Thursday 15 January 2015

SharePoint 2013: Claims Encoding

SharePoint 2013 displays identity claims in the following encoded format:
  • <IdentityClaim>:0<ClaimType><ClaimValueType><AuthMode>|<OriginalIssuer (optional)>|<ClaimValue>
  • For example: i:0#.w|<Domain Name>\<userid>
Where:
  • <IdentityClaim> indicates the type of claim and is the following:
    • “i” for an identity claim
    • “c” for any other claim
  • <ClaimType> indicates the format for the claim value and is the following:
    • “#” for a user logon name
    • “.” for an anonymous user
    • “5” for an email address
    • “!” for an identity provider
    • “+” for a Group security identifier (SID)
    • “-” for a role
    • “%” for a farm ID
    • “?” for a name identifier
    • “\” for a private personal identifier (PPID)
    • “e” for a user principal name (UPN)
  • <ClaimValueType> indicates the type of formatting for the claim value and is the following:
    • “.” for a string
    • “+” for an RFC 822-formatted name
  • <AuthMode> indicates the type of authentication used to obtain the identity claim and is the following:
    • “w” for Windows claims (no original issuer)
    • “s” for the local SharePoint security token service (STS) (no original issuer)
    • “t” for a trusted issuer
    • “m” for a membership issuer
    • “r” for a role provider issuer
    • “f” for forms-based authentication
    • “c” for a claim provider
  • <OriginalIssuer> indicates the original issuer of the claim.
  • <ClaimValue> is the value of the claim, written in the format given by <ClaimType>.
The image below shows how claims are encoded in SharePoint 2013.


Here are some examples:

Type of claim: Windows User
Encoded claim: i:0#.w|<Domain name>\<UserID>
Claim encoding breakdown:
  • “i” for an identity claim
  • “#” for the user logon name format for the claim value
  • “.” for a string
  • “w” for Windows claims
  • “<Domain name>\<UserID>” for the identity claim value (the Windows account name)

Type of claim: Windows Authenticated Users group
Encoded claim: c:0!.s|windows
Claim encoding breakdown:
  • “c” for a claim other than identity
  • “!” for an identity provider
  • “.” for a string
  • “s” for the local SharePoint STS
  • “windows” for the Windows Authenticated Users group

Type of claim: SAML authentication (Trusted User)
Encoded claim: i:05.t|adfs|userID@domain.com
Claim encoding breakdown:
  • “i” for an identity claim
  • “5” for the email address format for the claim value
  • “.” for a string
  • “t” for a trusted issuer
  • “adfs” identifies the original issuer of the identity claim
  • “userID@domain.com” for the identity claim value

Type of claim: Forms-based authentication
Encoded claim: i:0#.f|mymembershipprovider|userid
Claim encoding breakdown:
  • “i” for an identity claim
  • “#” for the user logon name format for the claim value
  • “.” for a string
  • “f” for forms-based authentication
  • “mymembershipprovider” identifies the original issuer of the identity claim
  • “userid” for the user logon name


This change means that your userid would look something like this:
i:0#.w|<Domain Name>\<userid>

Instead of this:
<Domain Name>\<userid>

Sometimes, when calling other services, you need the Windows user ID rather than the claims-encoded one. For those cases, I’ve created a few helper methods.

using System.Text.RegularExpressions;

public static class ClaimHelper
{
    // Matches the encoded form described above. The ClaimType class includes “e” (UPN),
    // which the claim type list above documents.
    public const string CLAIMS_REGEX = @"(?<IdentityClaim>[ic])?:?0(?<ClaimType>[#\.5\!\+\-%?\\e])(?<ClaimValueType>[\.\+])(?<AuthMode>[wstmrfc])(\|(?<OriginalIssuer>[^\|]*))?(\|(?<ClaimValue>.*))";

    // Returns the Windows account name (DOMAIN\user) for a Windows claim; any other
    // input is returned unchanged.
    public static string GetAdUserIdForClaim(string login)
    {
        string userName = login;
        foreach (Match m in Regex.Matches(login, CLAIMS_REGEX, RegexOptions.IgnoreCase))
        {
            // Only unwrap Windows claims (“w”). Change the letter to match the
            // authentication mode you need (one of w, s, t, m, r, f, c).
            if (m.Groups["AuthMode"].Success && m.Groups["AuthMode"].Value.ToLower() == "w")
            {
                userName = m.Groups["ClaimValue"].Value;
            }
        }
        return userName;
    }
}
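As an added example (my own code, not part of the original post), the C# below serves both the format description above and the helper just shown: it decodes an encoded claim into its named parts using the token tables from the format description, and adds a stricter variant of the helper that returns a Windows account only for an identity claim whose AuthMode is “w” and whose claim type is a logon name, and null for everything else, because a forms-based or trusted-issuer value that merely looks like DOMAIN\user must not be passed on to Active Directory. The sample inputs are the four encoded claims from the examples above, with CONTOSO\alice standing in for <Domain name>\<UserID>, plus one plain Windows login; the class and method names (EncodedClaim, TryParse, TryGetWindowsAccount) are my own and are not SharePoint APIs.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

// Added example, not code from the original post: a structured decoder for the
// SharePoint 2013 claim encoding plus a strict Windows-account extractor.
public sealed class EncodedClaim
{
    public bool IsIdentityClaim { get; private set; }
    public char ClaimTypeCode { get; private set; }
    public char ClaimValueTypeCode { get; private set; }
    public char AuthModeCode { get; private set; }
    public string OriginalIssuer { get; private set; }   // null when the claim has no issuer segment
    public string ClaimValue { get; private set; }

    // Single-character tokens and their meanings, as listed in the format description above.
    private static readonly Dictionary<char, string> ClaimTypes = new Dictionary<char, string>
    {
        { '#', "user logon name" }, { '.', "anonymous user" }, { '5', "email address" },
        { '!', "identity provider" }, { '+', "group SID" }, { '-', "role" },
        { '%', "farm ID" }, { '?', "name identifier" }, { '\\', "PPID" }, { 'e', "UPN" }
    };
    private static readonly Dictionary<char, string> ValueTypes = new Dictionary<char, string>
    {
        { '.', "string" }, { '+', "RFC 822 name" }
    };
    private static readonly Dictionary<char, string> AuthModes = new Dictionary<char, string>
    {
        { 'w', "Windows" }, { 's', "local SharePoint STS" }, { 't', "trusted issuer" },
        { 'm', "membership issuer" }, { 'r', "role provider" },
        { 'f', "forms-based authentication" }, { 'c', "claim provider" }
    };

    // Anchored with ^ and $ so a login with extra text before or after the claim is
    // rejected outright instead of being matched part-way through.
    private static readonly Regex Pattern = new Regex(
        @"^(?<id>[ic]):0(?<type>[#\.5!\+\-%\?\\e])(?<vtype>[\.\+])(?<auth>[wstmrfc])(\|(?<issuer>[^|]*))?\|(?<value>.*)$",
        RegexOptions.IgnoreCase);

    public static bool TryParse(string encoded, out EncodedClaim claim)
    {
        claim = null;
        if (string.IsNullOrEmpty(encoded)) return false;
        Match m = Pattern.Match(encoded);
        if (!m.Success) return false;
        claim = new EncodedClaim
        {
            IsIdentityClaim = char.ToLowerInvariant(m.Groups["id"].Value[0]) == 'i',
            ClaimTypeCode = char.ToLowerInvariant(m.Groups["type"].Value[0]),
            ClaimValueTypeCode = m.Groups["vtype"].Value[0],
            AuthModeCode = char.ToLowerInvariant(m.Groups["auth"].Value[0]),
            OriginalIssuer = m.Groups["issuer"].Success ? m.Groups["issuer"].Value : null,
            ClaimValue = m.Groups["value"].Value
        };
        return true;
    }

    // Returns DOMAIN\user only for an identity claim from Windows authentication with a
    // logon-name claim type. Every other claim yields null: a forms-based or trusted-issuer
    // value is opaque to Active Directory even when it resembles an account name.
    public static string TryGetWindowsAccount(string encoded)
    {
        EncodedClaim c;
        if (!TryParse(encoded, out c)) return null;
        if (!c.IsIdentityClaim || c.AuthModeCode != 'w' || c.ClaimTypeCode != '#') return null;
        return c.ClaimValue;
    }

    private static string Describe(Dictionary<char, string> table, char code)
    {
        string name;
        return table.TryGetValue(code, out name) ? name : "unknown";
    }

    public override string ToString()
    {
        return string.Format("{0} claim; type={1}; value type={2}; auth={3}; issuer={4}; value={5}",
            IsIdentityClaim ? "identity" : "non-identity",
            Describe(ClaimTypes, ClaimTypeCode), Describe(ValueTypes, ClaimValueTypeCode),
            Describe(AuthModes, AuthModeCode), OriginalIssuer ?? "(none)", ClaimValue);
    }

    public static void Main()
    {
        // Constructed inputs: the four examples from the post (CONTOSO\alice stands in for
        // <Domain name>\<UserID>) plus a plain Windows login that is not claims-encoded.
        string[] samples =
        {
            @"i:0#.w|CONTOSO\alice",
            "c:0!.s|windows",
            "i:05.t|adfs|userID@domain.com",
            "i:0#.f|mymembershipprovider|userid",
            @"CONTOSO\alice"
        };
        foreach (string s in samples)
        {
            EncodedClaim c;
            Console.WriteLine(TryParse(s, out c) ? c.ToString() : "not an encoded claim: " + s);
            Console.WriteLine("  Windows account: " + (TryGetWindowsAccount(s) ?? "(none)"));
        }
    }
}
```

Of the five inputs, only the first yields a Windows account; the forms-based “userid” and the ADFS email address are reported as decoded claims but come back null from TryGetWindowsAccount, and the plain CONTOSO\alice login is rejected by TryParse because it is not claims-encoded. Code that runs inside the SharePoint process can instead call SPClaimProviderManager.Local.DecodeClaim, which returns an SPClaim with the same parts; the regex approach is for code that runs outside SharePoint and only sees the encoded string.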

About Author:
Sameer Kothari works in Systems Plus and actively contributes to technology. To read more interesting articles from him, please follow:  http://samk2010.blogspot.in/
