SharePoint 2013 and SharePoint 2010 display identity claims with the following encoding format:

<IdentityClaim>:0<ClaimType><ClaimValueType><AuthMode>|<OriginalIssuer (optional)>|<ClaimValue>

Where:

  • <IdentityClaim> indicates the type of claim and is the following:
    • “i” for an identity claim
    • “c” for any other claim
  • <ClaimType> indicates the format for the claim value and is the following:
    • “#” for a user logon name
    • “.” for an anonymous user
    • “5” for an email address
    • “!” for an identity provider
    • “+” for a Group security identifier (SID)
    • “-” for a role
    • “%” for a farm ID
    • “?” for a name identifier
    • “\” for a private personal identifier (PPID)
    • “e” for a user principal name (UPN)
  • <ClaimValueType> indicates the type of formatting for the claim value and is the following:
    • “.” for a string
    • “+” for an RFC 822-formatted name
  • <AuthMode> indicates the type of authentication used to obtain the identity claim and is the following:
    • “w” for Windows claims (no original issuer)
    • “s” for the local SharePoint security token service (STS) (no original issuer)
    • “t” for a trusted issuer
    • “m” for a membership issuer
    • “r” for a role provider issuer
    • “f” for forms-based authentication
    • “c” for a claim provider
  • <OriginalIssuer> indicates the original issuer of the claim.
  • <ClaimValue> indicates the value of the claim in the <ClaimType> format.

Here are some places in SharePoint where you will see claims encoding (please add to this list):

  • In the display of user sign-in information on a SharePoint 2010 or 2013 web site (For example, on a SharePoint 2013 team site page, click your user name in the upper-left corner, and then click My Settings. The Account field uses the claims encoding.)
  • In the "Authentication Authorization" log entries in the Unified Logging Service (ULS) log files for SharePoint 2013
  • In the audit log under the User ID field

Here are some examples (please add your own based on your experience):

Type of claim | Encoded claim | Claim encoding breakdown

Windows User

i:0#.w|contoso\chris

  • “i” for an identity claim
  • “#” for the user logon name format for the claim value
  • “.” for a string
  • “w” for Windows claims
  • “contoso\chris” for the identity claim value (the Windows account name)

Windows Authenticated Users group

c:0!.s|windows

  • “c” for a claim other than identity
  • “!” for an identity provider
  • “.” for a string
  • “s” for the local SharePoint STS
  • “windows” for the Windows Authenticated Users group

SAML authentication (Trusted User)

i:05.t|adfs|chris@contoso.com

  • “i” for an identity claim
  • “5” for the email address format for the claim value
  • “.” for a string
  • “t” for a trusted issuer
  • “adfs” identifies the original issuer of the identity claim
  • “chris@contoso.com” for the identity claim value

Forms-based authentication

i:0#.f|mymembershipprovider|chris

  • “i” for an identity claim
  • “#” for the user logon name format for the claim value
  • “.” for a string
  • “f” for forms-based authentication
  • “mymembershipprovider” identifies the original issuer of the identity claim
  • “chris” for the user logon name
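
A decoder for the encoding format above, useful when reading the User ID field in audit logs or ULS entries. It is an added example, not part of the original article or any SharePoint API: the name decode_claim is hypothetical, the lookup tables are transcribed from the lists on this page, and treating a second "|" as the issuer separator for authentication modes other than "w" and "s" is an assumption.

```python
# Added example: decode_claim is a hypothetical helper, not a SharePoint API.
# The lookup tables are transcribed from the lists on this page.
CLAIM_KIND = {"i": "identity claim", "c": "other claim"}
CLAIM_TYPE = {
    "#": "user logon name", ".": "anonymous user", "5": "email address",
    "!": "identity provider", "+": "group SID", "-": "role",
    "%": "farm ID", "?": "name identifier", "\\": "PPID", "e": "UPN",
}
VALUE_TYPE = {".": "string", "+": "RFC 822-formatted name"}
AUTH_MODE = {
    "w": "Windows claims", "s": "local SharePoint STS", "t": "trusted issuer",
    "m": "membership issuer", "r": "role provider issuer",
    "f": "forms-based authentication", "c": "claim provider",
}
NO_ISSUER_MODES = {"w", "s"}  # listed on the page as "(no original issuer)"


def decode_claim(encoded):
    """Split an encoded claim into labelled fields; ValueError if malformed."""
    head, sep, rest = encoded.partition("|")
    # The prefix is always 6 characters: kind, ":0", type, value type, auth mode.
    if not sep or len(head) != 6 or head[1:3] != ":0":
        raise ValueError(f"not a claims-encoded value: {encoded!r}")
    kind, ctype, vtype, mode = head[0], head[3], head[4], head[5]
    if kind not in CLAIM_KIND:
        raise ValueError(f"unknown claim kind {kind!r} in {encoded!r}")
    issuer, value = None, rest
    # Assumption: for modes that can carry an issuer, a second "|" separates
    # the original issuer from the value; the value may itself contain "|".
    if mode not in NO_ISSUER_MODES and "|" in rest:
        issuer, _, value = rest.partition("|")
    if not value:
        raise ValueError(f"empty claim value in {encoded!r}")
    return {
        "kind": CLAIM_KIND[kind],
        # Characters outside the page's lists are reported, not rejected.
        "claim_type": CLAIM_TYPE.get(ctype, f"unlisted ({ctype})"),
        "value_type": VALUE_TYPE.get(vtype, f"unlisted ({vtype})"),
        "auth_mode": AUTH_MODE.get(mode, f"unlisted ({mode})"),
        "original_issuer": issuer,
        "value": value,
    }


if __name__ == "__main__":
    # The four encoded claims are the examples given on this page.
    for sample in (r"i:0#.w|contoso\chris", "c:0!.s|windows",
                   "i:05.t|adfs|chris@contoso.com",
                   "i:0#.f|mymembershipprovider|chris"):
        print(sample, "->", decode_claim(sample))
```

Comparing the decoded fields rather than only the trailing value keeps accounts such as the forms-based "chris" and the Windows "contoso\chris" distinct when correlating log entries.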