How XCreds Maps Cloud Authentication to a Local User Account
When a user signs in for the first time to a Mac running XCreds, XCreds creates a macOS user account for them. It does this using the authentication event returned from the cloud authentication provider. After a successful cloud login, XCreds receives data from the cloud provider containing several values that describe the cloud user account. If the user identified by that data already exists on the Mac, the user is signed in to that account. Otherwise XCreds creates a new macOS user account for them.
When creating or finding this macOS user account, XCreds by default looks in the cloud authentication data for a field named unique_name. If that field does not exist, sub is used instead. Once the username is determined, the local system is checked to see if that user exists. If not, the account is created; if it does, that existing account is used as the local user. For most organizations the first part of the email address is unique, and in that case there will be no conflicts.
If an organization administrator needs to change the default behavior, XCreds provides a field called map_username that can be set using Profile Creator as explained in the XCreds Admin Guide. This field can be set to a different field name in the cloud authentication event data. The field name specified will be used instead of the
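The lookup chain described above (the map_username override, then unique_name, then sub), written out as an added Python example; this is illustrative code, not XCreds' own implementation. It assumes the short name is the part of the chosen value before '@', and that accounts created by cloud login carry the cloud value that created them, so sign-in to an unrelated pre-existing local account of the same name can be flagged for review.

```python
from dataclasses import dataclass
from typing import Optional

DEFAULT_CLAIM_ORDER = ("unique_name", "sub")  # XCreds default lookup order


@dataclass
class Resolution:
    claim_used: str           # claim that supplied the name
    cloud_value: str          # raw value taken from the authentication data
    local_name: str           # short name of the macOS account
    action: str               # "create" or "sign_in", matching the page's flow
    warning: Optional[str]    # set when an unrelated local account is reused


def short_name(value: str) -> str:
    # Assumed: use the part before '@' for email/UPN style values.
    return value.split("@", 1)[0].lower()


def resolve_local_user(claims: dict, local_accounts: dict,
                       map_username: Optional[str] = None) -> Resolution:
    """claims: decoded cloud authentication data.
    local_accounts: short name -> cloud value recorded when the account was
    created by cloud login, or None for an account created locally (assumed
    bookkeeping, not described on the page).
    map_username: optional override of the claim name, as XCreds allows."""
    order = (map_username,) if map_username else DEFAULT_CLAIM_ORDER
    for claim in order:
        value = claims.get(claim)
        if not value:
            continue  # fall through to the next claim in the chain
        name = short_name(value)
        if name not in local_accounts:
            return Resolution(claim, value, name, "create", None)
        recorded = local_accounts[name]
        warning = None
        if recorded != value:
            # Same short name, different (or no) cloud identity: the cloud
            # user is being signed into an account that was not created for them.
            warning = f"local account {name!r} not linked to {value!r}"
        return Resolution(claim, value, name, "sign_in", warning)
    raise KeyError(f"none of {order} present in authentication data")


# Constructed sample input, not real token data.
SAMPLE_CLAIMS = {"unique_name": "jdoe@corp.example", "sub": "AbC123"}
SAMPLE_LOCAL = {"admin": None, "jdoe": "jdoe@corp.example"}
```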