I’ve only tested the remove operation, but I’m assuming the get operation operates the same way.
In my testing, the loginName parameter must be the full claim name, for example (i:0#.w|wingtipmdebakey) instead of the friendlier WingtipMDebakey. This severely limits the usefulness of these functions because, unless you are going to hard code the claim token and provider information (the i:0#.w| part) and then tack the user-friendly login name on the end, which is probably a bad idea as it restricts your code from working across different claim types or providers, you’re going to have to get the user object first and get the login name from there (via user.get_loginName), at which point, you might as well just use the remove method on the UserCollection object.
In other words, instead of this:
var user = web.ensureUser(“Wingtip\MDebakey”);
Just do this:
var user = web.ensureUser("Wingtip\MDebakey");