Format 

SharePoint 2013 and SharePoint 2010 display identity claims with the following encoding format:

<IdentityClaim>:0<ClaimType><ClaimValueType><AuthMode>|<OriginalIssuer (optional)>|<ClaimValue>

Components explained

<IdentityClaim>

  • <IdentityClaim> indicates the type of claim and is one of the following:
    • "i" for an identity claim
    • "c" for any other claim

<ClaimType>

  • <ClaimType> indicates the format for the claim value and is one of the following:
    • "#" for a user logon name
    • "." for an anonymous user
    • "5" for an email address
    • "!" for an identity provider
    • "+" for a group security identifier (SID)
    • "-" for a role
    • "%" for a farm ID
    • "?" for a name identifier
    • "\" for a private personal identifier (PPID)
    • "e" for a user principal name (UPN)
    • """ for a user ID
    • "$" for a distribution list security identifier (SID)
    • "&" for a process identity security identifier (SID)
    • "'" for a process identity logon name
    • "(" for an authenticated user
    • ")" for a primary security identifier (SID)
    • "*" for a primary group security identifier (SID)
    • "0" for an authorization decision
    • "1" for a country
    • "2" for a date of birth
    • "3" for a deny only security identifier (SID)
    • "4" for DNS
    • "6" for a gender
    • "7" for a given name
    • "8" for a hash
    • "9" for a home phone
    • "<" for a locality
    • "=" for a mobile phone
    • ">" for a name
    • "@" for other phone
    • "[" for a postal code
    • "]" for RSA
    • "^" for a secure identifier (SID)
    • "_" for a service principal name (SPN)
    • "`" for a state or province
    • "a" for a street address
    • "b" for a surname
    • "c" for a system
    • "d" for a thumbprint
    • "f" for a uniform resource name (URI)
    • "g" for a web page

<ClaimValueType>

  • <ClaimValueType> indicates the type of formatting for the claim value and is one of the following:
    • "." for a string
    • "+" for an RFC 822-formatted name
    • ")" for an integer
    • """ for a Boolean
    • "#" for a date
    • "$" for a date with time
    • "&" for a double
    • "!" for a Base64-formatted binary
    • "0" for an X.500-formatted name

<AuthMode>

  • <AuthMode> indicates the type of authentication used to obtain the identity claim and is one of the following:
    • "w" for Windows claims (no original issuer)
    • "s" for the local SharePoint security token service (STS) (no original issuer)
    • "t" for a trusted issuer
    • "m" for a membership issuer
    • "r" for a role provider issuer
    • "f" for forms-based authentication
    • "c" for a claim provider

<OriginalIssuer>

  • <OriginalIssuer> indicates the original issuer of the claim.

<ClaimValue>

  • <ClaimValue> is the value of the claim, expressed in the format indicated by <ClaimType>.

Where used

Here are some places in SharePoint where you will see claims encoding (please add to this list):

  • In the display of user sign-in information on a SharePoint 2010 or 2013 web site (For example, on a SharePoint 2013 team site page, click your user name in the upper-left corner, and then click My Settings. The Account field uses the claims encoding.)
  • In the "Authentication Authorization" log entries in the Unified Logging Service (ULS) log files for SharePoint 2013
  • In the audit log under the User ID field

Examples

Here are some examples (please add your own based on your experience). Each example lists the type of claim, the encoded claim, and the claim encoding breakdown.

Windows User

i:0#.w|contoso\chris

  • “i” for an identity claim
  • “#” for the user logon name format for the claim value
  • “.” for a string
  • “w” for Windows claims
  • “contoso\chris” for the identity claim value (the Windows account name)

Windows Authenticated Users group

c:0!.s|windows

  • “c” for a claim other than identity
  • “!” for an identity provider
  • “.” for a string
  • “s” for the local SharePoint STS
  • “windows” for the Windows Authenticated Users group

Active Directory Users group with SID

c:0+.w|s-1-2-34-1234567890-1234567890-1234567890-1234

  • “c” for a claim other than identity
  • “+” for Group security identifier
  • “.” for a string
  • “w” for Windows claims
  • “s-1-2-34-123...” for the Active Directory Users group SID

Custom ADFS claim provider

i:0ǵ.t|custom-adfs|First.Last

  • “i” for an identity claim
  • “ǵ” for a custom claim provider (see note 1 below)
  • “.” for a string
  • “t” for a trusted issuer
  • “custom-adfs” identifies the original issuer of the identity claim
  • "First.Last" for the identity claim value

SAML authentication (Trusted User)

i:05.t|adfs|chris@contoso.com

  • “i” for an identity claim
  • “5” for the email address format for the claim value
  • “.” for a string
  • “t” for a trusted issuer
  • “adfs” identifies the original issuer of the identity claim
  • “chris@contoso.com” for the identity claim value

Forms-based authentication

i:0#.f|mymembershipprovider|chris

  • “i” for an identity claim
  • “#” for the user logon name format for the claim value
  • “.” for a string
  • “f” for forms-based authentication
  • “mymembershipprovider” identifies the original issuer of the identity claim
  • “chris” for the user logon name

Note 1: the "ǵ" here is actually a "g" with a tilde on top, an odd character that arises from how SharePoint tracks custom claim providers. Wictor Wilen explains it best: "If you are creating custom claim providers or using a trusted provider (as original issuer), you will see that you get some "undocumented" values in the Claim Type (4th) position (that is, they are not documented in the protocol specs). The most common character to see here is ǵ (0x01F5). If the claim encoding mechanism in SharePoint cannot find a claim type it automatically creates a claim type encoding for that claim. It will always start with the value of 500 and increment that value by 1, which results in 501. 501 in hex is 01F5, which represents that character. It will continue to increase the value for each new (and to SharePoint not already defined) claim type. The important thing here to remember is that these claim types and their encoding are not the same across farms; it all depends on the order in which the new claim types are added/used. (All this is stored in a persisted object in the configuration database)". From: How Claims encoding works in SharePoint 2010.
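The following decoder is an added example, not code from the page or from SharePoint itself. It applies the format and the component tables above to the encoded claims in the examples (the kind of value you would pull out of a ULS "Authentication Authorization" entry or the audit log's User ID field), and it handles the two cases a practitioner trips over: the missing original-issuer segment for the "w" and "s" authentication modes, and the farm-specific dynamic claim-type codes (0x01F5 and up) described in note 1. The `DecodedClaim` class, the function names and the table descriptions are this example's own choices.

```python
"""Decoder for the SharePoint 2010/2013 claims encoding.

Layout: <IdentityClaim>:0<ClaimType><ClaimValueType><AuthMode>|<OriginalIssuer>|<ClaimValue>
"""
from dataclasses import dataclass
from typing import Optional

# Lookup tables transcribed from the component lists on the page.
IDENTITY_CLAIM = {"i": "identity claim", "c": "other claim"}

CLAIM_TYPES = {
    "#": "user logon name", ".": "anonymous user", "5": "email address",
    "!": "identity provider", "+": "group SID", "-": "role", "%": "farm ID",
    "?": "name identifier", "\\": "private personal identifier (PPID)",
    "e": "user principal name (UPN)", '"': "user ID", "$": "distribution list SID",
    "&": "process identity SID", "'": "process identity logon name",
    "(": "authenticated user", ")": "primary SID", "*": "primary group SID",
    "0": "authorization decision", "1": "country", "2": "date of birth",
    "3": "deny-only SID", "4": "DNS", "6": "gender", "7": "given name", "8": "hash",
    "9": "home phone", "<": "locality", "=": "mobile phone", ">": "name",
    "@": "other phone", "[": "postal code", "]": "RSA", "^": "secure identifier (SID)",
    "_": "service principal name (SPN)", "`": "state or province",
    "a": "street address", "b": "surname", "c": "system", "d": "thumbprint",
    "f": "uniform resource name (URI)", "g": "web page",
}

VALUE_TYPES = {
    ".": "string", "+": "RFC 822-formatted name", ")": "integer", '"': "Boolean",
    "#": "date", "$": "date with time", "&": "double",
    "!": "Base64-formatted binary", "0": "X.500-formatted name",
}

AUTH_MODES = {
    "w": "Windows claims", "s": "local SharePoint STS", "t": "trusted issuer",
    "m": "membership issuer", "r": "role provider issuer",
    "f": "forms-based authentication", "c": "claim provider",
}

# Authentication modes for which the page says no original-issuer segment is present.
NO_ISSUER_MODES = {"w", "s"}

# First dynamically assigned claim-type code: 500 + 1 = 501 = 0x01F5 (note 1).
FIRST_DYNAMIC_CODE = 0x01F5


@dataclass
class DecodedClaim:
    is_identity: bool
    claim_type: str
    value_type: str
    auth_mode: str
    original_issuer: Optional[str]
    value: str


def describe_claim_type(code: str) -> str:
    """Map a claim-type character to its meaning. Codes at or above 0x01F5 are
    assigned per farm in the order claim types were first seen, so they are
    reported by ordinal rather than by name."""
    if code in CLAIM_TYPES:
        return CLAIM_TYPES[code]
    if ord(code) >= FIRST_DYNAMIC_CODE:
        ordinal = ord(code) - (FIRST_DYNAMIC_CODE - 1)
        return f"farm-specific dynamic claim type #{ordinal} (U+{ord(code):04X})"
    return f"unknown claim type {code!r}"


def decode_claim(encoded: str) -> DecodedClaim:
    """Split an encoded claim into its components; raise ValueError on input
    that does not follow the documented layout."""
    head, sep, rest = encoded.partition("|")
    # head is <IdentityClaim>:0<ClaimType><ClaimValueType><AuthMode>: six code points.
    if not sep or len(head) != 6 or head[1:3] != ":0":
        raise ValueError(f"not a SharePoint encoded claim: {encoded!r}")
    kind, ctype, vtype, mode = head[0], head[3], head[4], head[5]
    if kind not in IDENTITY_CLAIM or vtype not in VALUE_TYPES or mode not in AUTH_MODES:
        raise ValueError(f"unrecognised component in {encoded!r}")
    if mode in NO_ISSUER_MODES:
        issuer, value = None, rest
    else:
        # Issuer is the segment before the next '|'; the value keeps any later '|'.
        issuer, sep2, value = rest.partition("|")
        if not sep2:
            # No issuer segment at all: treat the remainder as the value rather
            # than silently misreading the value as an issuer name.
            issuer, value = None, rest
    return DecodedClaim(kind == "i", describe_claim_type(ctype), VALUE_TYPES[vtype],
                        AUTH_MODES[mode], issuer, value)


if __name__ == "__main__":
    # Encoded claims taken from the examples on the page.
    for sample in ("i:0#.w|contoso\\chris", "c:0!.s|windows",
                   "i:05.t|adfs|chris@contoso.com", "i:0\u01f5.t|custom-adfs|First.Last"):
        print(sample, "->", decode_claim(sample))
```

Because the dynamic codes are assigned per farm, a decoder like this can name the claim type for a "ǵ" claim only by its ordinal; resolving it to an actual claim type URI requires the farm's own configuration, which this example does not read.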