SAML Signature Verification & Decoder – Free | 8gwifi.org

SAML Verify & Decode

Learn SAML Anish Nath
Operation Mode
Validate XML signature using X.509 certificate
Decode Base64-encoded SAML message to XML
Decode and inflate HTTP-Redirect binding messages
SAML Message
X.509 Certificate (IdP Public Key)
The IdP's public certificate used to verify the signature.

Quick Guide
| Mode | Input | Use Case |
|---|---|---|
| Verify Signature | SAML XML + X.509 Cert | Validate signatures from IdP |
| Base64 Decode | Base64 string | HTTP-POST binding messages |
| Base64 + Inflate | Deflated Base64 | HTTP-Redirect binding (SAMLRequest param) |
Signature Verification Tips
  • Response vs Assertion: IdPs may sign the Response, the Assertion, or both. Try both options if verification fails.
  • Certificate Mismatch: Ensure you're using the correct IdP certificate (not the SP certificate).
  • Embedded Certificates: Some signed messages include the certificate in <ds:X509Certificate>. You can extract and use it.
  • Clock Skew: Assertion conditions (NotBefore, NotOnOrAfter) may fail due to server time differences.
SAML Message Processing
SAML Signature Verification

SAML signatures use XML Digital Signatures (XMLDSig) to ensure message integrity and authenticity. Verification involves:

  1. Canonicalizing the signed XML element
  2. Computing the digest of the canonicalized content
  3. Verifying the digest matches <ds:DigestValue>
  4. Verifying the signature using the IdP's public key
What to Verify
  • Response Signature: Verifies the entire <samlp:Response> element wasn't modified
  • Assertion Signature: Verifies the <saml:Assertion> element independently
SAML Message Encoding

SAML messages are encoded differently depending on the binding:

  • HTTP-POST: Base64-encoded XML in a form field
  • HTTP-Redirect: DEFLATE compressed, then Base64-encoded, then URL-encoded
Decoding HTTP-Redirect Messages
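# Decode SAMLRequest from URL: URL-decode, Base64-decode, then inflate raw DEFLATE data (no zlib header)
python3 -c 'import sys,base64,zlib,urllib.parse; print(zlib.decompress(base64.b64decode(urllib.parse.unquote(sys.argv[1])), -15).decode())' "$SAMLRequest"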
Security Best Practices
  • Always verify signatures before trusting assertions
  • Check NotBefore and NotOnOrAfter conditions
  • Validate the Issuer matches expected IdP
  • Verify Destination matches your ACS URL
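
The Destination, Issuer and validity-window checks above, with the clock-skew tolerance from the tips, as an added Python example (not code from this tool). It assumes the signature has already been verified and covers the assertion being read; `check_response`, the 2-minute skew and the example.com names are illustrative assumptions.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def _ts(value):
    # SAML timestamps are UTC xs:dateTime values, e.g. 2024-01-01T12:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_response(b64_response, expected_issuer, acs_url, now,
                   skew=timedelta(minutes=2)):
    """Return the failed checks for an HTTP-POST SAMLResponse (empty list = pass)."""
    xml = base64.b64decode(b64_response)
    if b"<!DOCTYPE" in xml:                     # refuse DTDs before parsing
        return ["DOCTYPE not allowed"]
    root = ET.fromstring(xml)
    failures = []
    if root.get("Destination") != acs_url:
        failures.append("Destination does not match ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return failures + ["no Assertion"]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        failures.append("unexpected Issuer")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return failures + ["no Conditions"]
    # The skew widens the validity window on both sides to absorb clock drift.
    if "NotBefore" in cond.attrib and now + skew < _ts(cond.get("NotBefore")):
        failures.append("assertion not yet valid")
    if "NotOnOrAfter" in cond.attrib and now - skew >= _ts(cond.get("NotOnOrAfter")):
        failures.append("assertion expired")
    return failures

# Constructed sample, trimmed to the checked fields (hypothetical IdP and SP names);
# a real Response also carries ID, Version, IssueInstant and a ds:Signature.
SAMPLE = base64.b64encode(b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://sp.example.com/acs">
  <saml:Assertion><saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
  </saml:Assertion></samlp:Response>""")
```

Pass `now` as a timezone-aware UTC datetime, and keep the skew small, since it also extends how long an expired assertion is still accepted.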
