Decoding FedAuth Token

I created a windows forms application sample that can assist with decoding to FedAuth tokens captured from tools like Fiddler, source is included. It is downloadable from this link.

The sample and example below will work for all WS-Federated responses as long as it does not contain reference tokens.

Extract the federated response

Start of by using your web browser and recording the sign – in request and responses using Fiddler.

The response you need to look for is the first response from the Identity Provider (STS) to your application. Once the RP has received the response it will turn the response into FedAuth cookies. The name of the cookies can be different so its best to look for something with similar content.

If a ChunkedCookieHandler is used the token will be broken up into multiple FedAuth cookies. The cookies will look like it is encrypted but in fact they are all simply Base64 encoded.

Copy the contents of each of the FedAuth cookies and paste them in order in notepad with no spaces or carriage return between them.

Ensure you have the certificate

Make sure your user under which the application runs has access to the private key of the certificate. You can check this via MMC.

The certificate you use can be identified by the Identity provider metadata file. The Identity provider has an url to the metadata that usually looks something like this.” The xml will have a element for signature. Inside that element you will find a element called KeyInfo, this will contain a base64 certificate.

STS metadata

Copy the cert value out to notepad. Save the file to disk, rename its extension to *.cer and Import the file

Decode the fedauth token

If you have retrieved the FedAuth token and made sure the certificate is the correct one then paste the Base64 string into the application I provided. Select the correct certificate and click decode.

It then prints out the Identity and claims that are provided within the SessionToken.

No Token found or unable to decode

If the application is unable to decode the token and gives the following error.

ID4243:Could not create a SecurityToken

Then copy the FedAuth base64 string from your notepad to If you decode the token and it contains an Identifier as in the xml below then the claims are stored on the server and not within the token.

This is a reference token. The token in this case only has a identifier to the token stored in the server side cache. Nothing can be done to get around this unless you know the http url to the token cache or have access.

Below is the key snippet of code that does the decoding of the token.

private SessionSecurityToken decodeToken(string decodedFedAuthCookieXml)
SessionAuthenticationModule m = new SessionAuthenticationModule();
m.FederationConfiguration = new System.IdentityModel.Services.Configuration.FederationConfiguration(false);
m.FederationConfiguration.ServiceCertificate = GetCertificate(cmbCertificates.SelectedItem.ToString());
m.FederationConfiguration.CookieHandler = new ChunkedCookieHandler();

// Specifies the certificate use to decrypt the federation token.
var sessionTransforms = new List(new CookieTransform[]
new DeflateCookieTransform(),
new RsaEncryptionCookieTransform(m.FederationConfiguration.ServiceCertificate),
new RsaSignatureCookieTransform(m.FederationConfiguration.ServiceCertificate)
var sessionHandler = new SessionSecurityTokenHandler(sessionTransforms.AsReadOnly());
byte[] cookieBytes = Encoding.UTF8.GetBytes(decodedFedAuthCookieXml);
SessionSecurityToken token = m.ReadSessionTokenFromCookie(cookieBytes);

return token;

If the solution above does not help

Please tell me by posting in the comments and try one of the following so long.

  • Update 2017/10/09 – Fixed a bug in the example. The application was trying to use DPAPI instead of RSA.
  • Update 2017/11/16 – Fixed the broken link in the article.
  • Update 2018/03/24 – There have been reports of people unable to decode their tokens. – I added some error handling to prevent crashes. Also adjusted the manifest file of the application to run at a the highest allowed execute level. The user must have manage rights to the private key of the certificate.


Leave a Reply

3 Comment threads
5 Thread replies
Most reacted comment
Hottest comment thread
6 Comment authors
Benjamin D GoldmanWayne Clifford BarkerEugeneØystein Grande JarenTonyM Recent comment authors

This site uses Akismet to reduce spam. Learn how your comment data is processed.

newest oldest most voted
Notify of

Your link to the source is broken. Thank you so much for this! Saved me a lot of time.


Hi Wayne,

Unfortunately your link is still broken. Could you fix it please? That tool would be very useful to us.
Also, how do you know which certificate to use to decode the token?
Where can we find it?

thank you in advance.

Benjamin D Goldman
Benjamin D Goldman

so this is great information and the project you posted does not work.