Apple Login Integration Kit

Overview of the SSO flow

With the Apple Cloud Identity Connector, PingFederate includes an Apple authentication API in the sign-on flow.

The following figure illustrates a service provider (SP)-initiated single sign-on (SSO) scenario in which PingFederate authenticates users to an SP application using the Apple IdP Adapter.

dpj1573071410609

Description

  1. The user opens a web application and chooses the Sign in with Apple option.

  2. The sign-on link points to the PingFederate Apple IdP Adapter, which redirects the browser…​

  3. …​to Apple with the client ID and a list of requested scopes. On the Apple site, the user authenticates their identity and then authorizes the requested scopes.

  4. Apple redirects the browser…​

  5. …​to the PingFederate Apple IdP Adapter authorization callback endpoint with an authorization code.

    If the user fails to authenticate or does not authorize the request, the response includes an error code instead.

  6. The Apple IdP Adapter generates a client secret JSON object. PingFederate sends the client secret, client ID, and nonce value to Apple.

    For more about the client secret object, see Creating the Client Secret in the Apple Developer documentation.

  7. Apple returns an access token, refresh token, and an identity token.

    For more about the identity token object, see Retrieve the User’s Information from Apple ID Servers in the Apple Developer documentation.

  8. The Apple IdP Adapter uses the Apple public key to verify the identity token.

  9. PingFederate redirects the user to the web application with the user attributes from the identity token.