Allow Log in with Federated Apple ID

[radloffl]

Tell us how we can improve Xcodes At larger organizations that have enrolled in the Federated Authentication it's not possible to log in to Xcodes.

Is your feature request related to a problem? Please describe. Unable to log in with federated Apple ID

What would you like to see? How would you like it to work? It'd be good to check if the email address is enrolled in federated authentication first and redirect to the IDP.

[radloffl]

Did some playing around with curl and figured out the path used to identify/initiate federated account log in. I replaced tokens and email addresses with examples for privacy.

Example of account without federation

$ curl -H "Accept: application/json, text/javascript" -H "Content-Type: application/json" -H "X-Requested-With: XMLHttpRequest" -H "X-Apple-Widget-Key: < itcServiceKey >" -d '{ "accountName": "[email protected]", "rememberMe": "true" }' -X POST "https://idmsa.apple.com/appleauth/auth/federate" 
{
  "showFederatedIdpConfirmation" : false,
  "federated" : false
} 

Example of account with federation (Microsoft is IDP in this case)

$ curl -H "Accept: application/json, text/javascript" -H "Content-Type: application/json" -H "X-Requested-With: XMLHttpRequest" -H "X-Apple-Widget-Key: < itcServiceKey >" -d '{ "accountName": "[email protected]", "rememberMe": "true" }' -X POST "https://idmsa.apple.com/appleauth/auth/federate"
{
  "federatedIdpRequest" : {
    "idPUrl" : "https://login.microsoftonline.com/common/[email protected]",
    "requestParams" : {
      "SAMLRequest" : "<base 64 encoded SAML string>",
      "RelayState" : "<base 64 encoded SAML string>",
      "AccountName" : "[email protected]"
    }
  },
  "federatedAuthIntro" : {
    "orgType" : "enterprise",
    "orgName" : "Big Company Corporation",
    "accountManagementUrl" : "https://login.microsoftonline.com",
    "idpName" : "https://login.microsoftonline.com",
    "idpUrl" : "https://login.microsoftonline.com"
  },
  "showFederatedIdpConfirmation" : true,
  "federated" : true
}

[radloffl]

After some more playing and reading the SAML spec if federated, the next step would be to do an HTTP GET to the idPUrl with query parameters for the requestParams

Notes

• SAMLRequest must be base 64 decoded to get XML -> deflated -> base64 encoded -> URL encoded
• RelayState and AccountName are just passed through as query parameters URL encoded

[radloffl]

Apple.paw.txt

[ursforrer]

Is there any plan to support the feraded apple id for xcodes?

[dnedrow]

I'm going to take a shot at implementing this.

[MattKiazyk]

As of v1.8 we no longer require apple accounts to download Xcode. 🥳 I'm going to close this issue as I believe the main concern was around username/password.

[testableapple]

Hey @MattKiazyk, I'm on v.1.9, but Xcodes says that I'm not authorised to download/install Xcode 🤔

[MattKiazyk]

@alteral. Did you sign in to your apple account in Xcode? Tap the icon

[testableapple]

@MattKiazyk, I'm logged in in Xcode, but not in Xcodes because it does not allow to log in with Federated Apple ID. This is the screenshot after tapping on the icon:

[dazigna]

Any updates on this thread ? this would unblock all account managed by a company

[shadone]

Hello there. It seems to be still an issue, we are hit by the same. Our accounts are enrolled with Apple Business Manager and hence we cannot download Xcode neither via "xcodes" cli app neither with Xcodes.app :( We get the same error as everybody else in this thread.

Is this being tracked, are you aware that "xcodes" are unusable for Federated accounts? What can we do to raise awareness and fix the issue?

Unfortunately this is outside of my own comfort zone, I cannot fix it myself and send a PR :)

FYI here is the GitHub issue in "xcodes" project - https://github.com/RobotsAndPencils/xcodes/issues/260