SAML Response Decoding and SSO Security
SAML responses are XML documents encoded in Base64 and passed through the browser during single sign-on. Decoding them reveals the identity provider, the authenticated user, their attributes, and the conditions under which the assertion is valid. When debugging SSO issues or testing for SAML vulnerabilities, decoding the response is always the first step.
Try it now
SAML Decoder
Runs in your browser, nothing leaves your device.
Issuer: which identity provider generated the assertion. Audience: which service provider should accept it (if your app accepts assertions meant for other services, that's a vulnerability). Conditions: NotBefore and NotOnOrAfter timestamps for validity window. NameID: the authenticated user's identifier. AuthnContext: what authentication method was used (password, MFA, certificate).
XML signature wrapping: the signature covers one part of the XML, but the application reads a different part. Comment injection in NameID: `[email protected]<!---->.evil.com` might be parsed differently by the XML parser and the application. Replay attacks: reusing an old SAML response if the service provider doesn't check timestamps or track used assertion IDs.
Examples
Decoded SAML assertion (simplified)
PHNhbWw6QXNzZXJ0aW9uIElEPSIuLi4i...
Issuer: idp.company.com
Subject: [email protected]
Role: admin
Expires: 5min
Security context
SAML implementations are complex and error-prone. Most SSO vulnerabilities come from improper signature validation, not from SAML itself. Always verify that the assertion signature covers all the claims your application relies on.
Frequently asked
SAML uses XML and is designed for browser-based SSO between organizations. JWTs use JSON and are lighter, commonly used in API authentication. SAML is more complex but supports richer attribute assertions and has been the enterprise standard for longer.
Related techniques
JWT Token Analysis and Security Pitfalls
Decode and inspect JSON Web Tokens. Detect algorithm confusion attacks, missing signature verification, excessive claims, and insecure token storage.
Base64 Decoding
How to decode Base64-encoded payloads found in malware, phishing kits, and obfuscated scripts. Detect hidden URLs, credentials, and executable code.