Fun question. A SAML request is typically URL encoded in redirect-binding and not encoded at all in POST-binding. This post describes how to decode something that's URL encoded:
For POST-binding it's in the HTTP body, so you'd need to collect the content using SSL::collect.
Keep in mind that when writing security related code it's easy to accidentally introduce vulnerabilities, so try to think about the service you're implementing like a security researcher / attacker.
As an alternative, the APM module for BIG-IP already has SAML support, so you can also just use the bulit-in functions that have already been well validated for security.