What’s New in XCreds 4.0
Select Existing User Account During Account Creation
Using the new preference key shouldPromptForMigration, when a new login is detected and there are existing standard user accounts on the system, the user will be prompted for a username and password.
If the username and password are successfully entered for an existing account, this local account will then be used when logging in with this cloud account. The local account has 2 new DS attributes added:
dsAttrTypeNative:_xcreds_oidc_sub – Subscriber (sub). Unique identifier for the account within the current issuer.
dsAttrTypeNative:_xcreds_oidc_iss – Issuer (iss).
In subsequent logins, the user account is selected by matching the sub and iss from the identity token to the values in the local account.
Note that the user will only be prompted if there are existing standard accounts on the system and the login does not have a locally mapped account.
The dialog for migration has a “Create New Account” button that will allow them to skip migration and create a local account. If a local account using the prior logic exists, it will be mapped.
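The sub/iss matching and migration prompt described above, as an added Python example that is not XCreds code: it assumes the identity token's signature has already been verified upstream, models Directory Services as a dictionary, and the `admin` flag, `make_id_token` helper and all sample values are constructed.

```python
import base64
import json

# Added example (not XCreds code): how an identity token is matched to a local
# account via the two DS attributes above, and when the migration prompt fires.
# The in-memory account dict stands in for Directory Services.

SUB_ATTR = "dsAttrTypeNative:_xcreds_oidc_sub"
ISS_ATTR = "dsAttrTypeNative:_xcreds_oidc_iss"

def make_id_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED sample token (header.payload.signature)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + ".placeholder-signature"

def claims_from_id_token(id_token: str) -> dict:
    """Decode the payload only; signature validation is assumed done upstream."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def find_mapped_account(claims: dict, accounts: dict):
    """Return the account whose stored sub AND iss equal the token's, else None."""
    sub, iss = claims.get("sub"), claims.get("iss")
    if not sub or not iss:  # never match an unmapped account on missing values
        return None
    for name, attrs in accounts.items():
        if attrs.get(SUB_ATTR) == sub and attrs.get(ISS_ATTR) == iss:
            return name
    return None

def should_prompt_for_migration(prefs: dict, claims: dict, accounts: dict) -> bool:
    """Prompt only when enabled, no account is mapped, and a standard account exists."""
    if not prefs.get("shouldPromptForMigration"):
        return False
    if find_mapped_account(claims, accounts) is not None:
        return False
    return any(not attrs.get("admin", False) for attrs in accounts.values())

def map_account(claims: dict, accounts: dict, chosen: str) -> None:
    """After the user proves the local password, record sub/iss on that account."""
    accounts[chosen][SUB_ATTR] = claims["sub"]
    accounts[chosen][ISS_ATTR] = claims["iss"]

# Constructed sample data: first cloud login on a Mac with one standard user.
SAMPLE_TOKEN = make_id_token({"iss": "https://idp.example.com", "sub": "user-1234",
                              "upn": "barney@twocanoes.com"})
SAMPLE_ACCOUNTS = {"barney": {"admin": False}, "itadmin": {"admin": True}}
```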
Allow Admin to Reset User Password at Login
When logging in at the cloud login window and the local password is not the same as the cloud password, the user is prompted to enter the local password. If the user does not know the password, a prompt will be shown allowing an admin to enter credentials to approve a password reset. If admin credentials are entered correctly, the user account will be changed to the new password. A new keychain will be created (and the old one moved aside). This is a separate option from using an override script to handle this situation with the preferences localAdminUserName and localAdminPassword.
Key Combination for Showing Standard and Mac Login Window
Setting the new preference key shouldAllowKeyComboForMacLoginWindow allows switching login between cloud and standard/Mac login using a key combination regardless of the hidden state of the Switch Login Window button (#121). The keys are as follows:
Option-Control-Return: Switch between cloud and standard login window.
Command-Option-Control-Return: Switch between cloud and Mac login window.
Account Alias
When the new preference aliasName is set to the name of a claim in the identity token, the value of that claim is used to set an alias on the user account, allowing the user to log in with it. See issue.
An example: set the preference aliasName = “upn”. Log in as barney@twocanoes.com. The identity token has a claim called “upn” whose value is barney@twocanoes.com. XCreds then adds barney@twocanoes.com as an alias, and the user can log in with either barney or barney@twocanoes.com at the local and Mac login window. This gives the user a consistent way to log in at the cloud login or the standard / Mac login window.
Saving Groups to Account Attributes
When logging in as a member of groups, XCreds will add a new attribute to the local account called _xcreds_groups whose value is the name or ID of the user’s assigned groups as a comma separated list. For Active Directory this attribute value will be the group names, whereas for Azure it will be group IDs. Note that for Active Directory the primary group “Domain User” is not a direct membership and will not be included.
CreateAdminIfGroupMember Checked At Each Login
Previously the preference key CreateAdminIfGroupMember would only give a user account admin status if the user was a group member at the time the user first logged in. This preference key is now checked at each login and admin status is added or removed based on current group membership.
Add Arbitrary Claims to Local DS User Account
A new preference key claimsToAddToLocalUserAccount, whose value is an array of strings, was added. Listing a claim results in that claim being added to the user’s local DS account on next login. By default, if this key is not defined, the groups claim will be added automatically.
Refactored Preferences for ROPG
Configuring ROPG now uses the same preference keys as other authentication configs: clientID and clientSecret. This allows deprecating the preference keys ropgClientID, ropgClientSecret, and shouldVerifyPasswordWithRopg. Instead there are now the following preference keys to use ROPG for each of the separate use cases:
1. shouldUseROPGForLoginWindowLogin
2. shouldUseROPGForMenuLogin
3. shouldUseROPGForPasswordChangeChecking
Allowed Users
User login can now be restricted by setting the preference key allowedUsersArray to a whitelist of allowed users. This list is then matched against the value returned by the claim specified with the preference key allowUsersClaim. As an example, allowUsersClaim could be set to upn and the value for allowedUsersArray could be set to a list of user IDs. Then when an XCreds user tries to sign in, they would only succeed if the IdP value returned for the claim upn matched their username.
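The allowed-user check above, together with the aliasName, _xcreds_groups and CreateAdminIfGroupMember behaviour from the earlier sections, as an added Python example that is not XCreds code. It assumes exact string matching, that group membership arrives in a claim named "groups", that allowUsersClaim defaults to upn when unset, and that CreateAdminIfGroupMember holds a list of admin-granting group names; all sample values are constructed.

```python
# Added example (not XCreds code): the per-login, claim-driven checks from the
# Allowed Users, Account Alias, Saving Groups and CreateAdminIfGroupMember
# sections, applied to an already-verified set of identity-token claims.
# Assumptions: exact string matching, a "groups" claim carrying the membership
# list, and CreateAdminIfGroupMember holding the list of admin-granting groups.

def is_user_allowed(prefs: dict, claims: dict) -> bool:
    """allowedUsersArray is an allowlist checked against the allowUsersClaim value."""
    allowed = prefs.get("allowedUsersArray")
    if allowed is None:  # key not set: no restriction
        return True
    claim_name = prefs.get("allowUsersClaim", "upn")  # default claim is an assumption
    value = claims.get(claim_name)
    return value is not None and value in allowed

def alias_for(prefs: dict, claims: dict):
    """aliasName names the claim whose value becomes a login alias (None if unset)."""
    claim_name = prefs.get("aliasName")
    return claims.get(claim_name) if claim_name else None

def groups_attribute(claims: dict) -> str:
    """_xcreds_groups holds the group names (AD) or IDs (Azure), comma separated."""
    return ",".join(claims.get("groups", []))

def should_be_admin(prefs: dict, claims: dict) -> bool:
    """Re-evaluated at every login, so admin rights follow current membership."""
    admin_groups = set(prefs.get("CreateAdminIfGroupMember", []))
    return bool(admin_groups & set(claims.get("groups", [])))

def evaluate_login(prefs: dict, claims: dict) -> dict:
    """Combine the checks into what would be applied to the local account."""
    if not is_user_allowed(prefs, claims):
        return {"allowed": False}
    return {
        "allowed": True,
        "alias": alias_for(prefs, claims),
        "_xcreds_groups": groups_attribute(claims),
        "admin": should_be_admin(prefs, claims),
    }

# Constructed sample preferences and claims.
SAMPLE_PREFS = {
    "allowUsersClaim": "upn",
    "allowedUsersArray": ["barney@twocanoes.com"],
    "aliasName": "upn",
    "CreateAdminIfGroupMember": ["it-admins"],
}
SAMPLE_CLAIMS = {"upn": "barney@twocanoes.com", "groups": ["it-admins", "staff"]}
```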
Other New Features and Fixes
- Removed logging messages that had a local path from the build system.
- Updated postinstall to better handle the setup assistant and userland install scenarios. Thanks to Clkw0rk for the pull request.
- Reload login window on network changes. Thanks to Clkw0rk for the pull request and credit to @hurricanehrndz and the CPE Team at Yelp.
- Reload login window after wifi connected. Thanks to Clkw0rk for the pull request.
- Add encoding for special characters to tokenmanager. Thanks to Clkw0rk for the pull request.
- Use default desktop from CoreServices. Thanks to Clkw0rk and the CPE Team at Yelp for the pull request.
- Updated animation when logging in.
- Fixed behavior for preference key shouldAllowKeyComboForMacLoginWindow.
- Fixed documented minimum for loginWindowWidth and loginWindowHeight. Minimum is 150. Anything less than that will be changed to 150.
- Fixed issue with Active Directory sign-in after password change that caused later sign-in to fail.
- Added new preference keys loadPageTitle and loadPageInfo to customize the info shown at the login window when the internet is not available.
- Added new preference key shouldPromptForADPasswordChange to prompt the user when the Active Directory domain controller indicates that the password is expired or needs to be changed.
- Added new preference key hideIfPathExists for special use-cases to hide the login window UI entirely when desired.