Nomad Login+ / Jamf Connect Sync - OIDCSecondaryLoginClientID functionality

afzanjamalgt
New Contributor II

Just thought I would share this in case anyone else was struggling with it (thanks to lucasjhall on MacAdmins Slack for the solution!).

I was going crazy trying to get the OIDCSecondaryLoginClientID functionality working as described in the docs. Like most other setups, we had 1-2 local accounts created as part of our DEP/prestage enrollment flow. There's a hidden config key you need to configure in order to ignore those accounts (ExistingUsersHide); it takes an array of strings, which are the usernames to ignore for the purposes of determining if a Mac 'Primary' user has logged in or not.

example: <key>ExistingUsersHide</key> <array><string>localadmin1</string><string>localadmin2</string></array>

Hope that helps someone out there!

1 REPLY

ljh
New Contributor II

That is correct, so it would appear as:

<key>ExistingUsersHide</key>
<array>
  <string>localadmin1</string>
  <string>localadmin2</string>
</array>

And it must be specified in addition to the MigrateUsersHide user list, as these could be different...
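
An added example, not part of the original posts: a Python check that both hide keys in a settings plist are arrays of strings and that each one lists the accounts you expect it to hide. The sample plist, the `check_hide_lists` helper and the expected-account mapping are constructed for illustration; the two lists are checked separately because they can differ.

```python
import plistlib

# Constructed sample settings with two typical mistakes: one account left out
# of ExistingUsersHide, and MigrateUsersHide given as a bare string.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>ExistingUsersHide</key>
  <array>
    <string>localadmin1</string>
  </array>
  <key>MigrateUsersHide</key>
  <string>localadmin1</string>
</dict>
</plist>
"""

def check_hide_lists(plist_bytes, expected):
    """Return findings for each key in `expected` (key -> accounts to hide).

    An empty list means every key is present, is an array of strings,
    and contains all of the accounts expected for it.
    """
    settings = plistlib.loads(plist_bytes)
    findings = []
    for key, accounts in expected.items():
        value = settings.get(key)
        if value is None:
            findings.append(f"{key}: key is missing")
            continue
        # The key takes an array of strings; anything else is a type error.
        if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
            findings.append(f"{key}: must be an array of strings")
            continue
        for account in accounts:
            # Exact match only: case-folding behaviour is not assumed here.
            if account not in value:
                findings.append(f"{key}: '{account}' is not listed")
    return findings

if __name__ == "__main__":
    # Hypothetical expectation: both prestage admins hidden from the
    # existing-user check, one of them hidden from migration.
    expected = {
        "ExistingUsersHide": ["localadmin1", "localadmin2"],
        "MigrateUsersHide": ["localadmin1"],
    }
    for finding in check_hide_lists(SAMPLE_PLIST, expected):
        print(finding)
```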