Authentication & Tokens · 1 min read

SAML Response Decoding and SSO Security

SAML responses are XML documents encoded in Base64 and passed through the browser during single sign-on. Decoding them reveals the identity provider, the authenticated user, their attributes, and the conditions under which the assertion is valid. When debugging SSO issues or testing for SAML vulnerabilities, decoding the response is always the first step.

Try it now

SAML Decoder

Runs in your browser, nothing leaves your device.

Issuer: which identity provider generated the assertion. Audience: which service provider should accept it (if your app accepts assertions meant for other services, that's a vulnerability). Conditions: NotBefore and NotOnOrAfter timestamps for validity window. NameID: the authenticated user's identifier. AuthnContext: what authentication method was used (password, MFA, certificate).

XML signature wrapping: the signature covers one part of the XML, but the application reads a different part. Comment injection in NameID: `[email protected]<!---->.evil.com` might be parsed differently by the XML parser and the application. Replay attacks: reusing an old SAML response if the service provider doesn't check timestamps or track used assertion IDs.

Decoded SAML assertion (simplified)

Input
PHNhbWw6QXNzZXJ0aW9uIElEPSIuLi4i...
Result
Issuer: idp.company.com Subject: [email protected] Role: admin Expires: 5min

Security context

SAML implementations are complex and error-prone. Most SSO vulnerabilities come from improper signature validation, not from SAML itself. Always verify that the assertion signature covers all the claims your application relies on.

SAML uses XML and is designed for browser-based SSO between organizations. JWTs use JSON and are lighter, commonly used in API authentication. SAML is more complex but supports richer attribute assertions and has been the enterprise standard for longer.

Related techniques

Comparing (/4):

Tool Comparison

Feature
Type
Pricing
Platforms
Description