What’s New in XCreds 4.0
Select Existing User Account During Account Creation
When the new preference key shouldPromptForMigration is set, a new login is detected, and there are existing standard user accounts on the system, the user will be prompted for a username and password.
If the username and password are successfully entered for an existing account, this local account will then be used when logging in with this cloud account. The local account has two new DS attributes added:
dsAttrTypeNative:_xcreds_oidc_sub – Subscriber. Unique identifier for account within the current issuer.
dsAttrTypeNative:_xcreds_oidc_iss – Issuer
In subsequent logins, the user account is selected by matching the sub and iss from the identity token to the values in the local account.
Note that the user will only be prompted if there are existing standard accounts on the system and the login does not have a locally mapped account.
The dialog for migration has a “Create New Account” button that allows the user to skip migration and create a local account. If a local account using the prior logic exists, it will be mapped.
Allow Admin to Reset User Password at Login
When logging in at the cloud login window and the local password is not the same as the cloud password, the user is prompted to enter the local password. If the user does not know the password, a prompt will be shown allowing an admin to enter credentials to approve a password reset. If admin credentials are entered correctly, the user account will be changed to the new password. A new keychain will be created (and the old one moved aside). This is a separate option from using an override script to handle this situation with the preferences for
Key Combination for Showing Standard and Mac Login Window
Setting the new preference key shouldAllowKeyComboForMacLoginWindow allows switching login between cloud and standard/Mac login using a key combination regardless of the hidden state of the Switch Login Window button (#121). The keys are as follows:
Option-Control-Return: Switch between cloud and standard login window.
Command-Option-Control-Return: Switch between cloud and Mac login window.
When the new preference aliasName is set to a claim in the identity token, the value in that claim is used to set an alias on the user account, allowing them to log in with it. See issue.
An example: Set the preferences to have aliasName = “upn”. Log in as email@example.com. The identity token has a claim called “upn” whose value is firstname.lastname@example.org. XCreds then adds firstname.lastname@example.org as an alias, and the user can log in with either email@example.com or firstname.lastname@example.org at the local and Mac login window. This gives the user a consistent way to log in at the cloud login or the standard / Mac login window.
Saving Groups to Account Attributes
When logging in as a member of groups, XCreds will add a new attribute to the local account called _xcreds_groups that will have a value of the name or ID of the user’s assigned groups as a comma separated list. For Active Directory this attribute value will be the group names, whereas for Azure it will be group IDs. Note that for Active Directory the primary group “Domain User” is not a direct membership and will not be included.
CreateAdminIfGroupMember Checked At Each Login
Previously the preference key CreateAdminIfGroupMember would only give a user account admin status if the user was a group member the first time the user logged in. This preference key is now checked at each login and admin status is added or removed based on current group membership.
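As an added example, not code from the XCreds project, the following POSIX shell functions audit the attributes described above (_xcreds_oidc_iss, _xcreds_oidc_sub and the comma-separated _xcreds_groups list) from dscl-style account output: checking whether an account carries a given group and whether it matches a token's iss/sub pair. The dscl output and every identifier in it are constructed sample values.

```shell
#!/bin/sh
# Added example, not XCreds's own code: audit the XCreds attributes on a local
# account as they appear in `dscl . -read /Users/<name>` output. On a Mac you
# would pass real output, e.g. in_xcreds_group "$(dscl . -read /Users/alice)" <id>;
# here a constructed sample is embedded so the functions run anywhere.

# Constructed sample dscl output for a migrated account. Every value is made up;
# a real Azure _xcreds_groups list holds group IDs, an AD list holds group names.
SAMPLE_DSCL_OUTPUT='RecordName: alice
UniqueID: 502
dsAttrTypeNative:_xcreds_oidc_iss: https://issuer.example.test/tenant-placeholder/v2.0
dsAttrTypeNative:_xcreds_oidc_sub: sub-placeholder-0001
dsAttrTypeNative:_xcreds_groups: group-id-aaaa,group-id-bbbb,group-id-cccc'

# dscl_attr OUTPUT NAME: print the value of native attribute NAME (without the
# dsAttrTypeNative: prefix). Assumes the single-line form shown in the sample.
dscl_attr() {
  printf '%s\n' "$1" | sed -n "s/^dsAttrTypeNative:$2: //p"
}

# in_xcreds_group OUTPUT GROUP: exit 0 if GROUP is one of the comma-separated
# entries in _xcreds_groups. Whole-entry, fixed-string match, so "aaaa" does not
# match "group-id-aaaa" (the kind of check CreateAdminIfGroupMember needs per login).
in_xcreds_group() {
  dscl_attr "$1" _xcreds_groups | tr ',' '\n' | grep -qxF -- "$2"
}

# matches_token OUTPUT ISS SUB: exit 0 if the account's stored issuer and
# subject both equal the values from an identity token, which is how the
# account is selected on subsequent logins. Both must match; iss alone is
# not enough because every user of one tenant shares the same issuer.
matches_token() {
  [ "$(dscl_attr "$1" _xcreds_oidc_iss)" = "$2" ] &&
    [ "$(dscl_attr "$1" _xcreds_oidc_sub)" = "$3" ]
}

# Stand-alone run against the constructed sample.
if in_xcreds_group "$SAMPLE_DSCL_OUTPUT" group-id-bbbb; then
  echo "alice is in group-id-bbbb"
fi
if matches_token "$SAMPLE_DSCL_OUTPUT" \
     https://issuer.example.test/tenant-placeholder/v2.0 sub-placeholder-0001; then
  echo "alice matches the token's iss/sub"
fi
```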
Add Arbitrary Claims to Local DS User Account
A new preference key claimsToAddToLocalUserAccount, taking an array of strings as its value, was added. Adding a claim will result in that claim being added to the user’s local DS account on next login. By default, if this key is not defined, the groups claim will be added automatically.
Refactored Preferences for ROPG
Configuring ROPG now uses the same preference keys as other authentication configs: clientSecret. This allows deprecating the preference keys for shouldVerifyPasswordWithRopg. Instead, there are now the following preference keys to use ROPG for each of the separate use cases:
User login can now be restricted by setting the preference key allowedUsersArray to a whitelist of allowed users. This list is then matched against the value returned by the claim specified with the preference key allowUsersClaim. As an example, allowUsersClaim could be set to upn and the value for allowedUsersArray could be set to a list of user IDs. Then when an XCreds user tries to sign in, they would only succeed if the IdP value returned for the claim upn matched their username.
Other New Features and Fixes
- Removed logging messages that had a local path from the build system.
- Updated postinstall to better handle the setup assistant and userland install scenarios. Thanks to Clkw0rk for the pull request.
- Reload login window on network changes. Thanks to Clkw0rk for the pull request and credit to @hurricanehrndz and the CPE Team at Yelp.
- Reload login window after wifi connected. Thanks to Clkw0rk for the pull request.
- Add encoding for special characters to tokenmanager. Thanks to Clkw0rk for the pull request.
- Use default desktop from CoreServices. Thanks to Clkw0rk and the CPE Team at Yelp for the pull request.
- Updated animation when logging in.
- Fixed behavior for preference key
- Fixed documented minimum for loginWindowWidth and loginWindowHeight. Minimum is 150. Anything less than that will change it to 150.
- Fixed issue with Active Directory sign-in after password change that caused later sign-in to fail.
- Added new preference key loadPageInfo to customize info shown at login window when internet is not available.
- Added new preference key shouldPromptForADPasswordChange to prompt the user when the Active Directory domain controller indicates that the password is expired or needs to be changed.
- Added new preference key hideIfPathExists for special use-cases to hide the login window UI entirely when desired.