Wednesday, November 30, 2011

Claims Encoding


The following describes claims encoding. Keep in mind that the way a claim is created for each token issuer can differ depending on the primary identity claim that was used. It is generally recommended to review the user profiles after adding them, before activating the claim provider feature.

Examples:

i:0#.w|socialauth\nitingupta

i:05.t|socialauth|nitingupta



Definitions:

i = Identity Claim; all other claims use "c" instead of "i"

: = Colon

0 = Reserved to support future Claims

#/? = Claim Type Encoded Value. The default claim types will have a hardcoded encoded value that will enable parity across farms.

E.g. Key: ? Value: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Key: # Value: http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname

./0 = Claim Value Type. The default claim value types will have a hardcoded encoded value that will enable parity across farms.
E.g. Key: . Value: urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name
Key: 0 Value: http://www.w3.org/2001/XMLSchema#string

w/m/r/t/p/s = Original Issuer Type -> w = windows, m = membership, r = role, t = trusted STS, p = personal card, s = local STS claim



The AttributeValue element is encoded as follows:
  • Character 1 MUST be "i" for an identity claim (unique identifier for a user) or "c" for all other claims.
  • Character 2 MUST be ":" (colon).
  • Character 3 MUST be "0" (zero).
  • Character 4 MUST be the encoded character for the claim type. The claim type URIs and their encoded characters are specified in the following table:
Encoded character   Claim type URI
"0"                 "http://schemas.microsoft.com/sharepoint/2009/08/claims/audienceid"
"1"                 "http://schemas.microsoft.com/sharepoint/2009/08/claims/organizationid"
"""                 "http://schemas.microsoft.com/sharepoint/2009/08/claims/useridentifier"
"#"                 "http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname"
"!"                 "http://schemas.microsoft.com/sharepoint/2009/08/claims/identityprovider"
"$"                 "http://schemas.microsoft.com/sharepoint/2009/08/claims/distributionlistsid"
"%"                 "http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid"
"7"                 "http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid"
"&"                 "http://schemas.microsoft.com/sharepoint/2009/08/claims/processidentitysid"
"'"                 "http://schemas.microsoft.com/sharepoint/2009/08/claims/processidentitylogonname"
"A"                 "http://schemas.microsoft.com/sharepoint/2009/08/claims/windowstoken/handle"
"B"                 "http://sharepoint.microsoft.com/claims/2009/01/windowstoken/processid"
"C"                 "http://sharepoint.microsoft.com/claims/2009/01/windowstoken/processid"
"("                 "http://schemas.microsoft.com/sharepoint/2009/08/claims/isauthenticated"
"h"                 "http://schemas.microsoft.com/sharepoint/2009/08/claims/provideruserkey"

Service model claim type URIs:

Encoded character   Claim type URI
")"                 "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"
"*"                 "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid"
"+"                 "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
"-"                 "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
"."                 "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/anonymous"
"/"                 "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication"
"0"                 "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecision"
"1"                 "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country"
"2"                 "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirth"
"3"                 "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid"
"4"                 "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns"
"5"                 "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
"6"                 "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/gender"
"7"                 "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
"8"                 "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/hash"
"9"                 "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/homephone"
"<"                 "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality"
"="                 "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone"
">"                 "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
"?"                 "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
"@"                 "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone"
"["                 "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcode"
"\"                 "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier"
"]"                 "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/rsa"
"^"                 "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/sid"
"_"                 "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/spn"
"`"                 "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince"
"a"                 "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddress"
"b"                 "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
"c"                 "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/system"
"d"                 "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprint"
"e"                 "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
"f"                 "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/uri"
"g"                 "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/webpage"
  • Character 5 MUST be the encoded character for claim value type. The claim value types and their encoded characters are specified in the following table:
Encoded character   Claim value type URI
"!"                 "http://www.w3.org/2001/XMLSchema#base64Binary"
"""                 "http://www.w3.org/2001/XMLSchema#boolean"
"#"                 "http://www.w3.org/2001/XMLSchema#date"
"$"                 "http://www.w3.org/2001/XMLSchema#dateTime"
"%"                 "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#dayTimeDuration"
"&"                 "http://www.w3.org/2001/XMLSchema#double"
"("                 "http://www.w3.org/2001/XMLSchema#hexBinary"
")"                 "http://www.w3.org/2001/XMLSchema#integer"
"*"                 "http://www.w3.org/2000/09/xmldsig#KeyInfo"
"-"                 "http://www.w3.org/2000/09/xmldsig#RSAKeyValue"
"`"                 "http://www.w3.org/2000/09/xmldsig#DSAKeyValue"
"."                 "http://www.w3.org/2001/XMLSchema#string"
"/"                 "http://www.w3.org/2001/XMLSchema#time"
"1"                 "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration"
"0"                 X500Name
"+"                 Rfc822Name
  • Character 6 MUST be "w", "m", "r", "t", "s" or "c". This character represents the encoded original issuer. The list of provider types is specified in the following table:
Encoded character   Original issuer
"w"                 Windows
"m"                 ASP.Net Membership provider (Forms based authentication)
"r"                 ASP.Net Role provider (Forms based authentication)
"t"                 Trusted STS
"s"                 Local STS
"c"                 Claim provider
  • If the original issuer is not Windows or the local STS, the next character MUST be "|" (pipe), and the name of the original issuer MUST begin at this point. If the original issuer is Windows or the local STS, there MUST NOT be any such character.
  • The next character MUST be "|" (pipe), and the characters after that "|" MUST be the claim value.
If the claim is encoded as described at the beginning of this section, then the casing of the encoded claim MUST be lower case and invariant culture; upper case MUST NOT be used.
Claim value, provider type and original issuer are not case-sensitive.
The characters %, :, ;, and | MUST be HTML encoded.
The preceding encoded strings have the following restrictions:
  • Characters 1 through 5 are case-sensitive.
  • Claim value, provider type, and original issuer are not case-sensitive.
These restrictions apply only to the encoded claim string. Non-encoded claims are not case sensitive.
The total length of the claim value MUST NOT exceed 255 characters.
In the SAML token, the casing for the claim value of the claim type NameIdentifier MUST be lower and invariant culture. This claim MUST be on the header of the SAML token as specified by the [SAMLToken1.1] protocol document.
All tokens issued for SharePoint MUST contain ONE FarmId claim with the SharePoint farm identifier for which the token was issued.
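As an added example (not code from the original post or from SharePoint itself), the following Python decoder applies the rules above to an encoded claim string and rejects strings that break them. Its lookup tables are partial and hold only the codes used by the two example strings at the top of the post ("#", "?", "5" for claim types and "." for the string value type, as listed in the tables); everything else is read straight from the rules.

```python
# Partial lookup tables: only the codes this page's own examples use.
CLAIM_TYPES = {
    "#": "http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname",
    "?": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "5": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
}
VALUE_TYPES = {".": "http://www.w3.org/2001/XMLSchema#string"}
ISSUER_TYPES = {"w": "Windows", "m": "Membership provider", "r": "Role provider",
                "t": "Trusted STS", "s": "Local STS", "c": "Claim provider"}
NO_ISSUER_NAME = {"w", "s"}  # Windows and the local STS carry no issuer name


def decode_claim(encoded: str) -> dict:
    """Split an encoded claim into its parts; raise ValueError if it breaks a rule."""
    if len(encoded) < 8:
        raise ValueError("encoded claim too short")
    kind, colon, reserved, ctype, vtype, issuer = encoded[:6]  # characters 1-6
    # Characters 1-5 are case-sensitive, so they are matched exactly.
    if kind not in ("i", "c") or colon != ":" or reserved != "0":
        raise ValueError("encoded claim must start with 'i:0' or 'c:0'")
    if ctype not in CLAIM_TYPES or vtype not in VALUE_TYPES:
        raise ValueError(f"unknown claim type or value type code {ctype!r} {vtype!r}")
    issuer = issuer.lower()  # the provider type is not case-sensitive
    if issuer not in ISSUER_TYPES:
        raise ValueError(f"unknown original issuer type {issuer!r}")
    if encoded[6] != "|":
        raise ValueError("expected '|' after the issuer type")
    rest, issuer_name = encoded[7:], None
    if issuer not in NO_ISSUER_NAME:  # '<issuer name>|' precedes the value
        issuer_name, sep, rest = rest.partition("|")
        if not sep or not issuer_name:
            raise ValueError("original issuer name is required for this issuer type")
    if not rest or len(rest) > 255:
        raise ValueError("claim value must be 1 to 255 characters")
    if any(ch in rest for ch in "%:;|"):
        raise ValueError("claim value must HTML-encode %, :, ; and |")
    return {"identity": kind == "i", "claim_type": CLAIM_TYPES[ctype],
            "value_type": VALUE_TYPES[vtype], "issuer_type": ISSUER_TYPES[issuer],
            "issuer_name": issuer_name, "value": rest}


def is_valid_claim(encoded: str) -> bool:
    """True when the string decodes cleanly under the rules above."""
    try:
        decode_claim(encoded)
    except ValueError:
        return False
    return True
```

Feeding it the two example strings shows the difference between a Windows issuer (no issuer name, value immediately after the pipe) and a trusted STS (issuer name, second pipe, then value).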