Configure OpenID Connect Sign in with Apple

Configuring the Apple ID authentication method requires Ubisecure SSO 8.10.x or later.

Step-by-step guide

Prerequisite

Register with Apple ID to obtain a client ID (Service ID) and client secret, and register the redirect URI. Information on how to register can be found in the Sign in with Apple Developer Documentation.

Note: SSO constructs the redirect URI in the format: https://<sso base url>/uas/return/<method name>/redirect

The <sso base url> must be reachable from the Sign in with Apple servers.


Configuration

The method can be configured either through the SSO Management Console or the SSO Management API. This page gives instructions for configuration with the SSO Management Console; API instructions can be found via the link at the bottom of the page.

  1. Log in to the SSO Management Console. Go to Global Method Settings → New method… and create the method. Remember to give the method the same name that is used in the registered redirect URI.

    Create new method for Apple OIDC
  2. Go to the OpenID Connect tab and upload the Provider Metadata. Apple ID metadata can be found at: https://appleid.apple.com/.well-known/openid-configuration
  3. Upload the Provider Keys, which can be found at the jwks_uri given in the provider metadata:

    Apple OIDC - Authentication Provider configuration
  4. Upload Client Metadata, where you specify your client ID and secret, and define scope, based on the claims you want to receive from Apple ID.
    1. If you don’t have client metadata already, you can download a template, which can be modified and uploaded:
      1. Press Create next to Registration Request. This will download a JSON file.

      2. Modify the file based on your needs. Remember to add at least:
        • your client ID (Service ID) and secret,
        • your redirect URI,
        • a new attribute id_token_max_lifetime set to 86400 (so that SSO accepts Apple id_tokens, whose lifetime is set to 24 hours),
        • the attribute ubisecure_request_parameters, defining response_mode as form_post:

          Client metadata for Apple example
          {
              "client_id": "<client id>",
              "client_secret": "<client secret>",
              "redirect_uris": [
                  "https://<sso base url>/uas/return/<method name>/redirect"
              ],
              ...
              "id_token_max_lifetime": 86400,
              "ubisecure_request_parameters": {
                  "response_mode":"form_post"
              },
              ...
          }
      3. Upload the file as Registration Response or Client Metadata.
    2. If you have your client metadata, you can simply upload it by clicking Upload next to Client metadata.

    3. You should see your client ID as Client identifier and a new field Client secret (already set).
  5. Press Update.

    Apple OIDC method configuration
  6. Go to the Main tab, tick the Enabled box and add the configuration strings:

    Compatibility=AppleId
    OperationMode=private

    and press Update.

    Apple method settings - enabling and configuring
  7. The configuration of the method is now done. Next you need to add it to your application.
  8. First, add the method on site level of your application. Go to Site methods → Add method... and choose “Apple ID” method.

    Add Apple method to the site methods
  9. Create a dynamic group for access control, where membership is based on the authentication method used to log in. In the site view, go to Groups → New Group..., and create a group, e.g. “Apple ID users”. Then, in the group view, go to the Allowed Methods tab, select the authentication method “Apple ID” and press Update.
  10. Go to your application and in Allowed Methods tab select “Apple ID” method and press Update.

    Add Apple method to the Allowed Methods of the application
  11. Go to the Allowed To tab, press Add... and add the group “Apple ID users”.

    Add the group created in step 9 (associated with Apple method) to the allowed for the application
  12. Since Apple OIDC uses response_mode=form_post, the response is posted back across top-level domains. Google Chrome (version 80 and higher) has changed its default cookie behaviour. To ensure that the cross-domain response is handled correctly, follow the actions described in our SameSite cookies changes technical announcement.
  13. The configuration is now complete; users should be able to log in to your application using Apple ID.
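As an added example (not Ubisecure's own code and not part of this page), the following Python script checks a client metadata file against the requirements listed in step 4 before it is uploaded: it builds the redirect URI the way SSO constructs it, verifies that the template placeholders have been replaced, that id_token_max_lifetime is at least 86400 and that response_mode is form_post. The base URL, method name, client identifiers and id_token claims are constructed sample values, and the lifetime check only illustrates why a 24-hour Apple id_token needs the 86400 setting; it is not how SSO itself validates tokens.

```python
import json

# Constructed sample values for this example (not real credentials or hosts).
SSO_BASE_URL = "sso.example.com"
METHOD_NAME = "apple"
APPLE_ID_TOKEN_LIFETIME = 86400  # Apple issues id_tokens valid for 24 hours


def expected_redirect_uri(sso_base_url, method_name):
    """Build the redirect URI the way SSO constructs it:
    https://<sso base url>/uas/return/<method name>/redirect"""
    return f"https://{sso_base_url}/uas/return/{method_name}/redirect"


def check_client_metadata(metadata, sso_base_url, method_name):
    """Return a list of problems with the client metadata; an empty list
    means the file contains everything the guide says Apple needs."""
    problems = []

    # Template placeholders look like "<client id>"; a real value must be filled in.
    for key in ("client_id", "client_secret"):
        value = metadata.get(key, "")
        if not value or value.startswith("<"):
            problems.append(f"{key} is missing or still a template placeholder")

    uri = expected_redirect_uri(sso_base_url, method_name)
    if uri not in metadata.get("redirect_uris", []):
        problems.append(f"redirect_uris must contain {uri}")

    if metadata.get("id_token_max_lifetime", 0) < APPLE_ID_TOKEN_LIFETIME:
        problems.append("id_token_max_lifetime must be at least 86400 "
                        "(Apple id_token lifetime is 24 hours)")

    params = metadata.get("ubisecure_request_parameters", {})
    if params.get("response_mode") != "form_post":
        problems.append("ubisecure_request_parameters.response_mode must be form_post")

    return problems


def id_token_lifetime_ok(claims, max_lifetime):
    """Check whether an id_token's validity window (exp - iat) fits within the
    configured maximum. Constructed illustration of the lifetime constraint,
    not the SSO product's own validation logic."""
    return 0 < claims["exp"] - claims["iat"] <= max_lifetime


# Template as downloaded via "Create", still containing placeholders (constructed).
TEMPLATE = {
    "client_id": "<client id>",
    "client_secret": "<client secret>",
    "redirect_uris": ["https://<sso base url>/uas/return/<method name>/redirect"],
}

# Completed metadata with constructed values, as it would be uploaded.
FILLED = {
    "client_id": "com.example.sso.service",          # constructed Service ID
    "client_secret": "constructed-client-secret",    # constructed, not a real secret
    "redirect_uris": [expected_redirect_uri(SSO_BASE_URL, METHOD_NAME)],
    "id_token_max_lifetime": 86400,
    "ubisecure_request_parameters": {"response_mode": "form_post"},
}

# Constructed claims resembling an Apple id_token valid for exactly 24 hours.
APPLE_LIKE_CLAIMS = {"iss": "https://appleid.apple.com", "iat": 1700000000, "exp": 1700086400}


if __name__ == "__main__":
    for name, data in (("template", TEMPLATE), ("filled", FILLED)):
        print(name, check_client_metadata(data, SSO_BASE_URL, METHOD_NAME) or "OK")
    print(json.dumps(FILLED, indent=2))
    print("24h token accepted with max 86400:", id_token_lifetime_ok(APPLE_LIKE_CLAIMS, 86400))
    print("24h token accepted with max 3600:", id_token_lifetime_ok(APPLE_LIKE_CLAIMS, 3600))
```

Run the script against the template you downloaded (after replacing the constructed values with your own) and fix every reported problem before uploading it as Registration Response or Client Metadata; the unfilled template reports all five problems, the completed file reports none.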

SSO Management API

OpenID Connect authentication method

Configuring authentication method's logo

Apple Developer Account

Sign in with Apple REST API

SameSite cookies changes technical announcement