SharePoint 2013: Claims Encoding - Also Valuable for SharePoint 2010

SharePoint 2013: Claims Encoding - Also Valuable for SharePoint 2010

SharePoint 2013 and SharePoint 2010 display identity claims with the following encoding format:

<IdentityClaim>:0<ClaimType><ClaimValueType><AuthMode>|<OriginalIssuer (optional)>|<ClaimValue>

Where:

  • <IdentityClaim> indicates the type of claim and is the following:
    • i” for an identity claim
    • c” for any other claim
  • <ClaimType> indicates the format for the claim value and is the following:
    • #” for a user logon name
    • .” for  an anonymous user
    • 5” for an email address
    • !” for an identity provider
    • +” for a Group security identifier (SID)
    • -“ for a role
    • %” for a farm ID
    • ?” for a name identifier
    • "\" for a private personal identifier (PPID)
  • <ClaimValueType> indicates the type of formatting for the claim value and is the following:
    • .” for a string
    • +” for an RFC 822-formatted name
  • <AuthMode> indicates the type of authentication used to obtain the identity claim and is the following:
    • w” for Windows claims (no original issuer)
    • s” for the local SharePoint security token service (STS) (no original issuer)
    • t” for a trusted issuer
    • m” for a membership issuer
    • r” for a role provider issuer
    • f” for forms-based authentication
    • c” for a claim provider
  • <OriginalIssuer> indicates the original issuer of the claim.
  • <ClaimValueType> indicates the value of the claim in the <ClaimType> format.

Here are some places in SharePoint where you will see claims encoding (please add to this list):

  • In the display of user sign-in information on a SharePoint 2010 or 2013 web site (For example, on a SharePoint 2013 team site page, click your user name in the upper-left corner, and then click My Settings. The Account field uses the claims encoding.)
  • In the "Authentication Authorization" log entries in the Unified Logging Service (ULS) log files for SharePoint 2013

 Here are some examples (please add your own based on your experience):

Type of claim

Encoded claim

Claim encoding breakdown

Windows User

i:0#.w|contoso\chris

  • “i” for an identity claim
  • “#” for the user logon name  format for the claim value
  • “.” for a string
  • “w” for Windows claims
  • “contoso\chris” for the identity claim value (the Windows account name)

Windows Authenticated Users group

c:0!.s|windows

  • “c” for a claim other than identity
  • “!” for an identity provider
  • “.” for a string
  • “s” for the local SharePoint STS
  • “windows” for the Windows Authenticated Users group

SAML authentication (Trusted User)

i:05.t|adfs|chris@contoso.com

  • “i” for an identity claim
  • “5” for the email address format for the claim value
  • “.” for a string
  • “t” for a trusted issuer
  • “adfs” identifies the original issuer of the identity claim
  • “chris@contoso.com” for the identity claim value

Forms-based authentication

i:0#.f|mymembershipprovider|chris

  • “i” for an identity claim
  • “#”for the user logon name  format for the claim value
  • “.” for string
  • “f” for forms-based authentication
  • “mymembershipprovider” identifies the original issuer of the identity claim
  • “chris” for the user logon name
Sort by: Published Date | Most Recent | Most Useful
Comments
  • Great article ! It has to be featured on the TechNet Wiki home Page

  • valued info

  • valued info

  • I recently ran into an encoded claim of the form "c:0(.s|true". Do you know what <ClaimType> corresponds to '(' ?

  • Where did this format come from?

  • Rasteroid, I believe that refers to the 'Everyone' group.

  • Rasteroid, "c:0(.s|true" represents Everyone group.

  • Thank you for the info.

    After having spendt the last two nights with a rather special Claims provider I can tell that you have a small error in the ClaimType.

    The character for the name identifier is NOT “?” , it is the unicode character 501 "ǵ" that is shown as a "?" in Powershell and probably also on the site (dependent on your encoding).

    You can verify if you try to get a user by his claims login name from a site collection.It will fail with a plain "?" unless the text is something you copied from somewhere in the clipboard, than you've likely copied the real unicode character ;-)

  • Good explanation! Thanks!

Page 1 of 1 (9 items)