SAML Assertion Plain HTML
<!--
  Auto-submitting form that carries the SAML response through the user's browser
  to the endpoint named in the form's action (a .../SAML2/POST URL).
  Both hidden fields travel through the browser, so the receiving endpoint has to
  treat them as untrusted input until the signature inside SAMLResponse has been
  verified.
-->
<html
    xml:lang="en">
  <!-- onload submits the first form without user interaction. This depends on
       JavaScript being enabled; the page as shown contains no manual submit
       button as a fallback. -->
  <body
      onload="document.forms[0].submit()">
    <!-- The action URL is the same value that appears as destination/recipient in
         the decoded response listed further down this page; a receiver is expected
         to compare them. -->
    <form
        action="https://aai-demo.switch.ch/Shibboleth.sso/SAML2/POST"
        method="post">
      <div>
        <!-- RelayState is handed back to the receiver as-is. It sits outside the
             signed XML, so it is not protected by the response signature.
             NOTE(review): the value looks like an opaque handle to state kept by
             the receiver; confirm against the receiver's configuration. -->
        <input
            type="hidden"
            name="RelayState"
            value="ss:mem:23e3a3b1268acd89dc226bb1ce0d0c6ba7ecf773"/>
        <!-- SAMLResponse is the Base64 encoding of the XML response (decoded form is
             listed below on this page). The "..." line marks where the value was
             shortened for this listing, so the value shown here does not decode to
             a complete document. -->
        <input
            type="hidden"
            name="SAMLResponse"
            value="
              PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHNhbWxwO8
              ...
              vbj0iW1scDVlc+PC9zYW1scRGLsTgiPz4KPlc3U+"/>
      </div>
    </form>
  </body>
</html>
SAML response encrypted (Base64 decoded)
<!--
  Decoded SAMLResponse: a signed Response with status Success that carries one
  encrypted assertion.
  NOTE(review): element and attribute names are shown in lower case here, probably
  an artefact of how the page was rendered. The SAML, XML Signature and XML
  Encryption schemas define them in mixed case (samlp:Response, Destination, ID,
  ds:Signature, ...) and XML is case-sensitive. Together with the "..." truncation
  of the Base64 values, this makes the listing illustrative only; it cannot be
  signature-checked as printed.
  Receiver-side checks suggested by the attributes below: destination equals the
  URL the message was posted to, inresponseto matches a request the receiver
  actually sent, and issueinstant is recent.
-->
<samlp:response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    destination="https://aai-demo.switch.ch/Shibboleth.sso/SAML2/POST"
    id="_f3323e32c6cf83b1996fbf703beebe61"
    inresponseto="_f2f27516ec08af29501c749629b119d3"
    issueinstant="2008-02-27T12:20:19.256Z"
    version="2.0">
  <!-- entityID of the identity provider that issued the response. -->
  <saml:issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
    https://aai-demo-idp.switch.ch/idp/shibboleth
  </saml:issuer>
  <!-- Enveloped XML signature. Its single reference (uri below) names the id of the
       enclosing response, so the signature covers the whole response element,
       including the encrypted assertion as ciphertext. -->
  <ds:signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:signedinfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <!-- Exclusive canonicalization is applied to signedinfo before signing. -->
      <ds:canonicalizationmethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
          algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <!-- RSA with SHA-1. SHA-1 is no longer considered adequate for signatures;
           this example dates from 2008. Current deployments are expected to use
           rsa-sha256 (http://www.w3.org/2001/04/xmldsig-more#rsa-sha256) or
           stronger and to reject SHA-1 where policy allows. -->
      <ds:signaturemethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
          algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <!-- The uri equals the id attribute of the response above. A verifier should
           confirm that the element it goes on to process is exactly the element
           this reference resolves to; checking only "a valid signature exists
           somewhere in the document" leaves room for signature wrapping. -->
      <ds:reference xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
          uri="#_f3323e32c6cf83b1996fbf703beebe61">
        <ds:transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <!-- Removes the signature element itself from the data being digested. -->
          <ds:transform xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
              algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <!-- Exclusive canonicalization, with the listed prefixes treated
               inclusively. -->
          <ds:transform xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
              algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:inclusivenamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                prefixlist="
                  ds
                  saml
                  samlp
                  xenc"/>
          </ds:transform>
        </ds:transforms>
        <!-- SHA-1 digest; the same deprecation remark as for the signature method
             applies. -->
        <ds:digestmethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
            algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:digestvalue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          W/4ffn8dtDoWa0ZVk0RY9VsYHn8=
          <!-- Digest of the referenced element (the response) after the transforms
               above. It is not a hash of the signature value; the signature value
               is computed over signedinfo, which contains this digest. -->
        </ds:digestvalue>
      </ds:reference>
    </ds:signedinfo>
    <ds:signaturevalue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      YiLWdmVJUL9OYxFdEcI+MUlu1WixOXeR6HDNxTBEgplmQ0bnKD8/YAmtjzM1BPceLvFjb7/FnGXW
      ...
      <!-- The signature value (Base64, shortened with "..." in this listing) -->
      zSSKvGzMHsu2jAvua7QulhpIP88VI9D2B7ZvKg==
    </ds:signaturevalue>
    <!-- Certificate shipped inside the message. It arrives through the browser with
         the rest of the response, so it is only a hint: the receiver should verify
         the signature with the key it already trusts for this issuer (for example
         from federation metadata), not with whatever certificate is embedded here. -->
    <ds:keyinfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:x509data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:x509certificate xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          MIIETDCCAzSgAwIBAgICAKQwDQYJKoZIhvcNAQEFBQAwdTELMAkGA1UEBhMCQ0gxDzANBgNVBAcT
          ...
          <!-- The certificate whose key signed the message (shortened in this listing) -->
          8fIN2ZZr14dNQSohA1C18D47+9m2
        </ds:x509certificate>
      </ds:x509data>
    </ds:keyinfo>
  </ds:signature>
  <!-- Top-level status of the response; Success means the request was processed and
       an assertion follows. -->
  <samlp:status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <samlp:statuscode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:status>
  <!-- The assertion, encrypted for the recipient: a symmetric key encrypts the
       assertion, and that key is itself encrypted to the recipient's certificate. -->
  <saml:encryptedassertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <xenc:encrypteddata xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
        id="_12bc564f5615db1caa1ed9cec18644fc"
        type="http://www.w3.org/2001/04/xmlenc#Element">
      <!-- AES-128 in CBC mode. CBC provides confidentiality only, with no integrity
           check of its own, and XML Encryption with CBC has known
           chosen-ciphertext weaknesses. Where both sides support it, an
           authenticated mode from XML Encryption 1.1 such as
           http://www.w3.org/2009/xmlenc11#aes128-gcm is preferable, and the
           receiver should decrypt only after the response signature has been
           verified. -->
      <xenc:encryptionmethod xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
          algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <ds:keyinfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <xenc:encryptedkey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
            id="_01573d8cf066e3294c9701be13f5278c">
          <!-- Key transport: RSA-OAEP (MGF1) with SHA-1 as the OAEP digest. -->
          <xenc:encryptionmethod xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
              algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
            <ds:digestmethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          </xenc:encryptionmethod>
          <ds:keyinfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:x509data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
              <ds:x509certificate xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                MIIEwzCCA6ugAwIBAgILAQAAAAABGB3PGicwDQYJKoZIhvcNAQEFBQAwXzELMAkGA1UEBhMCQkUx
                ...
                <!-- The recipient's certificate; the symmetric key below is encrypted to its public key -->
                TlHWg9fT28Ryoi5ix8+VIVE5wsRlGRWMca0=
              </ds:x509certificate>
            </ds:x509data>
          </ds:keyinfo>
          <xenc:cipherdata xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
            <xenc:ciphervalue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
              nyjhj8mP5bf79fUj0Pd9oDkHdaOe4Zz0XHoPfUxTCaVaXhbOlPJIy6E/leWN40fFdzR1OmeFhRec
              ...
              <!-- The encrypted symmetric key; the holder of the matching private key recovers it and uses it to decrypt the assertion -->
              2J7T4BHptXGsrxGRcNxPdHaJAN4SB+S3ZXhdWA==
            </xenc:ciphervalue>
          </xenc:cipherdata>
        </xenc:encryptedkey>
      </ds:keyinfo>
      <xenc:cipherdata xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <xenc:ciphervalue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
          UHtcpb7a9KZpFst9CoPSAMWO9dLeJTUpQzgLtKXra3iGe2LURnjq+LC1Mh4nByRpyEe2RgqyOJz1
          ...
          <!-- The encrypted assertion (ciphertext, shortened in this listing) -->
          ew==
        </xenc:ciphervalue>
      </xenc:cipherdata>
    </xenc:encrypteddata>
  </saml:encryptedassertion>
</samlp:response>
SAML response decrypted (Base64 decoded)
<!--
  The assertion obtained by decrypting the encryptedassertion element of the
  response listed above on this page.
  As printed, this assertion carries no ds:signature of its own, so its integrity
  rests on the signature over the enclosing response; a receiver that accepts
  assertions should make sure one of the two is signed and verified.
  NOTE(review): names are shown in lower case (the schema uses mixed case, for
  example saml:Assertion, NotOnOrAfter), and the xsi and xs prefixes used in
  xsi:type are not declared in this fragment; treat the listing as illustrative.
-->
<saml:assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    id="_7a7344b64600d4405da04fcb9e27f5f1"
    issueinstant="2008-02-27T12:20:19.256Z"
    version="2.0">
  <!-- Same issuer entityID as on the enclosing response. -->
  <saml:issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
    https://aai-demo-idp.switch.ch/idp/shibboleth
  </saml:issuer>
  <saml:subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <!-- Transient name identifier: an opaque value that does not by itself reveal
         who the user is. -->
    <saml:nameid xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">
      _e7b68a04488f715cda642fbdd90099f5
    </saml:nameid>
    <!-- Bearer confirmation: whoever presents the assertion is accepted as the
         subject. That makes the attributes on subjectconfirmationdata the main
         protection against replay and misdirection. The receiver should check that
         recipient is its own endpoint URL, that inresponseto matches a request it
         issued, that the current time is before notonorafter (five minutes after
         issueinstant here), and it should remember the assertion id until that
         time so a second presentation is rejected. address is the client address
         recorded by the issuer; it is the same value as in subjectlocality below. -->
    <saml:subjectconfirmation xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:subjectconfirmationdata xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
          address="130.59.4.134"
          inresponseto="_f2f27516ec08af29501c749629b119d3"
          notonorafter="2008-02-27T12:25:19.256Z"
          recipient="https://aai-demo.switch.ch/Shibboleth.sso/SAML2/POST"/>
    </saml:subjectconfirmation>
  </saml:subject>
  <!-- Validity window of the assertion (five minutes, starting at issueinstant) and
       the audience it is meant for. A receiver should reject the assertion when
       its own entityID is not among the audience values or when the current time,
       allowing for a small clock skew, falls outside the window. -->
  <saml:conditions xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      notbefore="2008-02-27T12:20:19.256Z"
      notonorafter="2008-02-27T12:25:19.256Z">
    <saml:audiencerestriction xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml:audience xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        https://aai-demo.switch.ch/shibboleth
      </saml:audience>
    </saml:audiencerestriction>
  </saml:conditions>
  <!-- When and how the user authenticated at the issuer. authninstant is about 13
       seconds before issueinstant; sessionnotonorafter is 30 minutes after
       authninstant and bounds how long a session based on this statement may last.
       sessionindex identifies the session at the issuer. -->
  <saml:authnstatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      authninstant="2008-02-27T12:20:06.991Z"
      sessionindex="4m2ETlKYtvbNEmBzVNo3UHLuKSdo3HqTUqAmeZiar94="
      sessionnotonorafter="2008-02-27T12:50:06.991Z">
    <saml:subjectlocality xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        address="130.59.4.134"/>
    <!-- Authentication context class: password sent over a protected transport. -->
    <saml:authncontext xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml:authncontextdeclref xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
      </saml:authncontextdeclref>
    </saml:authncontext>
  </saml:authnstatement>
  <!-- User attributes released to the receiver, named by OID URI with a friendly
       name alongside. Applications consuming these values should still treat them
       as external strings (validate and escape before use). -->
  <saml:attributestatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        friendlyname="givenName"
        name="urn:oid:2.5.4.42"
        nameformat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:attributevalue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
          xsi:type="xs:string">
        Demouser
      </saml:attributevalue>
    </saml:attribute>
    <!-- More attributes here (omitted from this listing) -->
    <saml:attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        friendlyname="surname"
        name="urn:oid:2.5.4.4"
        nameformat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:attributevalue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
          xsi:type="xs:string">
        SWITCHaai
      </saml:attributevalue>
    </saml:attribute>
  </saml:attributestatement>
</saml:assertion>