Format 

SharePoint 2013 and SharePoint 2010 display identity claims with the following encoding format:

<IdentityClaim>:0<ClaimType><ClaimValueType><AuthMode>|<OriginalIssuer (optional)>|<ClaimValue>

Components explained

<IdentityClaim>

  • <IdentityClaim> indicates the type of claim and is one of the following:
    • "i" for an identity claim
    • "c" for any other claim

<ClaimType>

  • <ClaimType> indicates the format for the claim value and is one of the following:
    • "#" for a user logon name
    • "." for an anonymous user
    • "5" for an email address
    • "!" for an identity provider
    • "+" for a Group security identifier (SID)
    • "-" for a role
    • "%" for a farm ID
    • "?" for a name identifier
    • "\" for a private personal identifier (PPID)
    • "e" for a user principal name (UPN)
    • """ for a user ID
    • "$" for a distribution list security identifier (SID)
    • "&" for a process identity security identifier (SID)
    • "'" for a process identity logon name
    • "(" for an authenticated user
    • ")" for a primary security identifier (SID)
    • "*" for a primary group security identifier (SID)
    • "0" for an authorization decision
    • "1" for a country
    • "2" for a date of birth
    • "3" for a deny only security identifier (SID)
    • "4" for DNS
    • "6" for a gender
    • "7" for a given name
    • "8" for a hash
    • "9" for a home phone
    • "<" for a locality
    • "=" for a mobile phone
    • ">" for a name
    • "@" for other phone
    • "[" for a postal code
    • "]" for RSA
    • "^" for a secure identifier (SID)
    • "_" for a service principal name (SPN)
    • "`" for a state or province
    • "a" for a street address
    • "b" for a surname
    • "c" for a system
    • "d" for a thumbprint
    • "f" for a uniform resource name (URI)
    • "g" for a web page

<ClaimValueType>

  • <ClaimValueType> indicates the type of formatting for the claim value and is one of the following:
    • "." for a string
    • "+" for an RFC 822-formatted name
    • ")" for an integer
    • """ for a Boolean
    • "#" for a date
    • "$" for a date with time
    • "&" for a double
    • "!" for a Base64 formatted binary
    • "0" for an X.500 formatted name

<AuthMode>

  • <AuthMode> indicates the type of authentication used to obtain the identity claim and is one of the following:
    • "w" for Windows claims (no original issuer)
    • "s" for the local SharePoint security token service (STS) (no original issuer)
    • "t" for a trusted issuer
    • "m" for a membership issuer
    • "r" for a role provider issuer
    • "f" for forms-based authentication
    • "c" for a claim provider

<OriginalIssuer>

  • <OriginalIssuer> indicates the original issuer of the claim.

<ClaimValue>

  • <ClaimValue> indicates the value of the claim in the <ClaimType> format.

Where used

Here are some places in SharePoint where you will see claims encoding (please add to this list):

  • In the display of user sign-in information on a SharePoint 2010 or 2013 web site (For example, on a SharePoint 2013 team site page, click your user name in the upper-left corner, and then click My Settings. The Account field uses the claims encoding.)
  • In the "Authentication Authorization" log entries in the Unified Logging Service (ULS) log files for SharePoint 2013
  • In the audit log under the User ID field

Examples

Here are some examples (please add your own based on your experience). Each example gives the type of claim, the encoded claim, and the claim encoding breakdown.

Windows User

i:0#.w|contoso\chris

  • “i” for an identity claim
  • “#” for the user logon name format for the claim value
  • “.” for a string
  • “w” for Windows claims
  • “contoso\chris” for the identity claim value (the Windows account name)

Windows Authenticated Users group

c:0!.s|windows

  • “c” for a claim other than identity
  • “!” for an identity provider
  • “.” for a string
  • “s” for the local SharePoint STS
  • “windows” for the Windows Authenticated Users group

SAML authentication (Trusted User)

i:05.t|adfs|chris@contoso.com

  • “i” for an identity claim
  • “5” for the email address format for the claim value
  • “.” for a string
  • “t” for a trusted issuer
  • “adfs” identifies the original issuer of the identity claim
  • “chris@contoso.com” for the identity claim value

Forms-based authentication

i:0#.f|mymembershipprovider|chris

  • “i” for an identity claim
  • “#” for the user logon name format for the claim value
  • “.” for a string
  • “f” for forms-based authentication
  • “mymembershipprovider” identifies the original issuer of the identity claim
  • “chris” for the user logon name
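
The format above can be split mechanically, which is useful when reading User ID values from the audit log or ULS entries and checking which authentication mode and original issuer stand behind an account name. The following is an added example, not code from the original page or from SharePoint: `decode_claim`, `Claim` and the lookup tables are hypothetical names, the tables cover only a subset of the characters listed above, and the rule for splitting off the original issuer is an assumption based on the examples on this page.

```python
import re
from typing import NamedTuple, Optional

# Subset of the tables above; characters not listed here decode as "unknown".
CLAIM_TYPES = {"#": "user logon name", "5": "email address", "!": "identity provider",
               "+": "group SID", "-": "role", "e": "UPN", "?": "name identifier"}
VALUE_TYPES = {".": "string", "+": "RFC 822-formatted name", ")": "integer"}
AUTH_MODES = {"w": "Windows claims", "s": "local SharePoint STS", "t": "trusted issuer",
              "m": "membership issuer", "r": "role provider issuer",
              "f": "forms-based authentication", "c": "claim provider"}
NO_ISSUER = {"w", "s"}  # listed above as "(no original issuer)"

# <IdentityClaim>:0<ClaimType><ClaimValueType><AuthMode>|<rest>
PREFIX = re.compile(r"^([ic]):0(.)(.)([wstmrfc])\|(.+)$", re.DOTALL)

class Claim(NamedTuple):
    is_identity: bool
    claim_type: str
    value_type: str
    auth_mode: str
    issuer: Optional[str]
    value: str

def decode_claim(encoded: str) -> Claim:
    """Split an encoded claim (e.g. an audit log User ID) into its components."""
    m = PREFIX.match(encoded.strip())
    if not m:
        raise ValueError(f"not a claims-encoded string: {encoded!r}")
    kind, ctype, vtype, mode, rest = m.groups()
    issuer = None
    # Assumption: for modes with an issuer, it is the text before the next "|".
    if mode not in NO_ISSUER and "|" in rest:
        issuer, rest = rest.split("|", 1)
    return Claim(kind == "i", CLAIM_TYPES.get(ctype, f"unknown ({ctype})"),
                 VALUE_TYPES.get(vtype, f"unknown ({vtype})"),
                 AUTH_MODES[mode], issuer, rest)

# The four encoded claims from the Examples section.
SAMPLES = [r"i:0#.w|contoso\chris", "c:0!.s|windows",
           "i:05.t|adfs|chris@contoso.com", "i:0#.f|mymembershipprovider|chris"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", decode_claim(s))
```

Comparing the decoded `auth_mode` and `issuer` fields, rather than only the trailing value, keeps `contoso\chris` signed in through Windows claims apart from a `chris` issued by a forms-based membership provider.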