Question

Looking through the documentation on configuring SharePoint 2013 to use ADFS or to use OneLogin, I noticed that the documentation for defining the identity and role claim mappings with ADFS uses UPN as a claim mapping. When looking at the documentation for OneLogin, I see that they use the ROLE claim mapping. Samples below:

$upnClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming

or

$role=New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

My question is: what is the difference between UPN and ROLE, and why would one be used vs the other?


Solution

In its simplest form, claims are simply statements (for example, name, identity, group), made about users, that are used primarily for authorizing access to claims-based applications located anywhere on the Internet. Each statement corresponds to a value that is stored in the claim.

It depends. A claim type provides context for the claim value. It is usually expressed as a Uniform Resource Identifier (URI). AD FS can support any claim type, and it is configured with the claim types in the following table by default.

UPN = The user principal name (UPN) of the user

Role = A role that the user has

Read this TechNet article for more about claim types and all the available claim types.

http://technet.microsoft.com/en-us/library/ee913589.aspx
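
The two mappings from the question are normally registered together rather than chosen between: one claim (here UPN) is declared the identifier claim that names the user, while role claims carry group-style values that permissions are granted to. The sketch below is an added example, not part of the original question or answer; the certificate path, realm, sign-in URL, issuer name, site URL and role value are placeholder assumptions.

```powershell
# Added example. Run in the SharePoint 2013 Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Placeholder values (assumptions): replace with your own environment's settings.
$certPath  = "C:\certs\sts-signing.cer"          # token-signing cert exported from the IdP
$realm     = "urn:sharepoint:portal"             # must match the relying party identifier
$signInUrl = "https://sts.example.com/adfs/ls"   # IdP passive sign-in endpoint
$siteUrl   = "https://portal.example.com"        # hypothetical web application URL

# Trust the IdP's signing certificate so SharePoint accepts tokens signed with it.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
New-SPTrustedRootAuthority -Name "STS Token Signing" -Certificate $cert

# Identity claim: answers "who is this user?" (one value per user).
$upnClaimMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" `
    -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming

# Role claim: answers "what is this user a member of?" (zero or more values per user).
$roleClaimMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# Register the issuer with both mappings; UPN is the identifier claim.
$issuer = New-SPTrustedIdentityTokenIssuer -Name "ExampleSTS" `
    -Description "Example SAML token issuer" `
    -Realm $realm -ImportTrustCertificate $cert `
    -ClaimsMappings $upnClaimMap, $roleClaimMap `
    -SignInUrl $signInUrl `
    -IdentifierClaim $upnClaimMap.InputClaimType

# Grant access by role rather than per user: anyone whose token carries
# Role = "SP-Readers" (constructed value) gets Read on the site.
$rolePrincipal = New-SPClaimsPrincipal -ClaimValue "SP-Readers" `
    -ClaimType $roleClaimMap.InputClaimType `
    -TrustedIdentityTokenIssuer $issuer
New-SPUser -UserAlias $rolePrincipal.ToEncodedString() -Web $siteUrl -PermissionLevel "Read"
```

Whichever claim is chosen as the identifier, the identity provider must actually issue it for every user, or sign-in fails before any role-based permission is evaluated.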

Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange