Login to MacOS using Classlink SSO?

New Contributor III

Hi there,

I'm not sure if this functionality exists for MacOS, but it does for Chromebooks, and it's pretty amazing, so we'd like to leverage it for our iMac labs at the very least, and if it works there maybe go org-wide with it. The problem is I'm not sure what method to attack this problem with.

Currently our iMacs (like the rest of our Apple computers) are AD bound. Users log in with a mobile account, and use Enterprise Connect for password management.

I know that Macs support Kerb/SSO authentication, and also that Google's SecureLDAP can work for macOS as well, but what I really want is for the login screen to show me a Classlink login page so users can sign in with a QR code badge.

Since our Google accounts use Classlink as their IDP and show the splash page when you try to log into them via web browser, I started going down the rabbit hole of getting a test machine bound to Google Secure LDAP, thinking it might spawn a splash page for Classlink login. But now I'm realizing that mechanism probably won't happen.

I realize I'm sort of rambling here, but I'd be interested in anyone else's experience getting to an IDP login screen on MacOS where you can scan in using a badge, regardless of platform or mechanism.


New Contributor

Stumbled across this feed. With the CVE-2021-42287 issue with AD Bindings this may become more prevalent I would definitely be interested in this as well. 

We can dream, friendo. We can dream. πŸ˜…

This might be possible with XCreds. Kind of like a more modern version of NoMAD. Link: https://twocanoes.com/products/mac/xcreds/

I've seen two people on the #MacAdmins slack get it halfway working, but couldn't quite get it fully working.

Tidbits from them trying to get XCreds working with ClassLink at macOS sign-in window (XCreds does support 'JIT' aka 'Just In Time' local account creation, like NoMAD does).

"We had the same problem, and we use Classlink as an IDP for Google. I could only get an account created with a manually defined username in the config profile. Since Google takes us to the separate classlink page, I think thats why the username isn't getting pulled. It would be nice if we could do the same thing as passwords, defining the elementID field, since there is no @email.com part in our login, though I'm not 100% thats the best solution."

"I am testing xCreds with Google. We are using Google as a Single sign-on (SSO) with a third-party identity provider --> Classlink.com. XCreds will go to Google then to Classlink back to Google without passing the authenication back to xCreds. How can I get xCreds to see the authenication?"

Both those posts were 2 - 3 months ago. I asked them if they ever made any more progress but haven't heard back.

We're personally looking to get rid of NoMAD this year so this is something I will test myself in the next few months. NoMAD is still working great for us in a K-12 shared lab setting, even on the latest Ventura.. I just don't like how it's kind of a ghost project at this point. It would also be nice to use our ClassLink IdP. XCreds is all written in Swift and a modern solution (if not cutting-edge).