet valid.
`Auth Instant`	The exact moment the user authenticated with the IdP (e.g., entered their password). Useful for determining session freshness.
`Not On Or After`	The expiry time — the assertion cannot be used on or after this time. Shows EXPIRED if past this date.
`Session Expires`	The time when the SSO session at the IdP expires (SessionNotOnOrAfter). This may differ from assertion expiry — shows how long the user's IdP session remains valid.
`Status`	Whether the SAML authentication was successful. `Success` means authentication succeeded; other values indicate errors.

SAML attributes are additional user information passed from the Identity Provider to the Service Provider. Common attributes include:

Attribute	Description
`email`	The user's email address.
`firstName` / `givenName`	The user's first/given name.
`lastName` / `surname`	The user's last name/surname.
`displayName`	The user's display name (often full name).
`groups` / `memberOf`	Group memberships for the user, often used for role-based access control.
`department`	The user's department within the organisation.

Note: Actual attributes vary depending on IdP configuration and what the SP has requested.

Paste Base64-encoded SAML Response:

X.509 Certificate

Issuer

Subject

Valid From

Valid Until

Signature Algorithm

View raw certificate (PEM)

SAML Assertion

NameID Format

NameID Value

Issuer

Destination

Not Before

Auth Instant

Not On Or After

Session Expires

Status