Hi @Poseidon1974 - tagging my colleague @JRahm and MVP @Kai_Wilke because they are two experts in iRules and may be able to help out. Edit: and my colleague @Lucas_Thompson since you mentioned SAML.
Fun question. A SAML request is typically URL encoded in redirect-binding and not encoded at all in POST-binding. This post describes how to decode something that's URL encoded:
For POST-binding it's in the HTTP body, so you'd need to collect the content using SSL::collect.
Keep in mind that when writing security related code it's easy to accidentally introduce vulnerabilities, so try to think about the service you're implementing like a security researcher / attacker.
As an alternative, the APM module for BIG-IP already has SAML support, so you can also just use the bulit-in functions that have already been well validated for security.
