PingOne

Adding Apple as an identity provider in PingOne

Configure the IdP connection in PingOne.

Before you begin

Ensure that registration is enabled in the authentication policy. Learn more in Editing an authentication policy.

You should have the following information ready:

  • App ID (Client ID)

  • Client secret signing key

  • Team ID

  • Private key ID

Steps

  1. In PingOne, go to Integrations > External IdPs.

  2. Click Add Provider.

  3. Click Apple.

  4. On the Create Profile page, enter the following information:

    • Name: A unique identifier for the IdP.

    • Description (optional): A brief description of the IdP.

    You can’t change the icon and login button, in accordance with the provider’s brand standards.

  5. Click Next.

  6. On the Configure Connection page, enter the following information:

    • Client ID (App ID): The application ID that you copied earlier from the identity provider. You can find this information on the Apple Developers site.

    • Client secret signing key: The application secret that you copied earlier from the identity provider. You can find this information on the Apple Developers site.

    • Team ID: A unique 10-character string generated by Apple that identifies your organization. The team ID is the prefix of the App ID.

    • Private key ID: Identifies the private key in the JSON web token (JWT). This JSON object is the Client Secret in PingOne.

    • Callback URL: The URL to which the user will be redirected after authenticating. This value is read-only. You’ll provide this value to the identity provider later.

  7. Click Save and Continue.

  8. On the Map Attributes page, map the following PingOne attributes to Apple attributes:

    | PingOne attribute | Apple attribute |
    |---|---|
    | Given Name | providerAttributes.name.firstName |
    | Family Name | providerAttributes.name.lastName |

    Apple only sends an ID token with the first authentication using Sign in with Apple.

    Learn more about Sign in with Apple in the Apple documentation.

  9. Map additional attributes as needed.

    Learn more in Mapping attributes.

    You can map additional attributes if they are in the ID token from Apple, such as iss, iat, exp, aud, sub, nonce, nonce_supported, email, and email_verified. Learn more about the JSON structure generated by Apple in Configuring your webpage for Sign in with Apple.

    • Enter the PingOne user profile attribute and the external IdP attribute. Learn more about attribute syntax in Identity provider attributes.

    • To add an attribute, click Add attribute.

    • To use the expression builder, click Build and test or Advanced Expression. Learn more in Using the expression builder.

    • Select the update condition, which determines how PingOne updates its user directory with the values from the identity provider. The options are:

      • Empty only: Update the PingOne attribute only if the existing attribute is empty.

      • Always: Always update the PingOne directory attribute.

  10. Click Save and Finish.
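
The ID token claims listed in step 9 carry different levels of trust when mapped to directory attributes. The following is an added example, not PingOne code or configuration: it shows the checks a relying party applies to Apple's claims before treating `sub` or `email` as mappable. It assumes the token signature has already been verified, and the function names, client ID and sample values are constructed for illustration.

```python
import time

APPLE_ISSUER = "https://appleid.apple.com"  # value Apple places in `iss`

def as_bool(value):
    # Apple may send email_verified as a boolean or as the string "true"/"false".
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.lower() == "true"

def check_apple_claims(claims, client_id, expected_nonce, now=None, leeway=60):
    """Return a list of problems in claims whose signature was already verified."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != APPLE_ISSUER:
        problems.append("iss is not Apple")
    if claims.get("aud") != client_id:
        problems.append("aud does not match Client ID")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)) or exp + leeway < now:
        problems.append("exp missing or token expired")
    if not isinstance(iat, (int, float)) or iat - leeway > now:
        problems.append("iat missing or in the future")
    if not claims.get("sub"):
        problems.append("sub missing")
    # nonce is mandatory when nonce_supported is true; if present it must match.
    if as_bool(claims.get("nonce_supported")) or "nonce" in claims:
        if claims.get("nonce") != expected_nonce:
            problems.append("nonce mismatch")
    return problems

def mappable_attributes(claims):
    """Key the account on sub; pass email on only when Apple marks it verified."""
    attrs = {"sub": claims["sub"]}
    if claims.get("email") and as_bool(claims.get("email_verified")):
        attrs["email"] = claims["email"]
    return attrs

# Constructed sample claims (not real Apple output).
SAMPLE = {"iss": APPLE_ISSUER, "aud": "com.example.app",
          "sub": "000000.constructed.0000", "iat": 1700000000,
          "exp": 1700000600, "nonce": "n-constructed", "nonce_supported": True,
          "email": "user@example.com", "email_verified": "true"}

if __name__ == "__main__":
    print(check_apple_claims(SAMPLE, "com.example.app", "n-constructed", now=1700000100))
    print(mappable_attributes(SAMPLE))
```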