This documentation is for WSO2 Identity Server 5.3.0 . View documentation for the latest release.

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


  1. Login to the WSO2 Identity Server and access the management console.
  2. In the management console, you can find the SAML section under the Main Tools menu in the Tools section.
    Image RemovedImage Added

Working with the SAML request validator

  1. Once you click the SAML Request Validator link, the following screen appears:
    Image RemovedImage Added
    • Before starting the validation, it is required to specify the request binding which the service provider has initiated. This may be either HTTP POST or HTTP Redirect. You can specify this in your SP side configuration.
    • You must also provide the SAML2 Request. For HTTP POST binding, you can extract the request using a Mozilla Firefox add-on like SAML Tracer or using in-built developer tools in most of the web browsers. In both cases you can find the SAML Request as "SAMLRequest=IZfhfReBEadHHLl...." inside the form data. Copy and paste only the encoded request without "SAMLRequest=" to the given text area. If the request binding used is HTTP Redirect, you can also get the SAML Request from the developer tools. However, in this instance you have to copy the URL instead of the encoded request. This is required because parameters like "SigAlg" and "Signature" which are used in the validation are also included in the URL. The URL should have a similar format to "https://localhost:9443/samlsso?SAMLRequest=jZLRjqowEIZfhfReBEXRR...".
    • As the Issuer can be extracted from the SAML request there is no need to specify SAML Web SSO configuration which is required to do the validation. The toolkit will automatically select the appropriate configuration using the issuer value.
  2. Finally use "Validate" button to get the validation results. The results are displayed as steps indicating whether the request has passed or failed that specific step.
    Image Removed
     Using this information, the user can identify the exact area of the configuration that requires attention and fix it using the expected value.


  1. Once you click the "SAML Response Builder" link, the following screen appears:
    Image RemovedImage Added
    • This feature allows you to build a valid response against a selected SAML2 Web SSO configuration. 
    • All the issuers available in configurations are listed here in the Issuer drop down. So you can select the required configuration by selecting the Issuer
    • The User Name is also required to get the user profile which will be used during the response generation.
  2. Click the "Generate" button, the response builder will generate the response using provided data and display it in both XML and in encoded format as follows.

    The user can verify the configuration from the returned response, by looking at the XML. Also, some web sites like Salesforce provides the facility to validate the encoded response against the service provider's configuration. So you can use the returned encoded response there to identify the issues in configuration. By using the information provided by this tool, the user can modify the configuration in the identity provider's side or service provider's side accordingly to get the desired result.