---
title: Overview of the SSO flow
description: With the Apple Cloud Identity Connector, PingFederate includes an Apple authentication API in the sign-on flow.
component: apple
page_id: apple::pf_apple_cic_overview_of_the_sso_flow
canonical_url: https://docs.pingidentity.com/integrations/apple/pf_apple_cic_overview_of_the_sso_flow.html
revdate: June 28, 2024
section_ids:
  section_N1006C_N10024_N10001: Description
---

# Overview of the SSO flow

With the Apple Cloud Identity Connector, PingFederate includes an Apple authentication API in the sign-on flow.

The following figure illustrates a service provider (SP)-initiated single sign-on (SSO) scenario in which PingFederate authenticates users to an SP application using the Apple IdP Adapter.

![dpj1573071410609](_images/dpj1573071410609.png)

## Description

1. The user opens a web application and chooses the **Sign in with Apple** option.

2. The sign-on link points to the PingFederate Apple IdP Adapter, which redirects the browser…​

3. …​to Apple with the client ID and a list of requested scopes. On the Apple site, the user authenticates their identity and then authorizes the requested scopes.

4. Apple redirects the browser…​

5. …​to the PingFederate Apple IdP Adapter authorization callback endpoint with an authorization code.

   If the user fails to authenticate or does not authorize the request, the response includes an error code instead.

6. The Apple IdP Adapter generates a client secret JSON object. PingFederate sends the client secret, client ID, and nonce value to Apple.

   For more about the client secret object, see [Creating the Client Secret](https://developer.apple.com/documentation/signinwithapplerestapi/generate_and_validate_tokens#response-codes) in the Apple Developer documentation.

7. Apple returns an access token, refresh token, and an identity token.

   For more about the identity token object, see [Retrieve the User's Information from Apple ID Servers](https://developer.apple.com/documentation/signinwithapplerestapi/authenticating_users_with_sign_in_with_apple) in the Apple Developer documentation.

8. The Apple IdP Adapter uses the Apple public key to verify the identity token.

9. PingFederate redirects the user to the web application with the user attributes from the identity token.
