drop saml response xml · parse assertions + attributes + signing · detect replay + audience mismatch · runs locally
parses assertion attributes · nameid · audience · notonorafter · inresponseto · signature keyinfo refs · flags audience mismatch · expired assertion · replay hints · unsigned assertion
signature validity heuristic only — no online cert revocation check · heuristic screener · not definitive proof
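Added example, not the tool's own code: a minimal offline Python screener that applies the checks listed above (Audience, NotOnOrAfter, InResponseTo, repeated Assertion ID as a replay hint, presence of a ds:Signature) to a constructed SAML Response. The `screen_saml_response` function, the sample XML and its identifiers are assumptions for illustration; as on the page, signature handling is a presence heuristic, not a validity check.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _ts(value):
    """Parse a SAML UTC timestamp such as 2020-01-01T00:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def screen_saml_response(xml_text, expected_audience, expected_request_id,
                         seen_assertion_ids, now_iso=None):
    """Return a list of finding tags; an empty list means nothing was flagged.
    Signature check is presence-only: the XML signature is NOT verified here."""
    now = _ts(now_iso) if now_iso else datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no-assertion"]
    findings = []
    # unsigned: neither the Response nor the Assertion carries a ds:Signature
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        findings.append("unsigned-assertion")
    aud = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if aud != expected_audience:
        findings.append(f"audience-mismatch:{aud}")
    cond = assertion.find("saml:Conditions", NS)
    not_on_or_after = cond.get("NotOnOrAfter") if cond is not None else None
    if not_on_or_after and _ts(not_on_or_after) <= now:
        findings.append("expired-assertion")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    in_response_to = scd.get("InResponseTo") if scd is not None else None
    if in_response_to != expected_request_id:
        findings.append(f"inresponseto-mismatch:{in_response_to}")
    # replay hint: the same Assertion ID presented more than once to this SP
    assertion_id = assertion.get("ID")
    if assertion_id in seen_assertion_ids:
        findings.append("replay:assertion-id-seen")
    seen_assertion_ids.add(assertion_id)
    return findings

# constructed, unsigned sample response (hypothetical IDs and hostnames)
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" InResponseTo="_req1">
 <saml:Assertion ID="_a1"><saml:Subject><saml:NameID>alice@example.test</saml:NameID>
  <saml:SubjectConfirmation><saml:SubjectConfirmationData InResponseTo="_req1"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotOnOrAfter="2020-01-01T00:00:00Z"><saml:AudienceRestriction>
   <saml:Audience>https://sp.example.test</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>"""
```

Running `screen_saml_response(SAMPLE, "https://sp.example.test", "_req1", set(), "2019-06-01T00:00:00Z")` flags only the missing signature; presenting the same assertion a second time with the same `seen_assertion_ids` set adds the replay hint.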