---
title: Apple social identity provider
description: To configure Apple as a social identity provider (Sign in with Apple), you'll need an Apple developer account.
component: pingidm
version: 7.5
page_id: pingidm:self-service-reference:social-providers/section-apple-social
canonical_url: https://docs.pingidentity.com/pingidm/7.5/self-service-reference/social-providers/section-apple-social.html
keywords: ["Configuration", "Authentication", "Social Authentication", "Self-Service", "User Self-Service", "Social Identity"]
section_ids:
  apple-setup: Configure Apple Login
  apple-socialId: Configure an Apple identity provider
  apple-userreg: Configure user registration through Apple
  appendix-apple-social: Apple social identity provider configuration details
---

# Apple social identity provider

|   |                                                                                                                                                                                                                          |
| - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|   | Social authentication is deprecated and will be removed in a future release of IDM. For more information, refer to [Deprecation](../../release-notes/deprecated-functionality.html#deprecated-standalone-socialid-auth). |

To configure Apple as a social identity provider (Sign in with Apple), you'll need an Apple developer account.

## Configure Apple Login

You need a client ID and client secret for your application. In the Apple developer portal, the client ID is called a `Services ID`.

1. Log in to the [Apple Developer Portal](https://developer.apple.com/).

2. Select Certificates, Identifiers and Profiles > Identifiers.

3. On the Identifiers page, select Register a New Identifier, then select Services IDs.

4. Enter a Description and Identifier for this Services ID, and make sure that Sign in With Apple is enabled.

   |   |                                                               |
   | - | ------------------------------------------------------------- |
   |   | The Identifier you specify here will be your OAuth Client ID. |

5. Click Configure.

6. On the Web Authentication Configuration screen, enter the Web Domain on which IDM runs, and specify the redirect URL used during the OAuth flow (Return URLs).

   The redirect URL must have the following format:

   ```none
   https://idm.example.com/redirect
   ```

   |   |                                                                                                                                                                 |
   | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | You must use a real domain (FQDN). Apple does not allow `localhost` URLs. If you enter an IP address such as `127.0.0.1`, it will fail later in the OAuth flow. |

7. Click Save > Continue > Register.

8. Generate the client secret.

   Instead of using simple strings as OAuth client secrets, Apple uses a public/private key pair, where the client secret is a signed JWT. To register the private key with Apple:

   * Select Certificates, Identifiers and Profiles > Keys, then click the + button to register a new key.

   * Enter a Key Name, and enable Sign In with Apple.

   * Click Configure, and select the primary App ID that you created previously.

   * Apple generates a new private key, in a `.p8` file.

     |   |                                                                                                                           |
     | - | ------------------------------------------------------------------------------------------------------------------------- |
     |   | You can only download this key *once*. Ensure that you save this file, because you will not be able to download it again. |

     Rename the file to `key.txt`, then locate the Key ID in that file.

   * Use this private key to generate a client secret JWT. Sign the JWT with your private key, using the ES256 algorithm.
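
An added example (not from the Ping documentation) of the last step: building the client secret JWT with the built-in `crypto` module of Node.js and checking it before use. The Team ID, Services ID and Key ID are placeholders, a throwaway P-256 key stands in for the downloaded `.p8` key, and the claim layout (`iss` = Team ID, `sub` = Services ID, `aud` = `https://appleid.apple.com`, lifetime of at most 15777000 seconds) follows Apple's Sign in with Apple requirements rather than anything stated on this page.

```javascript
// Added example: create and verify an Apple client secret JWT (ES256).
const crypto = require('crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');
const decode = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));
const MAX_LIFETIME_SECONDS = 15777000; // Apple rejects secrets valid for longer (about 6 months)

// iss = Team ID, sub = Services ID (the OAuth client ID), kid = Key ID of the private key.
function makeAppleClientSecret({ teamId, servicesId, keyId, privateKeyPem, lifetimeSeconds, now }) {
  if (!(lifetimeSeconds > 0 && lifetimeSeconds <= MAX_LIFETIME_SECONDS)) {
    throw new RangeError('lifetimeSeconds must be between 1 and 15777000');
  }
  const iat = Math.floor((now ?? Date.now()) / 1000);
  const header = { alg: 'ES256', kid: keyId };
  const payload = { iss: teamId, iat, exp: iat + lifetimeSeconds,
                    aud: 'https://appleid.apple.com', sub: servicesId };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  // JWS needs the raw 64-byte R||S signature, not the DER form OpenSSL produces by default.
  const signature = crypto.sign('sha256', Buffer.from(signingInput),
    { key: privateKeyPem, dsaEncoding: 'ieee-p1363' });
  return `${signingInput}.${b64url(signature)}`;
}

// Local sanity check: signature matches the key, and the claims are what we intended.
function verifyClientSecret(jwt, publicKeyPem) {
  const parts = jwt.split('.');
  if (parts.length !== 3) return { ok: false };
  const [h, p, s] = parts;
  const ok = crypto.verify('sha256', Buffer.from(`${h}.${p}`),
    { key: publicKeyPem, dsaEncoding: 'ieee-p1363' }, Buffer.from(s, 'base64url'));
  return { ok, header: decode(h), payload: decode(p) };
}

// Constructed sample key pair; in practice privateKeyPem is the content of the .p8 file.
const sample = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256',
  privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  publicKeyEncoding: { type: 'spki', format: 'pem' } });

const secret = makeAppleClientSecret({
  teamId: 'TEAMID0000',           // placeholder Team ID
  servicesId: 'com.example.idm',  // placeholder Services ID
  keyId: 'KEYID00000',            // placeholder Key ID
  privateKeyPem: sample.privateKey,
  lifetimeSeconds: 30 * 86400,
});
console.log(verifyClientSecret(secret, sample.publicKey));
```

The returned string is the value for the Client Secret field (`clientSecret`). Because it carries an `exp` claim, it has to be regenerated and re-entered before that time passes.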

## Configure an Apple identity provider

To configure an Apple social identity provider using the admin UI:

1. From the navigation bar, click Configure > Social ID Providers.

2. On the Social Identity Providers page, enable Apple.

3. In the Apple Provider window, enter applicable values in the fields, and click Save. For a complete list of fields, refer to [Apple Social Identity Provider Configuration Details](#appendix-apple-social).

## Configure user registration through Apple

To configure Apple social user registration using the admin UI:

1. From the navigation bar, click Configure > User Registration, and click the Social tab.

2. Enable Social Registration.

   For more information, refer to [Self-service end user UI](../end-user-ui.html).

## Apple social identity provider configuration details

You can set up the Apple social identity provider through the admin UI or in a `conf/identityProvider-apple.json` file. IDM generates the `identityProvider-apple.json` file when you configure and enable this social identity provider in the admin UI. Alternatively, you can create the file manually.

The following table includes the information shown in the admin UI Apple Provider pop-up window, along with associated information in the `identityProvider-apple.json` file.

**Apple social identity provider configuration properties**

| Property (UI)          | Property (JSON file)    | Description                                                                                                                           |
| ---------------------- | ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------- |
| Client ID              | `clientId`              | The client identifier for your Apple App. In the Apple developer portal, the client ID is called a `Services ID`.                     |
| Client Secret          | `clientSecret`          | Used with the Client ID to access the applicable Apple API.                                                                           |
| Scope                  | `scope`                 | An array of strings that allows access to user data.                                                                                  |
| Authorization Endpoint | `authorizationEndpoint` | Typically, `https://appleid.apple.com/auth/authorize`.                                                                                |
| Token Endpoint         | `tokenEndpoint`         | Endpoint that receives a one-time authorization code, and returns an access token. Typically, `https://appleid.apple.com/auth/token`. |
| Well-Known Endpoint    | `wellKnownEndpoint`     | Access for other URIs. Typically, `https://appleid.apple.com/.well-known/openid-configuration`.                                       |
| Issuer                 | `issuer`                | The token issuer. Typically, `https://appleid.apple.com`.                                                                             |
| Not in the admin UI    | `provider`              | Name of the social identity provider.                                                                                                 |
| Not in the admin UI    | `configClass`           | Configuration class for the authentication module.                                                                                    |
| Not in the admin UI    | `basicAuth`             | Whether to use basic authentication.                                                                                                  |
| Not in the admin UI    | `propertyMap`           | Mapping between Apple and IDM.                                                                                                        |

For information on social identity provider buttons and badges, refer to [Social identity provider button and badge properties](appendix-social-badges.html).
