Claims: difference between UPN, Name with Azure AD

In System.IdentityModel.Claims there are three entries: UPN, Name and NameIdentifier:

  • "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
  • "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
  • "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"

While debugging after authentication with AzureAD, OpenIdConnect and Office365, I see that name and upn are always the same, something that looks like the 'email' of a given user, e.g. [email protected] or [email protected], while the nameidentifier is a non-human-readable identifier.

Then, I do have a couple of questions:

1) Will 'name' and 'upn' always be the same in my context?

2) Are they mutable? We see that the domain name is present in the name (or upn); does it mean that if contoso.com is acquired by rototo.com the name and upn could be modified? Or similarly, if the company started its Office365 subscription without a custom domain name but later decides to buy one, may the values of those claims change?

3) It is related to 2), but is NameIdentifier the only safe way to get a reference to a particular user, for example to store as a foreign key in the database?

Benoit Patra asked Apr 19 '16 14:04



1 Answer

  1. UPN is the User Principal Name. It is always in a format which looks like an email address. Essentially it has 3 parts: the user account name, the separator (i.e. the @ symbol) and the UPN suffix or domain name. Its primary purpose is for use during authentication, whereas the Name is supposed to be for display purposes. The Name and UPN can be the same or different. Depending upon your objective you should use one or the other.

Refer to User Name Formats

  2. The first point partly answers the second question. UPN will change based on the domain, since the domain is the UPN suffix. The Name is the display name and may not change unless you specify the rules when migrating AD users from one domain to another.

  3. NameIdentifier is the unique "SAML name identifier of the user". In other terms, it's just the ID of the user object. Purpose: when trying to identify a user uniquely, this should be your go-to choice.

Refer:

  • The Role of Claims
  • Earlier question on Stackoverflow regarding purpose of NameIdentifier
Aman Sharma answered Sep 20 '22 20:09
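An added example (not code from the question or the answer) showing the third point in C#: the stable database key is taken only from NameIdentifier, Name and UPN are treated as display values, and the same constructed user is compared before and after a custom-domain change. It assumes System.Security.Claims (the successor of System.IdentityModel.Claims; the three claim URIs are identical), and every claim value is constructed.

```csharp
using System;
using System.Security.Claims;

// Added example: which of the three claims may serve as a foreign key.
public static class UserKeyResolver
{
    // NameIdentifier is the only one of the three that does not embed the
    // domain, so it survives a UPN-suffix (domain) change.
    public static string StableKey(ClaimsPrincipal principal)
    {
        var id = principal.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (string.IsNullOrWhiteSpace(id))
            throw new InvalidOperationException(
                "Token carries no nameidentifier claim; refuse to link it to a user record.");
        return id;
    }

    // Display value only: Name first, UPN as a fallback. Never persist this as a key.
    public static string DisplayName(ClaimsPrincipal principal) =>
        principal.FindFirst(ClaimTypes.Name)?.Value
        ?? principal.FindFirst(ClaimTypes.Upn)?.Value
        ?? "(unknown)";

    // Builds a principal from the three claims the question lists (constructed values).
    private static ClaimsPrincipal Build(string name, string upn, string nameId) =>
        new ClaimsPrincipal(new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Name, name),
            new Claim(ClaimTypes.Upn, upn),
            new Claim(ClaimTypes.NameIdentifier, nameId),
        }, "AzureAD"));

    public static void Main()
    {
        // Same user before and after the tenant adds a custom domain (constructed sample).
        var before = Build("alice@contoso.onmicrosoft.com", "alice@contoso.onmicrosoft.com", "constructed-id-0001");
        var after  = Build("alice@contoso.com",             "alice@contoso.com",             "constructed-id-0001");

        Console.WriteLine($"display before: {DisplayName(before)} / after: {DisplayName(after)}");
        Console.WriteLine($"key     before: {StableKey(before)} / after: {StableKey(after)}");

        // A row keyed on UPN would no longer match; a row keyed on NameIdentifier still does.
        bool sameByUpn = before.FindFirst(ClaimTypes.Upn)?.Value == after.FindFirst(ClaimTypes.Upn)?.Value;
        bool sameByKey = StableKey(before) == StableKey(after);
        Console.WriteLine($"matched by UPN: {sameByUpn}, matched by NameIdentifier: {sameByKey}");
    }
}
```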