Claims Encoding for SharePoint 2013 and 2010

On a recent SharePoint 2013 project a question came up "How do you read those funny looking user ids?" After a bit of research, the claims identity breaks down in the following format:

<IdentityClaim>:0<ClaimType><ClaimValueType><AuthMode>|<OriginalIssuer (optional)>|<ClaimValue>

How it breaks down

For the IdentityClaim acceptable values are:

• "i" for identity claim
• "c" for any other claim

For the ClaimValue acceptable values are:

• “#” for a user logon name
• “.” for  an anonymous user
• “5” for an email address
• “!” for an identity provider
• “+” for a Group security identifier (SID)
• “-“ for a role
• “%” for a farm ID
• “?” for a name identifier
• "\" for a private personal identifier (PPID)

For the ClaimValueType acceptable values are:

• “.” for a string
• “+” for an RFC 822-formatted name

For the AuthMode acceptable values are:

• “w” for Windows claims (no original issuer)
• “s” for the local SharePoint security token service (STS) (no original issuer)
• “t” for a trusted issuer
• “m” for a membership issuer
• “r” for a role provider issuer
• “f” for forms-based authentication
• “c” for a claim provider

The option field of OriginalIssuer tells us who the original issuer of claim is

The value for ClaimType is the the user id when the IdentityClaim is "i".

Example

i:0#.f|mymembershipprovider|wick

I am reading the above example as Identity Claim ("i") that contains the username ("#") of type string (".") with an authmode of Forms Based Authentication ("f"). The member provider being used is "mymembershipprovider" and the user id is "wick".

Resources / References

• How Claims encoding works in SharePoint 2010
• SharePoint 2013: Claims Encoding - Also Valuable for SharePoint 2010