
Setup experience: Use credentials from end-user IdP authentication to create first user on macOS

Open ddribeiro opened this issue 9 months ago • 3 comments

  • @noahtalerman: User requested this because they want to streamline the macOS Setup Assistant experience by auto-creating the local user account using the same credentials (username and password) entered during IdP authentication. This avoids asking the user to input their password twice and ensures better alignment with identity provider credentials. Currently, Fleet only populates the username.
    • @noahtalerman: In the interim they manually direct users to set their password again during setup, which creates friction, increases confusion, and raises support burden.
      • @noahtalerman: Would Platform SSO achieve this?
        • @allenhouchins: Not for the first time user account creation. With Platform SSO, the end user would have to type in their password more than once.
    • @noahtalerman: Eventually Fleet could capture the user’s password during IdP authentication and pass it through in the AccountConfigured MDM command, so that the account is automatically created with those credentials and skips the account creation UI, as supported by Apple.

User story

  • Research story: how can we get the password from the IdP

ddribeiro avatar Apr 07 '25 21:04 ddribeiro

This is related to and similar to #27933, but IMO distinct enough to be tracked in a separate request

ddribeiro avatar Apr 08 '25 15:04 ddribeiro

Gong snippet: Customer does not allow recordings

Problem

Currently, with end-user authentication during enrollment in the macOS setup assistant, Fleet can autofill the account primary name and username retrieved from the IdP. However, the password field still needs to be set by the user despite just having provided it to the IdP.

customer-numa would like Fleet to take the credentials passed to the IdP during end-user authentication and use them to create the local user account on the Mac. This workflow seems to be supported by Apple in the AccountConfiguration MDM command:

If the user’s password is also available from authentication through ConfigurationURL, Setup Assistant automatically creates the primary account with that information and skips showing the user interface to view or edit these fields.

What have you tried?

I checked the code to see if the password was returned to Fleet after the end-user IdP authentication, but it doesn't seem to be. We appear to be populating the primary account name and username properties of the AccountConfigured command from the mdm_idp_accounts table in the database. The password is not stored here.

Potential solutions

Per Apple’s documentation, Fleet could take the password that is provided during the end-user IdP authentication and use it in the AccountConfigured command. This would skip local account creation and create the first account using the username and password provided during end-user authentication.

What is the expected workflow as a result of your proposal?

An IT admin would configure their team to use credentials provided during the end-user authentication to create the primary account on the computer. The end user would skip the account creation screen during the setup experience. This would ensure the local account password for the Mac is the same as the IdP password. The end user would be brought to the login screen and be able to log into their computer using the same password as their IdP account.

noahtalerman avatar Apr 09 '25 17:04 noahtalerman
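The "What have you tried?" and "Potential solutions" sections above describe the AccountConfiguration command that Fleet builds from the stored IdP full name and username. The following is an added example, not Fleet's code or Apple's, that renders that command dictionary as an XML plist so the two observations in the thread can be checked against a concrete artifact: the primary-account keys carry a name and username only, with no password key, so the password would have to arrive through the ConfigurationURL authentication itself as the quoted Apple text says; and SkipPrimarySetupAccountCreation is only meaningful alongside an AutoSetupAdminAccounts entry, which is how the example guards it (that constraint is my reading of Apple's documentation and is marked as an assumption in the code). The `IdPAccount` type, the field names and the sample values are constructed for illustration and do not mirror Fleet's `mdm_idp_accounts` schema.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
)

// IdPAccount is a constructed stand-in for what the thread says Fleet keeps
// per enrolling user (full name and username from the IdP). Not Fleet's schema.
type IdPAccount struct {
	FullName string
	Username string
}

// AdminAccount is one entry of AutoSetupAdminAccounts. PasswordHash is the
// opaque salted-hash plist blob macOS expects; here it is only carried as bytes.
type AdminAccount struct {
	FullName     string
	ShortName    string
	PasswordHash []byte
	Hidden       bool
}

// AccountConfiguration models the top-level keys of Apple's AccountConfiguration
// MDM command that this example emits.
type AccountConfiguration struct {
	Primary                         IdPAccount
	LockPrimaryAccountInfo          bool
	SkipPrimarySetupAccountCreation bool
	AutoSetupAdminAccounts          []AdminAccount
}

// esc XML-escapes a string value so IdP-supplied names cannot break the plist.
func esc(s string) string {
	var b bytes.Buffer
	_ = xml.EscapeText(&b, []byte(s)) // writing to a bytes.Buffer does not fail
	return b.String()
}

func boolTag(v bool) string {
	if v {
		return "<true/>"
	}
	return "<false/>"
}

// BuildAccountConfiguration renders the Command dictionary as an XML plist.
// Note that the primary account has no password key: the password is never
// part of this command, which is why the thread asks how to get it from the IdP.
func BuildAccountConfiguration(cfg AccountConfiguration) (string, error) {
	if !cfg.SkipPrimarySetupAccountCreation && cfg.Primary.Username == "" {
		return "", errors.New("PrimaryAccountUserName is required unless primary setup is skipped")
	}
	// Assumption (my reading of Apple's docs): skipping primary-account creation
	// without an admin account would leave the Mac with no local user to log in as.
	if cfg.SkipPrimarySetupAccountCreation && len(cfg.AutoSetupAdminAccounts) == 0 {
		return "", errors.New("SkipPrimarySetupAccountCreation requires an AutoSetupAdminAccounts entry")
	}
	var b bytes.Buffer
	b.WriteString("<dict>\n")
	b.WriteString("  <key>RequestType</key><string>AccountConfiguration</string>\n")
	fmt.Fprintf(&b, "  <key>PrimaryAccountFullName</key><string>%s</string>\n", esc(cfg.Primary.FullName))
	fmt.Fprintf(&b, "  <key>PrimaryAccountUserName</key><string>%s</string>\n", esc(cfg.Primary.Username))
	fmt.Fprintf(&b, "  <key>LockPrimaryAccountInfo</key>%s\n", boolTag(cfg.LockPrimaryAccountInfo))
	fmt.Fprintf(&b, "  <key>SkipPrimarySetupAccountCreation</key>%s\n", boolTag(cfg.SkipPrimarySetupAccountCreation))
	if len(cfg.AutoSetupAdminAccounts) > 0 {
		b.WriteString("  <key>AutoSetupAdminAccounts</key>\n  <array>\n")
		for _, a := range cfg.AutoSetupAdminAccounts {
			b.WriteString("    <dict>\n")
			fmt.Fprintf(&b, "      <key>fullName</key><string>%s</string>\n", esc(a.FullName))
			fmt.Fprintf(&b, "      <key>shortName</key><string>%s</string>\n", esc(a.ShortName))
			fmt.Fprintf(&b, "      <key>passwordHash</key><data>%s</data>\n",
				base64.StdEncoding.EncodeToString(a.PasswordHash))
			fmt.Fprintf(&b, "      <key>hidden</key>%s\n", boolTag(a.Hidden))
			b.WriteString("    </dict>\n")
		}
		b.WriteString("  </array>\n")
	}
	b.WriteString("</dict>\n")
	return b.String(), nil
}

func main() {
	// Constructed sample: the current Fleet behaviour described in the thread,
	// name and username from the IdP, password left for Setup Assistant to ask.
	out, err := BuildAccountConfiguration(AccountConfiguration{
		Primary:                IdPAccount{FullName: "Alice Example", Username: "alice"},
		LockPrimaryAccountInfo: true,
	})
	if err != nil {
		panic(err)
	}
	fmt.Print(out)
}
```

Running it prints the dictionary with `PrimaryAccountFullName`, `PrimaryAccountUserName` and the two booleans and nothing else; grepping that output for a password-bearing key is the quickest way to confirm the thread's point that the command alone cannot carry the IdP password.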

UPDATE: @gillespi314: FYI draft PR https://github.com/fleetdm/fleet/pull/34096 has a report on PoC results (tl;dr we implemented the simplified flow to install the PSSO app and confirmed that final portions of the flow are still not fully supported by Entra/Company Portal; time box did not allow us to test Okta directly, but signs point to the same issue there)

FYI @kennyb-222 @zayhanlon thanks to Sarah, we confirmed that Company Portal doesn't support this feature yet. So, we decided to deprioritize this request for now.

I added a ritual for myself to check Company Portal docs daily.

noahtalerman avatar Oct 10 '25 19:10 noahtalerman

molfino is requesting this for Okta.

GrayW avatar Nov 17 '25 12:11 GrayW