How to Get the Real Original Issuer for an Identity Claim in SharePoint 2010

I’ve done this task a variety of ways over the past year but finally decided that I should just do things the “right” way.  The task is simply enough – when your custom claims provider is being invoked, like during claims augmentation, and you want to know what kind of user they are – Windows claims, FBA claims or SAML claims, how should we do that?  Rather than give you the different variety of ways I’ve done this in the past, here is a short chunk of code that summarizes the right way to do it.


//get the claim provider manager

SPClaimProviderManager cpm = SPClaimProviderManager.Local;


//get the current user so we can get to the “real” original issuer

SPClaim curUser = SPClaimProviderManager.DecodeUserIdentifierClaim(entity);


//get the original issuer for the user

SPOriginalIssuerType loginType = SPOriginalIssuers.GetIssuerType(curUser.OriginalIssuer);


if (loginType == SPOriginalIssuerType.Windows)


//do windows


else if ((loginType == SPOriginalIssuerType.TrustedProvider) ||

(loginType == SPOriginalIssuerType.ClaimProvider))


//do SAML



I think the code is pretty straightforward so I don’t have a lot of commentary to add.  In this case, the “entity” parameter being used in the DecodeUserIdentifierClaim method was passed in as part of my override of FillClaimsForEntity (i.e. augmenting claims) in my custom claims provider.  The method illustrated here should work pretty well anywhere in a custom claims provider.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s