How to query decoded SAML response in Shibboleth SP version 3.0.1

Kannan, Satheesh (ELS-CON) s.kannan.1 at
Thu Oct 21 14:04:37 UTC 2021

Thanks Peter, for your suggestion.

On the service provider end, I was looking to display decrypted SAML assertions received from the IdP in the user interface.

In most cases, we are unable to see the SAML assertions/attributes sent by the IdP and what Name Format they are sending, or whether we received single/multiple values or not.

I tried multiple handlers, namely Attribute Resolver and Attribute Checker. Both handlers didn't seem to be working and don't solve the purpose, since they come after the downloading of SAML assertions by the Shib SP software.

I was seeing the IdP was sending the SAMLResponse in form data to I see, the SAMLResponse in form data seems to be lost when attaching a customized sessionHook="/sso-" endpoint, since the session hook always does a GET call instead of a POST.

Is there a way we can make use of the PostData and PostTemplate attributes in the Sessions element to retrieve the SAML response sent by the SP?

Could you suggest any shortcut to change the customized handler URL to download decrypted SAML assertions/attributes?

<Sessions checkAddress="false" cookieName="testcookie" cookieProps="; path=/;" handlerURL=""  >


-----Original Message-----
From: users <users-bounces at> On Behalf Of Peter Schober
Sent: Wednesday, October 20, 2021 6:47 PM
To: users at
Subject: Re: How to query decoded SAML response in Shibboleth SP version 3.0.1

* Kannan, Satheesh (ELS-CON) <s.kannan.1 at> [2021-10-20 15:12]:
> Is there a way we can query the decoded SAML Response in Shibboleth SP 
> version 3.0.1 to see the SAML assertions sent by the IDP for debugging 
> purpose.

For merely decoding you could do that in the browser without access to the server, using e.g. the SAML-tracer browser extension.

If the Response (or the Assertion within) is also encrypted you'd need to do that on the SP: Have a look at your shibd.logger and uncomment the category for SAML protocol messages.

That should allow you to log the decoded, decrypted Response (or Assertion).
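
The in-browser decoding suggested above can also be done offline on a saved SAMLResponse form value. The following is an added example, not part of either message and not Shibboleth code: it lists each attribute's Name, NameFormat and value count for an unencrypted assertion. The function name `summarize_saml_response` and the sample response are constructed for illustration; the code inspects the message only and does not verify signatures.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (not a captured message): one attribute with a NameFormat
# and two values, one attribute with no NameFormat and a single value.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>member@example.org</saml:AttributeValue>
        <saml:AttributeValue>staff@example.org</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="mail">
        <saml:AttributeValue>user@example.org</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def summarize_saml_response(b64_response):
    """Decode a base64 SAMLResponse (HTTP-POST binding) for inspection only."""
    xml_bytes = base64.b64decode(b64_response)
    # SAML messages never carry a DTD; refuse one rather than hand it to the parser.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD found in SAML message; refusing to parse")
    root = ET.fromstring(xml_bytes)
    summary = {
        # An EncryptedAssertion can only be read on the SP, which holds the key.
        "encrypted": root.find(".//saml:EncryptedAssertion", NS) is not None,
        "attributes": [],
    }
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        summary["attributes"].append({
            "name": attr.get("Name"),
            "name_format": attr.get("NameFormat"),  # None: the IdP omitted it
            "values": values,
        })
    return summary


if __name__ == "__main__":
    for a in summarize_saml_response(SAMPLE_B64)["attributes"]:
        print(a["name"], a["name_format"], len(a["values"]), a["values"])
```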
