---
title: Adding an identity provider - Apple
description: Add Apple as an external identity provider in PingOne to allow users to sign on with Apple when accessing your application.
component: pingone
page_id: pingone:integrations:p1_add_idp_apple_prereqs
canonical_url: https://docs.pingidentity.com/pingone/integrations/p1_add_idp_apple_prereqs.html
revdate: May 29, 2025
page_aliases: ["p1_create_app_id.adoc", "p1_create_services_id.adoc", "p1_create_private_key.adoc", "p1_configure_email_communication.adoc", "p1_add_idp_apple.adoc", "p1_add_return_url_to_apple.adoc"]
section_ids:
  before-you-begin: Before you begin
  apple_create_app_id: Creating an App ID
  steps: Steps
  apple_create_private_key: Creating a Services ID
  steps-2: Steps
  creating-a-private-key: Creating a private key
  steps-3: Steps
  configuring-email-communication: Configuring email communication
  steps-4: Steps
  adding-apple-as-an-identity-provider-in-pingone: Adding Apple as an identity provider in PingOne
  before-you-begin-2: Before you begin
  steps-5: Steps
  adding-the-return-url-to-the-apple-developers-site: Adding the return URL to the Apple Developers site
  steps-6: Steps
  next-steps: Next steps
---

# Adding an identity provider - Apple

Adding Apple as an external identity provider (IdP) gives your users the option to sign on with Apple when accessing your application. An IdP is a service that manages identity information and provides authentication services to relying clients or service providers (SPs) within a federated or distributed network.

## Before you begin

Ensure that you have:

* A PingOne organization with an environment added. Learn more in [Starting a PingOne trial](../getting_started_with_pingone/p1_start_a_p1_trial.html).

* Added your application to PingOne. Learn more in [Adding an application](../applications/p1_applications_add_applications.html).

* An Apple account.

## Creating an App ID

When you register your application, Apple generates an App ID to identify the application. You'll need this value to connect the application to PingOne.

### Steps

1. Go to the [Apple Developer site](https://developer.apple.com) and sign on to your Apple Developer account.

   If you don't have an Apple Developer account, you'll need to create one.

2. Click **Certificates, Identifiers & Profiles**.

3. On the left, click **Identifiers** and then click the **+** icon.

4. In the **Register a New Identifier** section, select **App IDs**.

5. In the **Register an App ID** section, enter a value for the **Bundle ID**.

6. Copy the following values to a secure location:

   * **App ID prefix** (Team ID): Identifies your team or organization.

   * **Bundle ID**: Identifies a group of applications.

7. In the list of available capabilities, select **Sign in with Apple**.

8. Click **Continue and Register**.

## Creating a Services ID

The Services ID identifies the particular instance of your application. The Services ID is equivalent to a client ID in PingOne.

### Steps

1. On the [Apple Developer site](https://developer.apple.com), sign on to your Apple Developer account and then click **Certificates, Identifiers & Profiles**.

2. In the **Register a New Identifier** section, select **Services ID**.

3. Enter the following information:

   * **Description**: A brief description of the application.

   * **Identifier**: The path to the application. This value will be used as the client ID in PingOne.

4. Click **Continue and Register**.

5. In the list, select the service you just created.

6. Select **Sign in with Apple** and click **Configure**.

7. Select the primary App ID and click the **+** icon.

8. Enter a value for **Domains and subdomains**.

   This is the top-level domain for your application.

9. Leave the **Return URLs** blank for now.

   This is the path in your application that users are redirected to after they have authenticated with Apple. This value is equivalent to a callback URI. You'll enter this value after you set up your application in PingOne.

10. Click **Next**, and then click **Done**.

11. Click **Continue**, and then click **Save**.

## Creating a private key

When you register your application, Apple generates a private key for client authentication. You'll need this value when you add the application to PingOne.

### Steps

1. On the Apple Developer site, click **Certificates, Identifiers & Profiles**.

2. On the left, click **Keys**.

3. To register a new key, click the **+** icon.

4. Enter a value for **Key Name**.

5. Select **Sign in with Apple** and click **Configure**.

6. Select the primary App ID you created earlier.

7. Click **Save** and then click **Continue**.

8. Click **Register**.

9. Copy the **Key ID** to a secure location.

   You'll use this value when you add the IdP in PingOne.

10. To save the key to the local file system, click **Download**.

    The key is saved as a text file with a `.p8` file extension. The contents of this file are the client secret signing key, which you enter as the **Private key** in PingOne, and the **Key ID** you copied is the **Private key ID** in PingOne.

    > **Note:** You can download the key only once. Save the file to a secure location because the key is not saved in your developer account, and you won't be able to download it again. If the **Download** button is disabled, you already downloaded the key.

## Configuring email communication

Configuring email communication with Apple lets users set up an account and sign on to applications with their existing Apple ID. Registering your email domain as an email source is required for PingOne to communicate with these users through Apple's private email relay service and for users to receive updates from Apple. Learn more in [Configure private email relay service](https://developer.apple.com/help/account/configure-app-capabilities/configure-private-email-relay-service/) in the Apple Developer documentation.

### Steps

1. On the Apple Developer site, click **Certificates, Identifiers & Profiles**.

2. On the left, click **More** and then click **Configure**.

3. Next to **Email Sources**, click the **+** icon.

4. For **Domains and subdomains**, enter `pingidentity.com`.

5. Click **Next**.

6. Click **Register** and then click **Done**.

## Adding Apple as an identity provider in PingOne

Configure the IdP connection in PingOne.

### Before you begin

Ensure that registration is enabled in the authentication policy. Learn more in [Editing an authentication policy](../authentication/p1_edit_auth_policy.html).

You should have the following information ready:

* App ID (Client ID)

* Client secret signing key

* Team ID

* Private key ID

Learn more in [Creating an App ID](#apple_create_app_id) and [Creating a Services ID](#apple_create_private_key).
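The four values above are combined into a single artifact: the client secret that PingOne presents to Apple is a JSON Web Token signed with the `.p8` key using ES256, with the Team ID as `iss`, the Services ID as `sub`, `https://appleid.apple.com` as `aud` and the Key ID in the `kid` header. The following Go program is an added example, not PingOne's or Apple's code, that shows how such a token is built and how its signature can be checked. The Team ID, Services ID and Key ID values are placeholders, and the key is generated in memory to stand in for a downloaded `.p8` file.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Fixed "aud" claim Apple expects in a client secret.
const appleAudience = "https://appleid.apple.com"

// ClientSecretInput collects the values from the Apple Developer site that PingOne asks for.
type ClientSecretInput struct {
	TeamID     string            // Team ID (App ID prefix): the JWT "iss" claim
	ServicesID string            // Services ID identifier (client ID): the JWT "sub" claim
	KeyID      string            // Key ID of the Sign in with Apple key: the JWT "kid" header
	PrivateKey *ecdsa.PrivateKey // key parsed from the downloaded .p8 file
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// ParseP8 turns the PEM text of a downloaded .p8 file into an ECDSA P-256 private key.
func ParseP8(pemText string) (*ecdsa.PrivateKey, error) {
	block, _ := pem.Decode([]byte(pemText))
	if block == nil {
		return nil, errors.New("no PEM block found in .p8 text")
	}
	key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	ec, ok := key.(*ecdsa.PrivateKey)
	if !ok || ec.Curve != elliptic.P256() {
		return nil, errors.New("ES256 requires an ECDSA P-256 key")
	}
	return ec, nil
}

// BuildClientSecret signs the client-secret JWT with ES256. Apple rejects an exp more than
// six months after iat, so the lifetime is capped accordingly.
func BuildClientSecret(in ClientSecretInput, now time.Time, ttl time.Duration) (string, error) {
	if ttl <= 0 || ttl > 180*24*time.Hour {
		return "", errors.New("ttl must be positive and at most six months")
	}
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": in.KeyID})
	claims, _ := json.Marshal(map[string]any{
		"iss": in.TeamID, "iat": now.Unix(), "exp": now.Add(ttl).Unix(),
		"aud": appleAudience, "sub": in.ServicesID,
	})
	signingInput := b64url(header) + "." + b64url(claims)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, in.PrivateKey, digest[:])
	if err != nil {
		return "", err
	}
	// JWS ES256 carries the raw R||S values (32 bytes each), not the DER form ecdsa.SignASN1 produces.
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64url(sig), nil
}

// VerifyClientSecret checks the ES256 signature with the matching public key and returns the claims.
func VerifyClientSecret(token string, pub *ecdsa.PublicKey) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("bad ES256 signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, errors.New("signature does not verify")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // in-memory stand-in for the .p8 key
	in := ClientSecretInput{TeamID: "TEAMID1234", ServicesID: "com.example.signin", KeyID: "KEYID12345", PrivateKey: key}
	token, err := BuildClientSecret(in, time.Now(), 24*time.Hour)
	claims, verr := VerifyClientSecret(token, &key.PublicKey)
	fmt.Println(token, err, claims, verr)
}
```

In real use, read the `.p8` file and pass its text to `ParseP8`. Because the `.p8` contents can sign client secrets for as long as the key stays registered, treat the file like a password, and rotate the generated secret before its `exp` because Apple will not accept a lifetime longer than six months.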

### Steps

1. In the PingOne admin console, go to **Integrations > External IdPs** and click the **+** icon.

2. Click **Apple**.

3. Click **Next**.

4. On the **Add External Identity Provider** page, enter the following information:

   * **Name**: A unique identifier for the IdP.

   * **Description** (optional): A brief description of the IdP.

   * **Population**: A population that overrides the authentication policy's registration population and enables just-in-time registration from the IdP.

     > **Note:** The **Icon** and **Sign-on Button** can't be changed, in accordance with the provider's brand standards.

5. Click **Next**.

6. Configure the connection and enter the following information:

   * **Service ID** (App ID): The application ID that you copied earlier from the IdP. You can find this information on the [Apple Developer site](https://developer.apple.com).

   * **Private key**: The contents of the `.p8` key file that you downloaded earlier from the [Apple Developer site](https://developer.apple.com). This key is the client secret signing key.

   * **Team ID**: A unique 10-character string generated by Apple that identifies your organization. The team ID is the prefix of the app ID.

   * **Private key ID**: The Key ID that you copied earlier. It identifies the private key in the JSON Web Token (JWT) that PingOne signs and sends to Apple as the client secret.

   * **Callback URL**: Copy the **Callback URL** to a secure location. You'll provide this value to the IdP later.

7. Click **Next**.

8. Map the following PingOne attributes to Apple attributes:

   | PingOne attribute | Apple attribute                   |
   | ----------------- | --------------------------------- |
   | Given Name        | providerAttributes.name.firstName |
   | Family Name       | providerAttributes.name.lastName  |

   > **Note:** Apple only sends an ID token with the first authentication using Sign in with Apple. Learn more about Sign in with Apple in [Authenticating users with Sign in with Apple](https://developer.apple.com/documentation/signinwithapple/authenticating-users-with-sign-in-with-apple) in the Apple documentation.

9. Map additional attributes as needed.

   Learn more in [Mapping attributes](../directory/p1_editsamlattributemapping.html).

   > **Note:** You can map additional attributes if they are in the ID token from Apple, such as `iss`, `iat`, `exp`, `aud`, `sub`, `nonce`, `nonce_supported`, `email`, and `email_verified`. Learn more about the JSON structure generated by Apple in [Configuring your webpage for Sign in with Apple](https://developer.apple.com/documentation/signinwithapple/configuring-your-webpage-for-sign-in-with-apple/) in the Apple documentation.

   * Enter the PingOne user profile attribute and the external IdP attribute. Learn more about attribute syntax in [Identity provider attributes](p1_idp_attributes.html).

   * To add an attribute, click **+ Add**.

   * To use the advanced expression builder, click the **Gear** icon. Learn more in [Using the expression builder](../pingone_expression_language/p1_use_expression_builder.html).

   * Select the update condition, which determines how PingOne updates its user directory with the values from the IdP. The options are:

     * **Empty only**: Update the PingOne attribute only if the existing attribute is empty.

     * **Always**: Always update the PingOne directory attribute.

10. Click **Save**.

11. To enable the IdP, click the toggle at the top of the details panel to the right (blue).

    > **Note:** You can disable the IdP by clicking the toggle to the left (gray).
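To show what the mapping rows and update conditions in steps 8 and 9 do at run time, here is an added Go example that is not PingOne's code. It merges the claims of a verified ID token with the `name` object Apple returns only on the first authorization (the assumption here is that PingOne's `providerAttributes` object holds both), resolves dotted paths such as `providerAttributes.name.firstName`, and applies the **Empty only** and **Always** conditions to a user profile. The claims and user JSON are constructed sample values, and signature verification is out of scope because PingOne verifies the token before mapping.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// UpdateCondition is the per-row choice in step 9.
type UpdateCondition int

const (
	EmptyOnly UpdateCondition = iota // update only if the PingOne attribute is empty
	Always                           // always overwrite with the IdP value
)

// Mapping is one row of the attribute table: PingOne attribute <- dotted IdP path.
type Mapping struct {
	PingOneAttr string
	IdPPath     string
	Condition   UpdateCondition
}

// DefaultMappings: the two rows from step 8 plus two optional ID-token claims from step 9.
var DefaultMappings = []Mapping{
	{"Given Name", "providerAttributes.name.firstName", EmptyOnly},
	{"Family Name", "providerAttributes.name.lastName", EmptyOnly},
	{"Email", "providerAttributes.email", Always},
	{"Email Verified", "providerAttributes.email_verified", Always},
}

// BuildProviderAttributes merges the verified ID-token claims with the `user` JSON that Apple
// returns only with the first authorization ({"name":{"firstName":..,"lastName":..},"email":..}).
// Assumption: this merged object is what the providerAttributes paths in the PingOne table refer to.
func BuildProviderAttributes(claims map[string]any, userJSON string) (map[string]any, error) {
	attrs := make(map[string]any, len(claims))
	for k, v := range claims {
		attrs[k] = v
	}
	if userJSON != "" {
		var user map[string]any
		if err := json.Unmarshal([]byte(userJSON), &user); err != nil {
			return nil, err
		}
		for k, v := range user {
			attrs[k] = v
		}
	}
	return attrs, nil
}

// lookup resolves a dotted path such as providerAttributes.name.firstName to a string. Apple's
// email_verified claim may arrive as a bool or as the string "true"; both map to "true".
func lookup(attrs map[string]any, path string) (string, bool) {
	parts := strings.Split(path, ".")
	if len(parts) < 2 || parts[0] != "providerAttributes" {
		return "", false
	}
	var cur any = attrs
	for _, p := range parts[1:] {
		m, ok := cur.(map[string]any)
		if !ok {
			return "", false
		}
		if cur, ok = m[p]; !ok {
			return "", false
		}
	}
	switch v := cur.(type) {
	case string:
		return v, true
	case bool, float64:
		return fmt.Sprintf("%v", v), true
	}
	return "", false
}

// ApplyMappings returns an updated copy of the PingOne profile. A path absent from this sign-on
// (the name after the first one) leaves the existing value untouched under either condition.
func ApplyMappings(profile map[string]string, attrs map[string]any, mappings []Mapping) map[string]string {
	out := make(map[string]string, len(profile))
	for k, v := range profile {
		out[k] = v
	}
	for _, m := range mappings {
		if val, ok := lookup(attrs, m.IdPPath); ok && (m.Condition == Always || out[m.PingOneAttr] == "") {
			out[m.PingOneAttr] = val
		}
	}
	return out
}

func main() {
	// Constructed claims for a first sign-on (user object present) and a later one (absent).
	claims := map[string]any{"sub": "001234.abcd", "email": "abc@privaterelay.appleid.com", "email_verified": "true"}
	attrs, _ := BuildProviderAttributes(claims, `{"name":{"firstName":"Ada","lastName":"Lovelace"}}`)
	profile := ApplyMappings(map[string]string{}, attrs, DefaultMappings)
	fmt.Println("first sign-on:", profile)
	later, _ := BuildProviderAttributes(map[string]any{"sub": "001234.abcd", "email": "xyz@privaterelay.appleid.com", "email_verified": true}, "")
	fmt.Println("later sign-on:", ApplyMappings(profile, later, DefaultMappings))
}
```

The practical point is the interaction between Apple's behaviour and the update condition: because the name arrives only once, a name row set to **Always** gains nothing on later sign-ons, while an email row set to **Always** tracks a changed private relay address. Keep `sub` as the stable identifier when correlating users, since the relay email can change.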

## Adding the return URL to the Apple Developers site

Copy the callback URL from the PingOne admin console and paste it in the [Apple Developer site](https://developer.apple.com).

### Steps

1. In the PingOne admin console, go to **Integrations > External IdPs** and browse or search for the appropriate IdP.

2. Click the IdP to open the details panel.

3. Click the **Connection** tab.

4. Copy the callback URL to a secure location.

5. On the Apple Developer site, click **Certificates, Identifiers & Profiles**.

6. Select **Sign in with Apple** and click **Configure**.

7. Select the primary App ID and click the **+** icon.

8. For **Return URLs**, paste the **Callback URL** value that you copied earlier.

9. Click **Next**, and then click **Done**.

### Next steps

* [Add the IdP to your authentication policy](../authentication/p1_edit_auth_policy.html).

* [Apply the authentication policy to your application](../applications/p1_apply_auth_policy_to_applications.html).
