SAML Response Decoding: From Base64 to XML
SSO

Site Developer
2025-12-25

Quick answer: A SAML Response is XML that is Base64-encoded for transport. Over the HTTP-POST binding that is the only layer; over the HTTP-Redirect binding the XML is first DEFLATE-compressed and the Base64 is then URL-encoded. Decode it with /saml-decoder to inspect the Issuer, Subject, Audience, Destination, time Conditions and where the signature sits.

What a SAML response contains

A typical response includes:

  • Issuer
  • Subject and NameID
  • Audience and recipient
  • Conditions like NotBefore and NotOnOrAfter

Depending on configuration, you may also see:

  • Status / StatusCode (success vs error)
  • Attributes (email, groups, department, etc.)
  • An EncryptedAssertion (assertion body encrypted)

Key takeaways

  • A decoded Response is ordinary XML. The fields that decide whether the SP accepts it are Issuer, Destination, Audience, the Conditions time window, Status, and where the signature sits.
  • Decoding is inspection, not verification. Reading the Audience tells you what the IdP claimed, not that the signature over it checks out.
  • Confirm which encoding layers are present (URL encoding, Base64, DEFLATE) before changing SP or IdP configuration, and decode the same way every time so results are repeatable.

Common pitfalls

  • Trusting the first decoded output without checking that it parses as XML and contains a samlp:Response.
  • Decoding the wrong field (RelayState instead of SAMLResponse, for example) or applying a layer the binding does not use.

Quick checklist

  1. Identify the binding (POST or Redirect) and therefore which layers were applied.
  2. Apply only the transformation that binding needs.
  3. Validate the result: it should parse as XML and contain the expected elements.
  4. If it still looks encoded, peel one more layer and stop as soon as it parses.

Why it is Base64 (and sometimes compressed)

Different bindings transport SAML differently:

  • HTTP-POST binding: the XML is Base64-encoded and posted in the SAMLResponse (or SAMLRequest) form field. No compression or URL layer is applied.
  • HTTP-Redirect binding: the XML is DEFLATE-compressed (raw DEFLATE per RFC 1951, with no zlib or gzip header), then Base64-encoded, then URL-encoded as a query parameter. In Web Browser SSO the Response itself normally comes back over POST, so this layering is mostly what you meet on AuthnRequest and logout messages.

To read it, URL-decode if needed, then Base64-decode, then inflate only if the result does not already begin with <. An inflate call that expects a zlib header fails on Redirect-binding payloads even though the data is fine; use a raw-DEFLATE inflate.
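
The layering above, as an added example in Python (not code from this site's /saml-decoder tool): a decoder that peels URL encoding, Base64 and raw DEFLATE one layer at a time, stops as soon as it sees XML, and records which layers it applied. The skeletal Response and the two encoders that build POST-style and Redirect-style inputs are constructed for this demonstration; the function names are mine.

```python
import base64
import binascii
import urllib.parse
import zlib

# Constructed sample: a skeletal Response, encoded below the way each binding carries it.
SAMPLE_XML = (
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1">'
    b'<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    b'https://idp.example.com/metadata</saml:Issuer></samlp:Response>'
)


def encode_post(xml: bytes) -> str:
    """HTTP-POST binding: the SAMLResponse form field is plain Base64 of the XML."""
    return base64.b64encode(xml).decode("ascii")


def encode_redirect(xml: bytes) -> str:
    """HTTP-Redirect binding: raw DEFLATE (RFC 1951, no zlib header), then Base64,
    then URL-encoding so the value survives as a query parameter."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects raw DEFLATE
    deflated = comp.compress(xml) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")


def looks_like_xml(data: bytes) -> bool:
    """The marker we stop on: after optional BOM/whitespace the payload begins with '<'."""
    return data.lstrip().removeprefix(b"\xef\xbb\xbf").lstrip().startswith(b"<")


def decode_saml_message(value: str) -> tuple[bytes, list[str]]:
    """Peel one layer at a time, recording each step, and stop as soon as the result
    is XML. Raises ValueError naming the layer that failed."""
    steps: list[str] = []
    text = value.strip()

    # Layer 1: URL encoding. Only present if the value was copied out of a query string.
    if "%" in text:
        text = urllib.parse.unquote(text)
        steps.append("url-decoded")

    # Layer 2: Base64 (both bindings). Whitespace introduced by copy/paste is tolerated.
    try:
        data = base64.b64decode("".join(text.split()), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid Base64: {exc}") from exc
    steps.append("base64-decoded")
    if looks_like_xml(data):
        return data, steps  # POST binding: nothing more to peel

    # Layer 3: raw DEFLATE. wbits=-15 matters: zlib.decompress(data) with the default
    # wbits expects a zlib header and fails on Redirect-binding payloads.
    try:
        data = zlib.decompress(data, -15)
    except zlib.error as exc:
        raise ValueError(f"not XML and not raw DEFLATE: {exc}") from exc
    steps.append("inflated (raw DEFLATE)")
    if not looks_like_xml(data):
        raise ValueError("inflated payload is still not XML; input is nested or corrupted")
    return data, steps


if __name__ == "__main__":
    for label, encoded in (("POST", encode_post(SAMPLE_XML)),
                           ("Redirect", encode_redirect(SAMPLE_XML))):
        xml, steps = decode_saml_message(encoded)
        print(f"{label}: {' -> '.join(steps)}; {len(xml)} bytes of XML")
```

The detail that trips people up is the -15 window-bits argument: the Redirect binding uses raw DEFLATE, so an inflate that expects a zlib header raises on a perfectly good payload. Returning the list of steps gives you the reproducible transcript the checklist asks for, and a failure message that names the layer tells you whether the input is nested, truncated, or simply the wrong field.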

What to look for

  • The Assertion element
  • The signature and certificate
  • The audience and destination

Where signatures show up (important for debugging)

Signatures can appear on:

  • the Response
  • the Assertion
  • both

Your service provider may require one or the other, and some deployments require both. A mismatch between what the IdP signs and what the SP is configured to expect can look like a generic “invalid signature” error. When you inspect a signature, also check that its ds:Reference URI points at the ID of the element it sits inside (the Response or the Assertion); a signature whose reference targets some other element is not protecting the assertion your SP consumes.

Minimal checklist (what usually breaks)

  • Destination does not match your ACS URL
  • Audience does not match your SP entity ID
  • NotBefore / NotOnOrAfter fails due to clock skew
  • Signature fails because the wrong IdP certificate is used
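
Once the XML is readable, the elements listed under "What to look for", the signature placement described above and the items in this checklist can be pulled out and compared with the SP's configuration. The following is an added Python example, not the site's tool or any SAML library's code. The Response it parses is constructed for illustration, its ds:Signature is a structural placeholder with no valid digest or signature value, and the expected ACS URL, entity ID and clock values are invented. It checks placement and conditions only and performs no cryptographic verification; that remains the job of the SP's SAML library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample, not a capture from any IdP. The ds:Signature has the shape of an
# enveloped signature (Reference URI pointing at the signed element's ID) but its
# DigestValue/SignatureValue are placeholders, so only placement can be checked here.
SAMPLE_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1"
    Destination="https://sp.example.com/saml/acs" IssueInstant="2025-12-25T10:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" IssueInstant="2025-12-25T10:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo><ds:Reference URI="#_a1"><ds:DigestValue>placeholder</ds:DigestValue></ds:Reference></ds:SignedInfo>
      <ds:SignatureValue>placeholder</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>placeholder</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2025-12-25T09:59:00Z" NotOnOrAfter="2025-12-25T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _text(el):
    return el.text.strip() if el is not None and el.text else None


def parse_time(value: str) -> datetime:
    """SAML timestamps are UTC ISO 8601 with a trailing Z, which fromisoformat
    before Python 3.11 does not accept directly."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def summarize(xml_bytes: bytes) -> dict:
    """Extract the fields that decide accept/reject. The stdlib parser does not fetch
    external entities, but for untrusted input in a service prefer defusedxml."""
    root = ET.fromstring(xml_bytes)
    assertion = root.find("saml:Assertion", NS)
    conds = assertion.find("saml:Conditions", NS) if assertion is not None else None
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    signatures = []  # where a ds:Signature sits and what its Reference points at
    for holder, name in ((root, "Response"), (assertion, "Assertion")):
        sig = holder.find("ds:Signature", NS) if holder is not None else None
        if sig is not None:
            ref = sig.find("ds:SignedInfo/ds:Reference", NS)
            signatures.append({"on": name, "element_id": holder.get("ID"),
                               "reference": ref.get("URI") if ref is not None else None})
    return {
        "issuer": _text(root.find("saml:Issuer", NS)),
        "status": status.get("Value") if status is not None else None,
        "destination": root.get("Destination"),
        "encrypted_assertion": root.find("saml:EncryptedAssertion", NS) is not None,
        "name_id": _text(assertion.find("saml:Subject/saml:NameID", NS)) if assertion is not None else None,
        "audience": _text(conds.find("saml:AudienceRestriction/saml:Audience", NS)) if conds is not None else None,
        "not_before": conds.get("NotBefore") if conds is not None else None,
        "not_on_or_after": conds.get("NotOnOrAfter") if conds is not None else None,
        "signatures": signatures,
    }


def check(summary: dict, expected_acs: str, expected_entity_id: str, now_iso: str,
          skew_seconds: int = 120, expect_signature_on=("Assertion",)) -> list[str]:
    """Compare the summary with the SP's own settings and return the mismatches that
    usually surface as 'invalid response' or 'invalid signature'. Placement only:
    nothing here verifies a signature."""
    problems = []
    if summary["status"] != SUCCESS:
        problems.append(f"Status is {summary['status']}, not Success")
    if summary["destination"] != expected_acs:
        problems.append(f"Destination {summary['destination']} does not match ACS URL {expected_acs}")
    if summary["encrypted_assertion"]:
        problems.append("EncryptedAssertion present: Audience, Conditions and attributes need the SP private key")
    elif summary["audience"] != expected_entity_id:
        problems.append(f"Audience {summary['audience']} does not match SP entity ID {expected_entity_id}")
    now, skew = parse_time(now_iso), timedelta(seconds=skew_seconds)
    if summary["not_before"] and now + skew < parse_time(summary["not_before"]):
        problems.append(f"NotBefore {summary['not_before']} is still in the future (allowed skew {skew_seconds}s)")
    if summary["not_on_or_after"] and now - skew >= parse_time(summary["not_on_or_after"]):
        problems.append(f"NotOnOrAfter {summary['not_on_or_after']} has passed (allowed skew {skew_seconds}s)")
    signed_on = {s["on"] for s in summary["signatures"]}
    for want in expect_signature_on:
        if want not in signed_on:
            problems.append(f"no ds:Signature on the {want}, but the SP expects one there")
    for s in summary["signatures"]:
        if s["reference"] != f"#{s['element_id']}":
            problems.append(f"Signature on {s['on']} references {s['reference']}, not its own ID #{s['element_id']}")
    return problems
```

Run check() with the SP's real ACS URL, entity ID and current time and each returned line maps to one row of the checklist above, which is faster than reading a vendor's generic error. The skew parameter is the tolerance to tune when NotBefore or NotOnOrAfter fails only on some hosts; compare the IdP and SP clocks before widening it. The expect_signature_on parameter is the knob for the placement mismatch described above: set it to what your SP is configured to require and the report tells you whether the IdP signed that element.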

Common use cases

  • Validate what the identity provider sent
  • Troubleshoot mismatched audience
  • Confirm user attributes

Tip

If the Base64-decoded bytes do not begin with < (for example <?xml or <samlp:Response), try a raw-DEFLATE inflate. If they already begin with <, no inflate is needed; inflating bytes that are already XML only produces an error.

FAQ

Is it safe to paste a SAML response?

Treat SAML as sensitive. Prefer using trusted tools and avoid pasting production responses into unknown third-party sites.

What if the XML contains EncryptedAssertion?

You can still inspect metadata (issuer, destination, time conditions), but you cannot read user attributes without the decryption key.

What should I do if the output still looks encoded?

Decode step-by-step. If you still see obvious markers (percent codes, escape sequences, or Base64-like text), the data is likely nested.

What is the safest way to avoid bugs?

Keep the original input, change one thing at a time, and validate after each step so you know exactly what fixed the issue.

Should I use the decoded value in production requests?

Usually no. Decode for inspection and debugging, but send the original encoded form unless your protocol explicitly expects decoded text.

Why does it work in one environment but not another?

Different environments often have different settings (time zones, keys, encoders, or parsing rules). Compare a known-good sample side-by-side.
