Programmatically converting login name to claim and vice versa
SharePoint 2010 introduced Claims Based Authentication. One consequence is that, in order to use Forms Based Authentication (FBA), you need to configure your Web Application to use Claims instead of Classic Authentication. One of the many changes you notice while working with claims is the different login names: while in SharePoint 2007 you used something like myprovider:myuser, SharePoint 2010 makes claims soup of it: i:0#.f|myprovider|myuser. And while this is something you can take into account for newly created solutions, it can get confusing when upgrading SharePoint 2007 solutions to SharePoint 2010, especially if all you need is the user name. So is String.Replace the only way to get it out, or is there a better way?
It turns out that retrieving the user name from its claims representation is pretty straightforward and can be done using the following code snippet:
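    // Requires: using Microsoft.SharePoint; using Microsoft.SharePoint.Administration.Claims;
    string userName = null;
    // Get a reference to the Claims Provider Manager
    SPClaimProviderManager mgr = SPClaimProviderManager.Local;
    if (mgr != null)
    {
        // Decode the claims-encoded login name into an SPClaim and take its value
        userName = mgr.DecodeClaim(SPContext.Current.Web.CurrentUser.LoginName).Value;
    }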
First we retrieve a reference to the Claims Provider Manager configured with the current Web Application. Then, using the DecodeClaim(string) method, we convert the string into an SPClaim and retrieve its value, which contains the login name of the current user.
So, assuming you were logged in with the myuser account and the value of the SPContext.Current.Web.CurrentUser.LoginName property was something similar to i:0#.f|myprovider|myuser, calling the code snippet above would return myuser.
Claims back and forth
In some scenarios you might want to do the exact opposite: you might be starting off with a login name and need to turn it into the claims-based name. Just like in the previous scenario, this can easily be done using the SPClaimProviderManager:
    string userName = null;
    SPClaimProviderManager mgr = SPClaimProviderManager.Local;
    if (mgr != null)
    {
        // Build a user logon name claim for "myuser", issued by the Forms provider "myprovider"
        SPClaim claim = new SPClaim(
            SPClaimTypes.UserLogonName,
            "myuser",
            "http://www.w3.org/2001/XMLSchema#string",
            SPOriginalIssuers.Format(SPOriginalIssuerType.Forms, "myprovider"));
        // Encode the claim into its string representation
        userName = mgr.EncodeClaim(claim);
    }
Just as in the previous example, we start off by getting a reference to the current Claims Provider Manager. The next step is to create a claim based on the login name of the current user. You can do this using the constructor of the SPClaim class. As the type you have to provide SPClaimTypes.UserLogonName; as the value, the login name of the user; as the value type, the XML type for string; and finally, as the originalIssuer, the name of your Membership Provider. In this sample I used a custom Forms Based Membership Provider, but you might need some other type depending on your scenario.
In our example, if you needed the claims representation for the myuser claims account, calling the above code snippet would return i:0#.f|myprovider|myuser.
And that’s it: converting the login names to claims and vice versa is that simple. And using the DecodeClaim and EncodeClaim methods makes it more reliable than parsing or building the strings manually.
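The decoding step wrapped in a defensive helper, as an added example that is not code from the original post: it skips DecodeClaim for names that are not encoded claims, accepts only user logon name claims, and returns the original issuer alongside the value so that same-named accounts from different providers are not conflated. LoginNameHelper and TryGetUserName are hypothetical names; the code assumes server-side SharePoint 2010 code with a reference to Microsoft.SharePoint.dll.

```csharp
using System;
using Microsoft.SharePoint.Administration.Claims;

// Added example: LoginNameHelper and its members are hypothetical names.
public static class LoginNameHelper
{
    // Resolves a login name to its account name and original issuer.
    // Returns false when the name cannot be treated as a user logon name.
    public static bool TryGetUserName(string loginName, out string userName, out string issuer)
    {
        userName = null;
        issuer = null;
        if (string.IsNullOrEmpty(loginName))
            return false;

        // Classic-mode login names are not encoded claims: return them
        // unchanged and never hand them to DecodeClaim.
        if (!SPClaimProviderManager.IsEncodedClaim(loginName))
        {
            userName = loginName;
            return true;
        }

        SPClaimProviderManager mgr = SPClaimProviderManager.Local;
        if (mgr == null)
            return false;

        SPClaim claim = mgr.DecodeClaim(loginName);

        // Reject encoded claims of other types (roles, groups, ...): their
        // value is not an account name.
        if (!string.Equals(claim.ClaimType, SPClaimTypes.UserLogonName,
                           StringComparison.OrdinalIgnoreCase))
            return false;

        userName = claim.Value;
        issuer = claim.OriginalIssuer; // keep with userName when comparing identities
        return true;
    }
}
```

For the post's sample value i:0#.f|myprovider|myuser, userName comes back as myuser and issuer carries the Forms issuer for myprovider.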

August 18th, 2010 at 12:37 pm
I do believe you can also just use an SPUser instance to accomplish getting just the user name. But thanks for this! I struggled with this for a time before I realized that the current SPUser will just return the user name alone. I have not hit a situation yet where I need to add the claim information back though.
November 25th, 2010 at 4:48 pm
Just thought I'd mention, if you want to get the claim from a login name you can use:
SPClaimProviderManager.Local.ConvertIdentifierToClaim(accountName, SPIdentifierTypes.WindowsSamAccountName)
R.
May 25th, 2011 at 4:18 am
Hey Waldek, hope u r well and doing great. I had a question regarding Claims and migration from MOSS 2007. Imagine you had web-apps setup in MOSS 2007 using classic windows auth. Now the web-app is migrated to SP 2010 and customer decides on using Claims based for the web-app. Also we do have User Profiles (pulled from AD), now do you think even the UserProfile service has to be extended to understand claims so that it can have profiles for users of claims instead of Windows. What I am trying to refer here is the people-picker in the user profile has to resolve to users of the Claims (i.e. i:0#:w|mydomain\mbd) instead of just regular (mydomain\mbd). Do we have to extend anything on UPA or simply some change in some config to enable people picker to differentiate between claims and classic users. This is important as in case if u have some custom code for user profiles in 2007 that might fail in 2010 as the user's identity in claims is different than simple classics identity.
Thanks and sorry abt this lengthy query.
July 12th, 2011 at 11:41 am
Thanks Waldek!
Before calling .DecodeClaim you should call .IsEncodedClaim, because you never know whether you will actually receive a Claims user or not.
July 13th, 2011 at 7:19 am
@Dennis: Nice tip. Thanks!
July 29th, 2011 at 7:04 am
Hi,
How can we call Decode claim method if we are getting a current user using httpcontext object. We don't want to use SPContext.Current.Web.CurrentUser.LoginName as sometimes it does not return the actual value of user (ex: sometimes it returns system account). So we are using HTTPContext.User.Identity.Name
July 29th, 2011 at 8:46 am
@Nandini: Both properties return string which can be passed to the method. What is your challenge exactly?
September 23rd, 2011 at 11:08 am
Hi,
I want to second MossBuddy's comment and would like to know if you are aware of any solution on that.
Regards
Pooja
September 23rd, 2011 at 12:42 pm
Hi,
I have developed an InfoPath form and packaged it in a Visual Studio solution for migrating between various servers (Dev/Test/Production). My server is using Claims based authentication and I am using userprofileservices on the InfoPath form included in the solution. I would want to know where I should add these lines of code so that I can change the login details before it communicates with the service, as it only accepts domain\username format.
Regards
Pooja
December 2nd, 2011 at 3:53 am
Can you impersonate incoming claims token with custom SAML token created for SharePoint in code?
I have a sharepoint web application configured with claims but I want to impersonate incoming claims with custom SAML token using NT domain name, userid, and password or Windows Identity and call Search Service Application for custom search application.
December 2nd, 2011 at 12:02 pm
@Nik: I'm not sure. Have you tried asking at http://mssharepointforums.com?
January 21st, 2012 at 7:39 am
Hello,
Can you please tell me how to set the user names on the SharePoint 2010 blogs template, because it's not a webpart, it's the template provided by SharePoint where it reflects the names of the users who have posted the blogs.
Please help me in this.
Thanks