The configuration of Apple ID authentication method requires Ubisecure SSO 8.10.x or later
Register with Apple ID to obtain a client ID (Service ID) and client secret, and register the redirect URI. Information on how to register can be found in the Sign in with Apple Developer Documentation.
Note: The redirect URI will be constructed by SSO in the format: https://<sso base url>/uas/return/<method name>/redirect
The <sso base url> must be reachable by the Sign in with Apple servers.
The method can be configured either through SSO Management Console or SSO Management API. Here you can find instructions for configuration with SSO Management Console. API instructions can be found via the link at the bottom of the page.
Log in to SSO Management Console. Go to Global Method Settings → New method… and create the method. Remember to give the method the same name that is used in the registered redirect URI.
|Create new method for Apple OIDC|
- Go to the Open ID Connect tab and upload the Provider Metadata. Apple ID metadata is available at: https://appleid.apple.com/.well-known/openid-configuration
- Upload the Provider Keys, which can be found at the jwks_uri given in the provider metadata:
|Apple OIDC - Authentication Provider configuration|
- Upload Client Metadata, in which you specify your client ID and secret and define the scope based on the claims you want to receive from Apple ID.
- If you don’t have client metadata already, you can download a template, modify it and upload it:
Press Create next to Registration Request. This will download a JSON file.
- Modify the file based on your needs. Remember to add at least:
- Upload the file as Registration Response or Client Metadata.
If you have your client metadata, you can simply upload it by clicking Upload next to Client metadata.
- You should see your client ID as Client identifier and a new field Client secret (already set).
|Apple OIDC method configuration|
Go to the Main tab, select the Enabled box and add the configuration strings:
and press Update.
|Apple method settings - enabling and configuring|
- The configuration of the method is now done. Next you need to add it to your application.
First, add the method on site level of your application. Go to Site methods → Add method... and choose “Apple ID” method.
|Add Apple method to the site methods|
- Create a dynamic group for access control, where membership is based on the authentication method used to log in. In the site view, go to Groups → New Group... and create a group, e.g. “Apple ID users”. Then, in the group view, go to the Allowed Methods tab, select the authentication method “Apple ID” and press Update.
Go to your application and in Allowed Methods tab select “Apple ID” method and press Update.
|Add Apple method to the Allowed Methods of the application|
Go to the Allowed To tab, press Add... and add the group “Apple ID users”.
|Add the group created in step 9 (associated with the Apple method) to the Allowed To list of the application|
- Since Apple OIDC uses response_mode=form_post, cross-domain communication occurs. Google Chrome (version 80 and higher) has changed its default cookie behavior. To ensure proper communication between different top-level domains, take the actions described in our SameSite cookies changes technical announcement.
- Now that the configuration is done, users should be able to log in to your application using Apple ID.
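The following script is an added example, not part of Ubisecure's documentation or product. It pre-checks the artefacts the steps above deal with before anything is uploaded: it builds the redirect URI in the format SSO uses, validates the downloaded provider metadata (issuer, jwks_uri, form_post support), and validates the client metadata. The embedded provider document is a constructed, abbreviated sample, and the client metadata field names (client_id, client_secret, scope, redirect_uris) are assumed to follow the standard OIDC registration format, which the Registration Request template may not match exactly.

```python
"""Pre-flight checks for an Apple ID OIDC method before uploading metadata into
the SSO Management Console. Added example, not Ubisecure code; the sample below is
constructed and abbreviated: confirm it against the live discovery document."""
import json
from urllib.parse import urlparse

APPLE_ISSUER = "https://appleid.apple.com"

# Constructed sample of the provider metadata from
# https://appleid.apple.com/.well-known/openid-configuration (abbreviated).
PROVIDER_METADATA = json.loads("""{
  "issuer": "https://appleid.apple.com",
  "jwks_uri": "https://appleid.apple.com/auth/keys",
  "response_modes_supported": ["query", "fragment", "form_post"],
  "scopes_supported": ["openid", "email", "name"],
  "id_token_signing_alg_values_supported": ["RS256"]
}""")


def build_redirect_uri(sso_base_url: str, method_name: str) -> str:
    """Redirect URI as SSO constructs it: https://<base>/uas/return/<method>/redirect."""
    base = sso_base_url.removeprefix("https://").rstrip("/")
    return f"https://{base}/uas/return/{method_name}/redirect"


def check_provider_metadata(meta: dict) -> list[str]:
    """Return problems that would make the uploaded provider metadata unusable."""
    findings = []
    if meta.get("issuer") != APPLE_ISSUER:
        findings.append("issuer does not match the discovery document origin")
    jwks = urlparse(meta.get("jwks_uri", ""))
    if jwks.scheme != "https" or jwks.netloc != urlparse(APPLE_ISSUER).netloc:
        findings.append("jwks_uri missing, not https, or not on the issuer host")
    if "form_post" not in meta.get("response_modes_supported", []):
        findings.append("provider does not advertise response_mode=form_post")
    return findings


def check_client_metadata(client: dict, meta: dict, redirect_uri: str) -> list[str]:
    """Check client metadata (assumed RFC 7591 field names) before uploading it."""
    findings = [f"missing {k}" for k in ("client_id", "client_secret") if not client.get(k)]
    scopes = client.get("scope", "").split()
    if "openid" not in scopes:
        findings.append("scope must include openid")
    findings += [f"scope {s} not supported by provider"
                 for s in scopes if s not in meta.get("scopes_supported", [])]
    if redirect_uri not in client.get("redirect_uris", []):
        findings.append("redirect_uris does not contain the SSO redirect URI")
    return findings
```

An empty findings list from both checks means the files are consistent with each other and with the redirect URI registered at Apple; any finding points at the field to fix before upload.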
- SSO Management API
- OpenID Connect authentication method
- Configuring authentication method's logo
- Apple Developer Account
- Sign in with Apple REST API
- SameSite cookies changes technical announcement