Adding an identity provider - Apple
Adding Apple as an external identity provider (IdP) gives your users the option to sign in with Apple when accessing your application.
Before you begin
Ensure that the application is added to PingOne.
Set the Grant Type for the application to Implicit. |
Learn more in Adding an application.
Creating an App ID
When you register your application, Apple will generate an App ID to identify the application. You’ll need this value to connect the application to PingOne.
Steps
-
Go to the Apple Developer site at https://developer.apple.com. If you haven’t created an Apple Developer account, you can do so now.
-
Click Certificates, Identifiers & Profiles.
-
On the left, click Identifiers and then click the icon.
-
In the Register a New Identifier section, select App IDs.
-
In the Register an App ID section, enter a value for the Bundle ID.
-
Copy the following values to a secure location:
-
App ID prefix: (Team ID). Identifies your team or organization.
-
Bundle ID: Identifies a group of applications.
-
-
In the list of available capabilities, select Sign in with Apple.
-
Click Continue and Register.
Creating a Services ID
The Services ID identifies the particular instance of your application. The Services ID is equivalent to a client_id
in PingOne.
Steps
-
On the Apple Developer site, click Certificates, Identifiers & Profiles.
-
In the Register a New Identifier section, select Services ID.
-
Enter the following information:
-
Description: A brief description of the application.
-
Identifier: The path to the application. This value will be used as the client ID in PingOne.
-
-
Click Continue and Register.
-
In the list, select the service you just created.
-
Select Sign in with Apple and click Configure.
-
Select the primary App ID and click the icon.
-
Enter a value for Domains and subdomains.
This is the top-level domain for your application.
-
Leave the Return URLs blank for now.
This is the path in your application that users are redirected to after they have authenticated with Apple. This value is equivalent to a callback URI. You’ll enter this value after you set up your application in PingOne.
-
Click Next, and then click Done.
-
Click Continue, and then click Save.
Creating a private key
When you register your application, Apple generates a private key for client authentication. You’ll need this value when you add the application to PingOne.
Steps
-
On the Apple Developer site, click Certificates, Identifiers & Profiles.
-
On the left, click Keys.
-
To register a new key, click the icon.
-
Enter a value for Key Name.
-
Select Sign in with Apple and click Configure.
-
Select the primary App ID you created earlier.
-
Click Save and then click Continue.
-
Click Register.
-
Copy the Key ID to a secure location.
You will use this value when you add the IdP in PingOne.
-
To save the key to the local file system, click Download.
The key is saved as a text file with a
.p8
file extension. The key will be used as the client secret signing key and its identifier will be used as the private key in PingOne.You can download the key only once. Save the file to a secure location because the key is not saved in your developer account, and you won’t be able to download it again. If the Download button is disabled, you have already downloaded the key.
Configuring email communication
Configuring Apple for email communication allows users to set up an account and sign in to applications with their existing Apple ID, which is required for PingOne to communicate with users and for users to receive updates from Apple. For more information, see Configure Private Email Relay Service.
Steps
-
On the Apple Developer site, click Certificates, Identifiers & Profiles.
-
On the left, click More and then click Configure.
-
Next to Email Sources, click the icon.
-
For Domains and subdomains, enter
pingidentity.com
. -
Click Next.
-
Click Register and then click Done.
Adding Apple as an identity provider in PingOne
Configure the identity provider connection in PingOne.
Before you begin
Ensure that registration is enabled in the authentication policy. See Editing an authentication policy.
You should have the following information ready:
-
App ID (Client ID)
-
Client secret signing key
-
Team ID
-
Private key ID
For more information, see Creating an App ID and Creating a private key.
Steps
-
In PingOne, go to Integrations → External IdPs.
-
Click Add Provider.
-
Click Apple.
-
On the Create Profile page, enter the following information:
-
Name: A unique identifier for the IdP.
-
Description: (Optional). A brief description of the IdP.
You cannot change the icon and login button, in accordance with the provider’s brand standards.
-
-
Click Next.
-
On the Configure Connection page, enter the following information:
-
Client ID: (App ID). The application ID that you copied earlier from the identity provider. You can find this information on the Apple Developers site.
-
Client secret signing key: The application secret that you copied earlier from the identity provider. You can find this information on the Apple Developers site.
-
Team ID: A unique 10-character string generated by Apple that identifies your organization. The team ID is the prefix of the App ID.
-
Private key ID: Identifies the private key in the JSON web token (JWT). This JSON object is the Client Secret in PingOne.
-
Callback URL: The URL to which the user will be redirected after authenticating. This value is read-only. You’ll provide this value to the identity provider later.
-
-
Click Save and Continue.
-
On the Map Attributes page, define how the PingOne user attributes are mapped to identity provider attributes.
For more information, see Mapping attributes.
-
Enter the PingOne user profile attribute and the external IdP attribute. For more information about attribute syntax, see Identity provider attributes.
-
To add an attribute, click Add attribute.
-
To use the expression builder, click Build and test or Advanced Expression. See Using the expression builder.
-
Select the update condition, which determines how PingOne updates its user directory with the values from the identity provider. The options are:
-
Empty only: Update the PingOne attribute only if the existing attribute is empty.
-
Always: Always update the PingOne directory attribute.
-
You can map only attributes that are in the ID token, such as
iss
,iat
,expt
,aud
,sub
,nonce
,nonce_supported
,email
, andemail_verified
. -
-
Click Save and Finish.
Adding the return URL to the Apple Developers site
Copy the callback URL and paste it in the Apple Developers site.
Steps
-
In PingOne, go to Integrations → External IdPs.
-
Locate the appropriate IdP and then click the details icon to expand the IdP.
-
Click the Connection tab.
-
Copy the callback URL and paste it in a secure location.
-
On the Apple Developer site, click Certificates, Identifiers & Profiles.
-
Select Sign in with Apple and click Configure.
-
Select the primary App ID and click the icon.
-
For Return URLs, paste the value for
Callback URL
that you copied earlier. -
Click Next, and then click Done.
Next steps
-
Enable the external IdP. See Enabling or disabling an identity provider.
-
Add the IdP to your authentication policy. See Editing an authentication policy.
-
Add the authentication policy to your application. See Applications.