diff --git a/sso.go b/sso.go
index 13e600143bd5cb56dcfa45a1c3c0e6592c75ab26..37c5832ed917999f8c86beabdae303c5841cfca6 100644
--- a/sso.go
+++ b/sso.go
@@ -270,3 +270,21 @@ func (v *ssoValidator) Validate(encoded, nonce, service string, allowedGroups []
 
 	return t, nil
 }
+
+// InspectTicket reads a ticket without validating it (beyond syntax),
+// returning user and service. The results are untrusted.
+func InspectTicket(encoded string) (string, string, error) {
+	decoded, err := base64.RawURLEncoding.DecodeString(encoded)
+	if err != nil {
+		return "", "", err
+	}
+	if len(decoded) < signatureLen {
+		return "", "", ErrMessageTooShort
+	}
+	serialized := decoded[signatureLen:]
+	t, err := deserializeTicket(string(serialized))
+	if err != nil {
+		return "", "", err
+	}
+	return t.User, t.Service, nil
+}