Recently I was doing some custom development for SharePoint 2010 and came across the need to determine whether the identity claim of a user (in a claims-based web application, of course) mapped back to a Windows (Active Directory) account. The reason was that if the user was logging in with a Windows account, I wanted to look up some information about them in Active Directory. Since I knew the lookup wouldn’t work for non-Windows claims users (for example, a user who logged in with Forms Authentication), I wanted to make the code smart enough to only attempt the lookup for users with Windows accounts.
I’ve included a code snippet below that shows the approach I took. Basically I retrieve the original issuer of a user’s identity claim and check whether the issuer was Windows (Active Directory). But the same approach can be used to check for other issuers as well.
```csharp
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration.Claims;

// Note: 'userLoginName' is a string containing the value of the 'LoginName' property
// from an SPUser object. In a claims-enabled web app, this will be a string similar
// to "i:0#.w|CONTOSO\JohnSmith".
if (SPClaimProviderManager.IsEncodedClaim(userLoginName))
{
    SPClaim claim = SPClaimProviderManager.Local.DecodeClaim(userLoginName);
    if (SPOriginalIssuers.GetIssuerType(claim.OriginalIssuer) == SPOriginalIssuerType.Windows)
    {
        // User identity claim maps back to a Windows/AD account.
        // Now I can use 'claim.Value' to grab the account name ("DOMAIN\Username")
        // and do something with it.
        // Note: SPClaimProviderManager.Local.ConvertClaimToIdentifier() could also be used
        // to get the account name from the claim, but in the case of a Windows-issued
        // identity claim it'll return the same string as the 'Value' property of the
        // SPClaim object.
    }
}
```
SPOriginalIssuerType is an enumeration that contains the following values:
- ClaimsProvider
- Forms
- SecurityTokenService
- TrustedProvider
- Unknown
- Windows
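The issuer check above can be wrapped in a reusable helper. The following is an added example, not code from the original post: the class and method names are hypothetical, and the extra claim-type check is an added assumption that covers the case where an `SPUser` represents an Active Directory group, whose Windows-issued claim carries a SID in `Value` rather than "DOMAIN\Username".

```csharp
using System;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration.Claims;

// Hypothetical helper: the name and shape are assumptions, not a SharePoint API.
public static class WindowsClaimHelper
{
    // Returns true and sets accountName ("DOMAIN\Username") only when loginName is an
    // encoded claim that was issued by Windows AND is a user logon name claim.
    public static bool TryGetWindowsAccountName(string loginName, out string accountName)
    {
        accountName = null;

        // Empty input, or a login name that is not an encoded claim: nothing to decode.
        if (string.IsNullOrEmpty(loginName) || !SPClaimProviderManager.IsEncodedClaim(loginName))
            return false;

        // Guard against the claims infrastructure being unavailable in this context.
        SPClaimProviderManager manager = SPClaimProviderManager.Local;
        if (manager == null)
            return false;

        SPClaim claim = manager.DecodeClaim(loginName);

        // Forms, TrustedProvider, etc. are rejected here, so no AD lookup is attempted.
        if (SPOriginalIssuers.GetIssuerType(claim.OriginalIssuer) != SPOriginalIssuerType.Windows)
            return false;

        // A Windows-issued claim is not necessarily a user: group claims are also
        // issued by Windows. Only accept the user logon name claim type.
        if (!string.Equals(claim.ClaimType, SPClaimTypes.UserLogonName,
                           StringComparison.OrdinalIgnoreCase))
            return false;

        accountName = claim.Value;
        return true;
    }

    // Convenience overload for an SPUser; AD groups are skipped up front.
    public static bool TryGetWindowsAccountName(SPUser user, out string accountName)
    {
        accountName = null;
        return user != null
            && !user.IsDomainGroup
            && TryGetWindowsAccountName(user.LoginName, out accountName);
    }
}
```

Callers perform the Active Directory lookup only when the method returns true, so a Forms or trusted-provider identity never reaches the directory query.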
Hopefully this will get you started down the right path. Happy claims coding!