Apple SSO extension Attribute

akw0045
New Contributor III

We are in the process of moving away from Enterprise Connect and pushing out the built-in SSO. I was hoping there would be a way for me to see the logged in user for the SSO like I do with Enterprise Connect. I know it's just an extension attribute that grabs the logged in user from the EC app but I don't know where that data is stored for SSO. I just want another line like in the picture below but instead of Enterprise Connect, I want SSO Logged in User.


dan-snelson
Valued Contributor II

@akw0045 Please let me know if the following proves helpful. (You'll need to adjust /usr/local/bin/eccl to something like /Applications/Enterprise Connect.app/Contents/SharedSupport/eccl and update domain.com for your domain.)

#!/bin/bash

####################################################################################################
# Extension Attribute to determine the logged-in user's UPN
####################################################################################################

# Variables
loggedInUser=$( /usr/bin/stat -f %Su "/dev/console" )


if  [[ ${loggedInUser} == "root" ]]  || 
    [[ ${loggedInUser} == "_mbsetupuser" ]] ; then

    result="${loggedInUser}"

else

    if [[ -L "/usr/local/bin/eccl" ]] ; then

        adUsername=$( /usr/bin/su - "${loggedInUser}" -c "/usr/local/bin/eccl -p adUsername" | /usr/bin/sed 's/adUsername: //' )

        if [[ ${adUsername} == "missing value" ]]; then   # Enterprise Connect installed, but user is NOT logged in

            result="${loggedInUser} NOT logged into Enterprise Connect"

        else    # Enterprise Connect installed and the user is logged in

            result="${adUsername}"

        fi

    else

        # Attempt to obtain the user's UPN via the Single Sign-on Extension …

        /usr/bin/su - "${loggedInUser}" -c "/usr/bin/app-sso -i domain.com" > /private/var/tmp/app-sso.plist

        ssoLoginTest=$( /usr/libexec/PlistBuddy -c "Print:login_date" /private/var/tmp/app-sso.plist 2>&1 )

        if [[ ${ssoLoginTest} == *"Does Not Exist"* ]]; then

            # User NOT logged into the single sign-on extension

            result="${loggedInUser} NOT logged into Single Sign-on Extension"

        else

            result=$( /usr/libexec/PlistBuddy -c "Print:upn" /private/var/tmp/app-sso.plist | /usr/bin/awk -F@ '{print $1}' )

        fi

        /bin/rm -f /private/var/tmp/app-sso.plist

    fi

fi

echo "<result>${result}</result>"

exit 0

inoland
New Contributor II

This is an older thread but I am just setting this up now.  Not sure what I am doing wrong.  I can get the SSO to work but I have some computers on EC still and the script is not working for them.

akw0045
New Contributor III

I already have Enterprise Connect working as an Extension Attribute. I'm looking for the same thing but with the new Apple SSO that will replace EC.

sdagley
Esteemed Contributor II

@akw0045 The EA that @dan-snelson posted will handle both older versions of EC and the SSO extension.

akw0045
New Contributor III

@sdagley @dan-snelson I see now. I saw the EC parts and assumed I didn't explain myself correctly. If I had read further, I would have read the SSO parts. Thanks guys! I'll give it a try.

levans
New Contributor II

I've just tested the above EA and it works a treat, many thanks @dan-snelson

cc_rider
New Contributor III

Hi @dan-snelson, I have a problem with testing part of your script and I'm trying to get a sense of what I'm doing wrong in the following, because the .txt file is created as empty:

#!/bin/bash

#read the current logged in user
loggedInUser=$( /usr/bin/stat -f %Su "/dev/console" )

#list the REALM currently assigned to that Mac (we have 2 domains in our company)
/usr/bin/su - "${loggedInUser}" -c /usr/bin/app-sso -l -j | grep -- '"' | cut -d'"' -f2 > /private/var/tmp/app-sso-realm.txt
realm=$( cat /private/var/tmp/app-sso-realm.txt )

#extract the user_name value from the info associated with the REALM
SSOUserName=$( /usr/bin/su - "${loggedInUser}" -c /usr/bin/app-sso -i "$realm" -j | grep user_name | cut -d'"' -f4 )

echo "<result>Logged in user is $loggedInUser
Domain is $realm
SSO user is $SSOUserName</result>"

dan-snelson
Valued Contributor II

@cc_rider Does the output of klist and / or /usr/bin/app-sso -l -j look as expected? (When I'm off-campus, I have to first establish a VPN connection.)

A quick spot-check on your code works for me:

/usr/bin/app-sso -l -j | grep -- '"' | cut -d'"' -f2 > /private/var/tmp/app-sso-realm.txt
cat /private/var/tmp/app-sso-realm.txt

cc_rider
New Contributor III

Yes, it gives the correct output... The thing is that if I run it locally, it sure does get the info in the .txt file; it's when I'm using it through the EA that it doesn't.

dan-snelson
Valued Contributor II

@cc_rider Please let me know if the following works:

#!/bin/bash

#read the current logged in user
loggedInUser=$( /usr/bin/stat -f %Su "/dev/console" )

#list the REALM currently assigned to that Mac (we have 2 domains in our company)
/usr/bin/su - "${loggedInUser}" -c "/usr/bin/app-sso -l -j" | grep -- '"' | cut -d'"' -f2  > /private/var/tmp/app-sso-realm.txt
realm=$( cat /private/var/tmp/app-sso-realm.txt )

#extract the user_name value from the info associated with the REALM
SSOUserName=$( /usr/bin/su - "${loggedInUser}" -c "/usr/bin/app-sso -i "$realm" -j" | grep user_name | cut -d'"' -f4 )

echo "<result>Logged in user is $loggedInUser
Domain is $realm
SSO user is $SSOUserName</result>"
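As an added example (not dan-snelson's or cc_rider's code), the same extension attribute logic written so the `app-sso -i REALM -j` output is captured straight from stdout (no file in /private/var/tmp) and the `upn` / `login_date` keys are pulled out by name rather than by `grep | cut` field position. The JSON samples are constructed for this example with the keys the thread references; the realm name and the `ea_from_app_sso` wrapper are assumptions for a real Mac.

```shell
#!/bin/bash
# Added example, not code from the thread: parse app-sso's JSON in the EA itself.
# The two JSON documents below are CONSTRUCTED to resemble `app-sso -i REALM -j`;
# real output carries additional keys that this parser simply ignores.

sample_logged_in='{
  "login_date" : "2024-01-15 09:12:33",
  "realm" : "EXAMPLE.COM",
  "upn" : "jane.doe@example.com",
  "user_name" : "jane.doe"
}'
sample_not_logged_in='{
  "realm" : "EXAMPLE.COM"
}'

# json_string_value KEY: read JSON on stdin (one "key" : "value" pair per line, as
# app-sso -j prints it) and print KEY's string value; prints nothing if KEY is absent.
json_string_value() {
  sed -n 's/^[[:space:]]*"'"$1"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# ea_result CONSOLE_USER JSON: the EA value for that user, following the thread's
# rule: no login_date key means not signed in; otherwise the local part of the UPN.
ea_result() {
  local user="$1" json="$2" upn
  if [ -z "$(printf '%s\n' "$json" | json_string_value login_date)" ]; then
    printf '%s NOT logged into Single Sign-on Extension' "$user"
    return 0
  fi
  upn=$(printf '%s\n' "$json" | json_string_value upn)
  printf '%s' "${upn%%@*}"
}

# ea_from_app_sso REALM: the wrapper a Jamf EA would call on a Mac (assumed usage).
# Running app-sso via `su - USER -c "..."` keeps -i/-j as app-sso's flags, not su's,
# and the command substitution replaces the temp file used in the thread's scripts.
ea_from_app_sso() {
  local realm="$1" user json
  user=$(/usr/bin/stat -f %Su /dev/console)
  json=$(/usr/bin/su - "$user" -c "/usr/bin/app-sso -i '$realm' -j" 2>/dev/null)
  printf '<result>%s</result>\n' "$(ea_result "$user" "$json")"
}
```

Call `ea_from_app_sso domain.com` at the end of the script to emit the `<result>` line Jamf expects.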

cc_rider
New Contributor III

@dan-snelson It actually worked! :) So, the quotes were the issue with mine, eh! Thank you so much!!!