Custom Short Names

The short name (also known as the account name) of a macOS local account is used to keep track of files and information about a user on Mac computers. The short name matches the user's home folder name and can also be used to log in to computers.

Jamf Connect uses the contents of a user's ID token (a JSON Web Token, JWT) to determine the short name of a new local account. After successful authentication, Jamf Connect receives an ID token from your cloud identity provider (IdP) and checks the following claims (comparable to attribute assertions in SAML) in order, using the first one present as the short name:

  1. A custom claim specified by the Short Name Attribute (OIDCShortName) setting. Common custom claims used for a short name include given_name and name

  2. unique_name

  3. preferred_username

  4. email

  5. sub

If none of these claims exist in the token, "jamfconnect" is used as the short name.

Custom Short Names

You can configure the Short Name Attribute (OIDCShortName) setting in your login window configuration profile to customize which claim in an ID token is used as the local account short name.

Keep the following in mind when configuring custom short names for local accounts:

  • You can only use claims sent in an ID token to configure short names.

  • If the claim you want to use is not in a standard ID token, you can receive additional claims by requesting additional scopes with the OpenID Connect Scopes (OIDCScopes) setting.

    Note: OpenID Connect's built-in profile scope contains commonly used claims with user information.

  • Standard scopes and claims sent in an ID token may vary by IdP. To see what claims are included in an ID token sent by your IdP, you can use any of the following:

    • Jamf Connect Configuration's testing feature

    • The Formatted ID Token Path (OIDCIDTokenPath) setting to store and view the token locally

    • A third-party JSON Web Token (JWT) decoder

  • If Jamf Connect is used to connect a network account to an existing local account, the custom short name is added as a local account alias (an alternate short name that can be used for local authentication).
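The claim lookup order described above, together with the ID-token inspection suggested in this list, as an added Python example. This is not Jamf Connect's own code: it decodes the payload of a constructed ID token without verifying the signature (which is all a third-party JWT decoder does) and then walks the claims in the documented order to show which one becomes the short name. The sample claims, the unsigned token with an empty signature, and the helper names are constructed for illustration.

```python
import base64
import json
from typing import Optional, Tuple

# Fallback claims Jamf Connect checks after the custom OIDCShortName claim,
# in the order the documentation lists them.
FALLBACK_CLAIMS = ("unique_name", "preferred_username", "email", "sub")
DEFAULT_SHORT_NAME = "jamfconnect"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url, the JWT segment encoding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_id_token_claims(id_token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature.

    This is what a third-party JWT decoder shows you: use it to see which
    claims your IdP includes, never to trust those claims. Jamf Connect
    validates the token itself; this helper does not.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def select_short_name(claims: dict, oidc_short_name: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """Apply the documented lookup order and report which claim won.

    Returns (short_name, claim_used); claim_used is None when the default
    "jamfconnect" applies. Empty or non-string claim values are treated as
    absent (an assumption of this example, not documented behaviour).
    """
    order = ((oidc_short_name,) if oidc_short_name else ()) + FALLBACK_CLAIMS
    for claim in order:
        value = claims.get(claim)
        if isinstance(value, str) and value.strip():
            return value, claim
    return DEFAULT_SHORT_NAME, None


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed JWT with an empty signature, for demonstration only."""

    def compact(obj: dict) -> bytes:
        return json.dumps(obj, separators=(",", ":")).encode("utf-8")

    header = {"alg": "none", "typ": "JWT"}
    return f"{b64url_encode(compact(header))}.{b64url_encode(compact(claims))}."


# Constructed sample claims; not output from any real IdP.
SAMPLE_CLAIMS = {
    "sub": "00u1abcdefghijklmnop",
    "email": "ada.lovelace@example.com",
    "preferred_username": "ada.lovelace@example.com",
    "given_name": "Ada",
    "name": "Ada Lovelace",
}
SAMPLE_ID_TOKEN = make_unsigned_token(SAMPLE_CLAIMS)


if __name__ == "__main__":
    claims = decode_id_token_claims(SAMPLE_ID_TOKEN)
    print("claims present:", sorted(claims))
    # No custom claim configured, a custom claim that exists, and one that does not.
    for setting in (None, "given_name", "employee_id"):
        name, source = select_short_name(claims, setting)
        print(f"OIDCShortName={setting!r:<14} -> {name!r} (from claim {source!r})")
```

Because the sample token carries no unique_name claim, the default lookup lands on preferred_username; setting OIDCShortName to given_name selects "Ada", and setting it to a claim the IdP did not send (employee_id here) silently falls through to the same fallback list. That last case is the one to check before deploying a custom short name: if the claim is missing from the token, request the scope that carries it rather than relying on the fallback.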

Advanced Login Authentication Settings

Domain: com.jamf.connect.login

Description: Used to configure advanced authentication settings and use custom claims in an ID token.

Key: OIDCAuthServer
Name: Custom Okta Authorization Server
Description: (Okta only) Specifies a custom authorization server in your Okta tenant, which can be used to send custom scopes and claims in a user's ID token (stored via the OIDCIDTokenPath key) during local account creation.

Set this value to the custom authorization server ID, which is the string at the end of the custom authorization server's issuer URI. In the issuer URI below, "aus8o8wzjhckw9TLa0t8q" is the authorization server ID:

https://your-custom-auth-server.okta.com/oauth2/aus8o8wzjhckw9TLa0t8q

Use this setting only if your Okta tenant has a separate authorization server that manages OpenID Connect apps and ID token attributes. If this key is set to the same value as the primary tenant configured with the Auth Server (AuthServer) key, authentication with Okta may fail with unexpected errors.

For more information about creating a custom authorization server, see the following resource from Okta: https://developer.okta.com/docs/guides/customize-authz-server/overview/

Example:
<key>OIDCAuthServer</key>
<string>aus8o8wzjhckw9TLa0t8q</string>

Key: OIDCIgnoreCookies
Name: Ignore Cookies
Description: When set to true, Jamf Connect ignores any cookies stored by the loginwindow application.

Example:
<key>OIDCIgnoreCookies</key>
<false/>

Key: OIDCScopes
Name: OpenID Connect Scopes
Description: Specifies custom scopes, which return additional claims in a user's ID token during authorization. Standard scopes include openid, profile, and offline_access. If you include multiple scopes, separate them with a "+".

Example:
<key>OIDCScopes</key>
<string>openid+profile</string>

Key: OIDCShortName
Name: Short Name
Description: Specifies which claim from a user's ID token to use as the account short name. When Jamf Connect connects a network account to an existing local account, the short name is added to that account as an alias.

Note: If the claim you want to use is not in the standard ID token, you can receive additional claims in an ID token by requesting additional scopes with the OIDCScopes preference key.

Example:
<key>OIDCShortName</key>
<string>given_name</string>

Key: OIDCIDTokenPath
Name: Formatted ID Token Path
Description: Specifies the file path used to store a user's formatted ID token.

Note: This key requires the RunScript mechanism to be enabled. For more information, see Login Scripts.

Example:
<key>OIDCIDTokenPath</key>
<string>/tmp/token</string>

Key: OIDCIDTokenPathRaw
Name: Raw ID Token Path
Description: Specifies the file path used to store a user's raw ID token.

Note: This key requires the RunScript mechanism to be enabled. For more information, see Login Scripts.

Note: Both token files contain the user's identity claims. Choose a path that other local users cannot read, and have your login script remove the file once it has consumed the token.

Example:
<key>OIDCIDTokenPathRaw</key>
<string>/tmp/token-raw</string>

© copyright 2002-2020 Jamf. All rights reserved.