SAML tokens, if they are encrypted, are encrypted against the X509 certificate of the relaying party, either the public HTTPS certificate, or an agreed upon certificate between the STS and RP. In which case, you'll need the private key for that certificate to decrypt.
But if you are working in a Dev environment without encryption, you can use view the traffic within Chrome, and then copy it paste the SAMLRequest and SAMLResponse into:
The algorithm (to be verified) to decode the query strings encoded as follows: