In System.IdentityModel.Claims there are three entries: UPN, Name and NameIdentifier "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
While debugging after authentication with AzureAD, OpenIdConnect and Office365. I see that name and upn are always the same, something that looks like the 'email' of a given user: e.g. [email protected] or [email protected] while the nameidentifier is a non human readable identifier.
Then, I do have a couple of questions:
1) Does 'name' and 'upn' will always be the same in my context?
2) Are they mutable? We see that the domain name is present in the name (or upn) does it means that if contoso.com is acquired by rototo.com the name and upn could be modified? Or similarly, if the company started its Office365 subscription without a custom domain name but later they decide to by one? The values of those claims may change?
3) It is related to 2) but does NameIdentifier the only safe way to get a reference to a particular user? For example to store as a foreign key in the database?
In this article Gets the URI for a claim that specifies a user principal name (UPN).
IT Admin: Office 365 – Why Your User Principal Name (UPN) Should Match Your Email Address. In the Windows operating system's Active Directory, a User Principal Name (UPN) is the name of a user. The User Principal Name is basically the ID of the user in Active Directory and sometimes might not be same as users' email.
After a UPN change, users will need to browse to re-open active OneDrive files in their new location. Any links to the files (including browser favorites, desktop shortcuts, and "Recent" lists in Office apps and Windows) will no longer work.
When a user signs in, Azure AD sends an ID token that contains a set of claims about the user. A claim is simply a piece of information, expressed as a key/value pair. For example, email = [email protected] .
Refer User Name Formats
The first answers the second question to some part. UPN will change based on the domain. Domain is the UPN suffix. The Name is the display name and may not change unless you specify the rules when migrating AD users from one domain to another.
NameIdentifier is the unique "SAML name identifier of the user". In other terms its just the ID of the user object. Purpose: When trying to identify a user uniquely this should be your go-to choice.
Refer:
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With