PingOne

Adding an identity provider - Apple

Adding Apple as an external identity provider (IdP) gives your users the option to sign in with Apple when accessing your application.

Before you begin

Ensure that the application is added to PingOne.

Set the Grant Type for the application to Implicit.

Learn more in Adding an application.

Creating an App ID

When you register your application, Apple will generate an App ID to identify the application. You’ll need this value to connect the application to PingOne.

Steps

  1. Go to the Apple Developer site at https://developer.apple.com and sign on with your Apple Developer account. If you don’t have an Apple Developer account, you’ll need to create one.

  2. Click Certificates, Identifiers & Profiles.

  3. On the left, click Identifiers and then click the icon.

  4. In the Register a New Identifier section, select App IDs.

  5. In the Register an App ID section, enter a value for the Bundle ID.

  6. Copy the following values to a secure location:

    • App ID prefix (Team ID): Identifies your team or organization.

    • Bundle ID: Identifies a group of applications.

  7. In the list of available capabilities, select Sign in with Apple.

  8. Click Continue and Register.

Creating a Services ID

The Services ID identifies the particular instance of your application. The Services ID is equivalent to a client_id in PingOne.

Steps

  1. On the Apple Developer site, click Certificates, Identifiers & Profiles.

  2. In the Register a New Identifier section, select Services ID.

  3. Enter the following information:

    • Description: A brief description of the application.

    • Identifier: The path to the application. This value will be used as the client ID in PingOne.

  4. Click Continue and Register.

  5. In the list, select the service you just created.

  6. Select Sign in with Apple and click Configure.

  7. Select the primary App ID and click the icon.

  8. Enter a value for Domains and subdomains.

    This is the top-level domain for your application.

  9. Leave the Return URLs blank for now.

    This is the path in your application that users are redirected to after they have authenticated with Apple. This value is equivalent to a callback URI. You’ll enter this value after you set up your application in PingOne.

  10. Click Next, and then click Done.

  11. Click Continue, and then click Save.

Creating a private key

When you register your application, Apple generates a private key for client authentication. You’ll need this value when you add the application to PingOne.

Steps

  1. On the Apple Developer site, click Certificates, Identifiers & Profiles.

  2. On the left, click Keys.

  3. To register a new key, click the icon.

  4. Enter a value for Key Name.

  5. Select Sign in with Apple and click Configure.

  6. Select the primary App ID you created earlier.

  7. Click Save and then click Continue.

  8. Click Register.

  9. Copy the Key ID to a secure location.

    You’ll use this value when you add the IdP in PingOne.

  10. To save the key to the local file system, click Download.

    The key is saved as a text file with a .p8 file extension. The key will be used as the client secret signing key and its identifier will be used as the private key in PingOne.

    You can download the key only once. Save the file to a secure location because the key is not saved in your developer account, and you won’t be able to download it again. If the Download button is disabled, you already downloaded the key.

Configuring email communication

Configuring Apple for email communication allows users to set up an account and sign on to applications with their existing Apple ID, which is required for PingOne to communicate with users and for users to receive updates from Apple. Learn more in Configure private email relay service in the Apple Developer documentation.

Steps

  1. On the Apple Developer site, click Certificates, Identifiers & Profiles.

  2. On the left, click More and then click Configure.

  3. Next to Email Sources, click the icon.

  4. For Domains and subdomains, enter pingidentity.com.

  5. Click Next.

  6. Click Register and then click Done.

Adding Apple as an identity provider in PingOne

Configure the IdP connection in PingOne.

Before you begin

Ensure that registration is enabled in the authentication policy. Learn more in Editing an authentication policy.

You should have the following information ready:

  • App ID (Client ID)

  • Client secret signing key

  • Team ID

  • Private key ID

Learn more in Creating an App ID and Creating a private key.

Steps

  1. In PingOne, go to Integrations > External IdPs.

  2. Click Add Provider.

  3. Click Apple.

  4. On the Create Profile page, enter the following information:

    • Name: A unique identifier for the IdP.

    • Description (optional): A brief description of the IdP.

    You can’t change the icon and login button, in accordance with the provider’s brand standards.

  5. Click Next.

  6. On the Configure Connection page, enter the following information:

    • Client ID (App ID): The application ID that you copied earlier from the identity provider. You can find this information on the Apple Developers site.

    • Client secret signing key: The application secret that you copied earlier from the identity provider. You can find this information on the Apple Developers site.

    • Team ID: A unique 10-character string generated by Apple that identifies your organization. The team ID is the prefix of the App ID.

    • Private key ID: Identifies the private key in the JSON web token (JWT). This JSON object is the Client Secret in PingOne.

    • Callback URL: The URL to which the user will be redirected after authenticating. This value is read-only. You’ll provide this value to the identity provider later.

  7. Click Save and Continue.

  8. On the Map Attributes page, map the following PingOne attributes to Apple attributes:

    PingOne attribute

    Apple attribute

    Given Name

    providerAttributes.name.firstName

    Family Name

    providerAttributes.name.lastName

    Apple only sends an ID token with the first authentication using Sign in with Apple.

    Learn more about Sign in with Apple in the Apple documentation.

  9. Map additional attributes as needed.

    Learn more in Mapping attributes.

    You can map additional attributes if they are in the ID token from Apple, such as iss, iat, exp, aud, sub, nonce, nonce_supported, email, and email_verified. Learn more about the JSON structure generated by Apple in Configuring your webpage for Sign on with Apple.

    • Enter the PingOne user profile attribute and the external IdP attribute. Learn more about attribute syntax in Identity provider attributes.

    • To add an attribute, click Add attribute.

    • To use the expression builder, click Build and test or Advanced Expression. Learn more in Using the expression builder.

    • Select the update condition, which determines how PingOne updates its user directory with the values from the identity provider. The options are:

      • Empty only: Update the PingOne attribute only if the existing attribute is empty.

      • Always: Always update the PingOne directory attribute.

  10. Click Save and Finish.

Adding the return URL to the Apple Developers site

Copy the callback URL and paste it in the Apple Developers site.

Steps

  1. In PingOne, go to Integrations > External IdPs.

  2. Locate the appropriate IdP and then click the details icon to expand the IdP.

  3. Click the Connection tab.

  4. Copy the callback URL and paste it in a secure location.

  5. On the Apple Developer site, click Certificates, Identifiers & Profiles.

  6. Select Sign in with Apple and click Configure.

  7. Select the primary App ID and click the icon.

  8. For Return URLs, paste the value for Callback URL that you copied earlier.

  9. Click Next, and then click Done.

Next steps