Friday, January 18, 2013
ADFS : objectGUID as a claim
You may have a business requirement to pass some unique key to the application that is not readily identifiable or editable. There are two possibilities in AD viz. objectSID and objectGUID.
As per SID vs. GUID, objectGUID is the better choice because:
“globally unique identifier (GUID), which is a 128-bit value is unique not only in the enterprise but also across the world” and
“the values of other object properties can change, but the object-GUID never changes. When an object is assigned a GUID, it keeps that value for life”.
So you configure the claim in the normal LDAP attribute manner and when you look at the claims, you see:
WTF – that ain’t no GUID? The two equal signs at the end would seem to indicate Base64?
Mr. Google to the rescue and viola Issuing objectGUID as an ADFS Claim.
So lets test it out. Couldn’t be bothered to create a VS project just for this so the inestimable LINQPad to the rescue.
And the GUID at the bottom is indeed what is displayed in AD.