11

In System.IdentityModel.Claims there are three entries: UPN, Name and NameIdentifier "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"

While debugging after authentication with AzureAD, OpenIdConnect and Office365. I see that name and upn are always the same, something that looks like the 'email' of a given user: e.g. johndoe@contoso.com or johdoe@contoso.onmicrosoft.com while the nameidentifier is a non human readable identifier.

Then, I do have a couple of questions:

1) Does 'name' and 'upn' will always be the same in my context?

2) Are they mutable? We see that the domain name is present in the name (or upn) does it means that if contoso.com is acquired by rototo.com the name and upn could be modified? Or similarly, if the company started its Office365 subscription without a custom domain name but later they decide to by one? The values of those claims may change?

3) It is related to 2) but does NameIdentifier the only safe way to get a reference to a particular user? For example to store as a foreign key in the database?

Benoit Patra
  • 4,355
  • 5
  • 30
  • 53

1 Answers1

16
  1. UPN is the User Principal Name. It is always in the format which looks like an email address. Essentially it has 3 parts. User account name, the separator (i.e. @ symbol) and UPN suffix or Domain name. Its primary purpose is to use during the authentication. Whereas the Name is supposed to be for display purposes. The Name and UPN can be same or different. Depending upon your objective you should use one vs the other.

Refer User Name Formats

  1. The first answers the second question to some part. UPN will change based on the domain. Domain is the UPN suffix. The Name is the display name and may not change unless you specify the rules when migrating AD users from one domain to another.

  2. NameIdentifier is the unique "SAML name identifier of the user". In other terms its just the ID of the user object. Purpose: When trying to identify a user uniquely this should be your go-to choice.

Refer:

Community
  • 1
  • 1
Aman Sharma
  • 1,930
  • 1
  • 17
  • 31