Enterprise SSO
SAML Inspector
Paste a Base64 SAML response or raw XML to inspect issuers, subjects, attributes, and validity windows instantly—no network requests.
Client-side only
Nothing leaves your browser.
Redirect & POST aware
Base64 + optional deflate.
SAML Flow
1. User requests resource → 2. SP sends AuthnRequest to IdP → 3. IdP authenticates user → 4. IdP sends Response with Assertion → 5. SP grants access
Key Elements
| Element | Purpose |
|---|---|
| AuthnRequest | SP → IdP login request |
| Response | IdP → SP with assertions |
| Assertion | Claims about the user |
| NameID | User identifier |
| Attribute | User properties (email, role) |
What is SAML?
Security Assertion Markup Language (SAML) is an XML-based open standard for exchanging authentication and authorization data between parties, in particular, between an Identity Provider (IdP) and a Service Provider (SP). SAML is the backbone of many Enterprise Single Sign-On (SSO) solutions, allowing users to access multiple applications with a single set of credentials. The most common version is SAML 2.0, which uses security tokens containing assertions to pass information about a principal between the IdP and the SP.
How to Use This Tool
1. Paste the Base64-encoded SAMLResponse or raw XML into the input field.
2. Toggle Attempt to inflate if decoding a Redirect binding payload.
3. Click Decode response to parse the message.
4. Check the Quick summary for the Issuer, Subject, and validity status.
5. View decoded user attributes in the Attributes table.
6. Use the tabs to see Pretty XML, Assertion details, or a JSON representation of the claims.
Common Use Cases
- SSO troubleshooting: diagnose why a user cannot log in by checking for expired assertions or audience mismatches.
- Integration testing: verify that your Identity Provider is sending the correct attributes.
- Security auditing: inspect the raw XML and ensure assertions are properly signed.
- Development: quickly view the contents of a SAML message during Service Provider integration.
Pro Tips
- SAML messages sent via HTTP-Redirect are usually deflated (compressed) before being Base64 encoded. If your decode fails, try toggling the Attempt to inflate checkbox.
- Ensure the AudienceRestriction matches your SP Entity ID.
- If a response is marked invalid, compare the NotBefore and NotOnOrAfter times against the current time and check for clock skew between the IdP and SP clocks.
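The decode and validity checks from the tips above, as an added offline example (not this tool's own code): it handles both the POST form (Base64) and the Redirect form (raw DEFLATE, then Base64), then checks the audience and the validity window with a skew allowance. The function names, the constructed sample response with its example.test entity IDs, and the two-minute skew default are assumptions.

```python
import base64, zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
DSIG = "{http://www.w3.org/2000/09/xmldsig#}Signature"

def decode_saml(payload, inflate=False):  # payload: already URL-decoded
    raw = base64.b64decode(payload)
    if inflate:
        raw = zlib.decompress(raw, -15)  # -15: raw DEFLATE, no zlib header
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise ValueError("DTD/entity declarations rejected before parsing")
    return raw

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def summarize(xml, sp_entity_id, now, skew=timedelta(minutes=2)):
    root = ET.fromstring(xml)
    assertion = root.find(".//saml:Assertion", NS)
    cond = None if assertion is None else assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("no plaintext Assertion with Conditions found")
    audiences = [(a.text or "").strip() for a in cond.iterfind(".//saml:Audience", NS)]
    return {
        "issuer": assertion.findtext("saml:Issuer", namespaces=NS),
        "name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "audience_ok": sp_entity_id in audiences,
        # NotBefore is inclusive, NotOnOrAfter exclusive; skew widens both ends.
        "time_ok": _ts(cond.get("NotBefore")) - skew <= now
                   < _ts(cond.get("NotOnOrAfter")) + skew,
        # Presence only; this does not verify the signature.
        "signature_present": next(root.iter(DSIG), None) is not None,
    }

# Constructed sample (not from a real IdP); entity IDs and user are made up.
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
    '<saml:Issuer>https://idp.example.test</saml:Issuer>'
    '<saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>'
    '<saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">'
    '<saml:AudienceRestriction><saml:Audience>https://sp.example.test</saml:Audience>'
    '</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>'
).encode()
SAMPLE_NOW = datetime(2024, 1, 1, 12, 6, tzinfo=timezone.utc)  # 1 min past expiry
POST_FORM = base64.b64encode(SAMPLE_XML).decode()
# Redirect form: strip the 2-byte zlib header and 4-byte checksum to get raw DEFLATE.
REDIRECT_FORM = base64.b64encode(zlib.compress(SAMPLE_XML)[2:-4]).decode()
print(summarize(decode_saml(REDIRECT_FORM, True), "https://sp.example.test", SAMPLE_NOW))
```

With the sample clock one minute past NotOnOrAfter, the response passes only because of the skew allowance; calling `summarize` with `skew=timedelta(0)` reports it as expired.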