Custom Short Names

The short name (also known as the account name) of a macOS local account is used to keep track of files and information about a user on Mac computers. The short name matches the user's home folder name and can also be used to log in to computers.

Jamf Connect uses the contents of a user's ID token (in JSON Web Token format) to determine the short name of a new local account. After successful authentication, Jamf Connect receives an ID token from your cloud identity provider (IdP) and looks for the following claims (similar to an attribute assertion in SAML), in sequence, to use for the short name:

  1. A custom claim specified by the Short Name Attribute (OIDCShortName) setting. Common custom claims used for a short name include given_name and name.

  2. unique_name

  3. preferred_username

  4. email

  5. sub

If none of these claims exist, jamfconnect is used as the short name.

You can configure the Short Name Attribute (OIDCShortName) setting in your login window configuration profile to customize which claim in an ID token is used as the local account short name.

Keep the following in mind when configuring custom short names for local accounts:

  • You can only use claims sent in an ID token to configure short names.

  • If the claim you want to use is not in a standard ID token, you can receive additional claims by requesting additional scopes with the OpenID Connect Scopes (OIDCScopes) setting.

    Note: OpenID Connect's built-in profile scope contains commonly used claims with user information.

  • Standard scopes and claims sent in an ID token may vary by IdP. To see what claims are included in an ID token sent by your IdP, you can use any of the following:

    • Jamf Connect Configuration's testing feature

    • The Formatted ID Token Path (OIDCIDTokenPath) setting to store and view the token locally

    • A third-party JSON Web Token (JWT) decoder

  • If Jamf Connect is used to connect a network account to an existing local account, the custom short name is added as a local account alias (an alternate short name that can be used for local authentication).
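
To check which claim would supply the short name for a given token (for example, one saved with the Formatted ID Token Path setting), the following added example applies the lookup sequence described above. It is not Jamf's code: the function names and sample token are constructed for illustration, and any normalization Jamf Connect applies to the chosen value is not modeled.

```python
import base64
import json

# Claims tried after the custom claim, in the order this page lists them.
FALLBACK_CLAIMS = ("unique_name", "preferred_username", "email", "sub")
DEFAULT_SHORT_NAME = "jamfconnect"


def decode_id_token_payload(token):
    """Return a JWT's claims as a dict. Inspection only: no signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def resolve_short_name(claims, custom_claim=None):
    """Return (claim_used, value) following the lookup sequence on this page."""
    order = ([custom_claim] if custom_claim else []) + list(FALLBACK_CLAIMS)
    for name in order:
        value = claims.get(name)
        # Assumption: an empty or non-string claim is treated as absent.
        if isinstance(value, str) and value.strip():
            return name, value
    return None, DEFAULT_SHORT_NAME


def make_sample_token(claims):
    """Build an unsigned token from constructed claims (not a real IdP token)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])


# Constructed sample claims, as an IdP might send with the profile scope.
SAMPLE_TOKEN = make_sample_token({
    "sub": "00u1abcd", "email": "jane.doe@example.com",
    "preferred_username": "jane.doe@example.com", "given_name": "Jane",
})

if __name__ == "__main__":
    claims = decode_id_token_payload(SAMPLE_TOKEN)
    print(resolve_short_name(claims, custom_claim="given_name"))
    print(resolve_short_name(claims, custom_claim="nickname"))
```

If the reported claim is not the one set in OIDCShortName, the custom claim is missing from the token and the lookup fell through to the next claim in the sequence.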