A reference table for working with SharePoint claims encoding.
Claims encoding format
SharePoint 2013 and SharePoint 2010 display identity claims with the following encoding format:
<IdentityClaim>:0<ClaimType><ClaimValueType><AuthMode>|<OriginalIssuer(optional)>|<ClaimValue>
Each component is explained below:
<IdentityClaim>
Indicates the type of claim and could be one of the following:
- “i” for an identity claim
- “c” for any other claim
<ClaimType>
Indicates the format for the claim value and could be one of the following:
- “#” for a user logon name
- “.” for an anonymous user
- “5” for an email address
- “!” for an identity provider
- “+” for a Group security identifier (SID)
- “-” for a role
- “%” for a farm ID
- “?” for a name identifier
- “\” for a private personal identifier (PPID)
- “e” for a user principal name (UPN)
- “"” for a user ID
- “$” for a distribution list security identifier (SID)
- “&” for a process identity security identifier (SID)
- “'” for a process identity logon name
- “(” for an authenticated user
- “)” for a primary security identifier (SID)
- “*” for a primary group security identifier (SID)
- “0” for an authorization decision
- “1” for a country
- “2” for a date of birth
- “3” for a deny only security identifier (SID)
- “4” for DNS
- “6” for a gender
- “7” for a given name
- “8” for a hash
- “9” for a home phone
- “<” for a locality
- “=” for a mobile phone
- “>” for a name
- “@” for other phone
- “[” for a postal code
- “]” for RSA
- “^” for a secure identifier (SID)
- “_” for a service principal name (SPN)
- “`” for a state or province
- “a” for a street address
- “b” for a surname
- “c” for a system
- “d” for a thumbprint
- “f” for a uniform resource identifier (URI)
- “g” for a web page
<ClaimValueType>
Indicates the type of formatting for the claim value and could be one of the following:
- “.” for a string
- “+” for an RFC 822-formatted name
- “)” for an integer
- “"” for a Boolean
- “#” for a date
- “$” for a date with time
- “&” for a double
- “!” for a Base64 formatted binary
- “0” for an X.500 formatted name
<AuthMode>
Indicates the type of authentication used to obtain the identity claim and could be one of the following:
- “w” for Windows claims (no original issuer)
- “s” for the local SharePoint security token service (STS) (no original issuer)
- “t” for a trusted issuer
- “m” for a membership issuer
- “r” for a role provider issuer
- “f” for forms-based authentication
- “c” for a claim provider
<OriginalIssuer>
Indicates the original issuer of the claim.
<ClaimValue>
Indicates the value of the claim in the <ClaimType> format.
Some examples
1. Windows user
i:0#.w|contoso\chris
- “i” for an identity claim
- “#” for the user logon name format for the claim value
- “.” for a string
- “w” for Windows claims
- “contoso\chris” for the identity claim value (the Windows account name)
2. Windows authenticated users group
c:0!.s|windows
- “c” for a claim other than identity
- “!” for an identity provider
- “.” for a string
- “s” for the local SharePoint STS
- “windows” for the Windows Authenticated Users group
3. SAML authentication (trusted user)
i:05.t|adfs|chris@contoso.com
- “i” for an identity claim
- “5” for the email address format for the claim value
- “.” for a string
- “t” for a trusted issuer
- “adfs” identifies the original issuer of the identity claim
- “chris@contoso.com” for the identity claim value
4. Forms-based authentication
i:0#.f|mymembershipprovider|chris
- “i” for an identity claim
- “#” for the user logon name format for the claim value
- “.” for a string
- “f” for forms-based authentication
- “mymembershipprovider” identifies the original issuer of the identity claim
- “chris” for the user logon name