
SharePoint 2013 and SharePoint 2010 claims encoding

SharePoint 2013 and SharePoint 2010 display claims with the following encoding format:

<IdentityClaim>:0<ClaimType><ClaimValueType><AuthMode>|<OriginalIssuer (optional)>|<ClaimValue>

Where:

• <IdentityClaim> indicates the type of claim and is the following:
  o “i” for an identity claim
  o “c” for any other claim
• <ClaimType> indicates the format for the claim value and is the following:
  o “#” for a user logon name
  o “.” for an anonymous user
  o “5” for an email address
  o “!” for an identity provider
  o “+” for a Group security identifier (SID)
  o “-” for a role
  o “%” for a farm ID
  o “?” for a name identifier
  o “\” for a private personal identifier (PPID)
• <ClaimValueType> indicates the type of formatting for the claim value and is the following:
  o “.” for a string
  o “+” for an RFC 822-formatted name
• <AuthMode> indicates the type of authentication used to obtain the identity claim and is the following:
  o “w” for Windows claims (no original issuer)
  o “s” for the local SharePoint security token service (STS) (no original issuer)
  o “t” for a trusted issuer
  o “m” for a membership issuer
  o “r” for a role provider issuer
  o “f” for forms-based authentication
  o “c” for a claim provider
• <OriginalIssuer> indicates the original issuer of the claim.
• <ClaimValue> indicates the value of the claim in the <ClaimType> format.

Here are some places in SharePoint where you will see claims encoding (please add to this list):

• In the display of user sign-in information on a SharePoint 2010 Products web site
• In the "Authentication Authorization" log entries in the Unified Logging Service (ULS) log files for SharePoint 2013

Here are some examples (please add your own based on your experience):

Type of claim: Windows User
Encoded claim: i:0#.w|contoso\chris
Claim encoding breakdown:
• “i” for an identity claim
• “#” for the user logon name format for the claim value
• “.” for a string
• “w” for Windows claims
• “contoso\chris” for the identity claim value (the Windows account name)

Type of claim: Windows Authenticated Users group
Encoded claim: c:0!.s|windows
Claim encoding breakdown:
• “c” for a claim other than identity
• “!” for an identity provider
• “.” for a string
• “s” for the local SharePoint STS
• “windows” for the Windows Authenticated Users group

Type of claim: SAML authentication (Trusted User)
Encoded claim: i:05.t|adfs|chris@contoso.com
Claim encoding breakdown:
• “i” for an identity claim
• “5” for the email address format for the claim value
• “.” for a string
• “t” for a trusted issuer
• “adfs” identifies the original issuer of the identity claim
• “chris@contoso.com” for the identity claim value

Type of claim: Forms-based authentication
Encoded claim: i:0#.f|mymembershipprovider|chris
Claim encoding breakdown:
• “i” for an identity claim
• “#” for the user logon name format for the claim value
• “.” for a string
• “f” for forms-based authentication
• “mymembershipprovider” identifies the original issuer of the identity claim
• “chris” for the user logon name

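Programmatically convert Claims to Classic:

• Approach 1:
// Requires: using Microsoft.SharePoint;
string Username = SPContext.Current.Web.CurrentUser.LoginName;
if (SPContext.Current.Site.WebApplication.UseClaimsAuthentication)
{
    // Element 1 is the account name only for Windows claims (i:0#.w|DOMAIN\UserName).
    // When an original issuer is present, element 1 is the issuer, not the user.
    Username = Username.Split('|')[1];
}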

LoginName of user in claims for Windows User: i:0#.w|DOMAIN\\UserName

Identity of user in claims for Windows User: 0#.w|DOMAIN\\UserName

• Approach 2:
Use the SPClaimProviderManager class in the Microsoft.SharePoint.Administration.Claims namespace, which provides management of the various claims providers in the SPFarm object.
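
The encoding described above can be decoded field by field, which matters when reading ULS log entries or mapping users: splitting on "|" and taking element 1, as in Approach 1, returns the original issuer rather than the user for trusted-issuer and forms-based claims. The following is an added example in Python, not code from the original page and not SharePoint API code; the names decode_claim and windows_account_name are hypothetical, and the lookup tables cover only the characters listed on this page.

```python
from typing import NamedTuple, Optional

# Lookup tables transcribed from the encoding lists on this page only.
CLAIM_TYPES = {"#": "user logon name", ".": "anonymous user", "5": "email address",
               "!": "identity provider", "+": "group SID", "-": "role",
               "%": "farm ID", "?": "name identifier", "\\": "PPID"}
VALUE_TYPES = {".": "string", "+": "RFC 822-formatted name"}
AUTH_MODES = {"w": "Windows claims", "s": "local SharePoint STS", "t": "trusted issuer",
              "m": "membership issuer", "r": "role provider issuer",
              "f": "forms-based authentication", "c": "claim provider"}
NO_ISSUER_MODES = {"w", "s"}  # the page marks these as "no original issuer"


class DecodedClaim(NamedTuple):
    is_identity: bool
    claim_type: str
    value_type: str
    auth_mode: str
    original_issuer: Optional[str]
    value: str


def decode_claim(encoded: str) -> DecodedClaim:
    """Split an encoded claim into its fields; raise ValueError if malformed."""
    prefix, sep, rest = encoded.partition("|")
    # Prefix is exactly: <i|c> ":0" <ClaimType> <ClaimValueType> <AuthMode>
    if not sep or len(prefix) != 6 or prefix[0] not in "ic" or prefix[1:3] != ":0":
        raise ValueError(f"not an encoded claim: {encoded!r}")
    ctype, vtype, mode = prefix[3], prefix[4], prefix[5]
    if mode not in AUTH_MODES:
        raise ValueError(f"unknown auth mode {mode!r}")
    if mode in NO_ISSUER_MODES:
        issuer, value = None, rest  # everything after the first "|" is the value
    else:
        issuer, sep, value = rest.partition("|")
        if not sep:
            raise ValueError(f"auth mode {mode!r} requires an original issuer")
    if not value:
        raise ValueError("empty claim value")
    return DecodedClaim(prefix[0] == "i", CLAIM_TYPES.get(ctype, "unknown"),
                        VALUE_TYPES.get(vtype, "unknown"), AUTH_MODES[mode], issuer, value)


def windows_account_name(encoded: str) -> Optional[str]:
    """Return DOMAIN\\user only for a Windows identity claim, otherwise None."""
    c = decode_claim(encoded)
    if c.is_identity and c.auth_mode == "Windows claims" and c.claim_type == "user logon name":
        return c.value
    return None
```

Returning None for non-Windows claims keeps an issuer name such as “adfs” from being treated as an account name in a claims-to-classic mapping.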
