
Guide: Configure SSO with Apple

In order to allow your users to log in to your application using their Apple identity (i.e., SSO with Apple), you must first register credentials that identify and authenticate your application during OAuth2 and OIDC flows. Read on to learn how.

For a full walkthrough on configuring SlashID for SSO, please check the dedicated guide.

Before You Start

To create the OAuth2 credentials you will need to use the Apple developer portal. Your organization may also need to register with Apple's Developer Program and invite you to join their Team.

Creating OAuth2 Credentials

Apple's approach to SSO (called "Sign in with Apple" in their documentation) differs from other identity providers. Rather than providing you with a client ID and a secret, Apple provides a client ID and a private key. This private key is used to sign JSON Web Tokens (JWTs), which are in turn used as client secrets. Apple uses the corresponding public key to verify the JWT and validate 'Sign in with Apple' requests coming from your client.

For security reasons, these JWTs have an expiration, and therefore they need to be regenerated periodically. As a result, when creating OAuth credentials for Apple with SlashID, you must provide all the parameters SlashID needs to regenerate the JWTs (i.e., the Apple client secrets). These parameters are encrypted and stored securely by SlashID.

There are several steps required to obtain the required parameters for Apple, which we will cover below. If you are already familiar with Sign in with Apple, you may skip to the last step of this guide, where you can register the credentials with SlashID using our API or console.

Apps, Services, and Keys

To configure 'Sign in with Apple' for the web, you will need to create the following using your Apple Developer account:

  • an Apple App
  • an Apple Service associated with that App
  • a Key associated with that App

If you are already developing with Apple, you may already have some or all of these. If this is the case, make sure that you configure SSO using the App and/or Service that will use 'Sign in with Apple'.

Step 1: Create an App

First, open the Apple Developer Portal and navigate to your Account. Under "Certificates, IDs & Profiles" open "Identifiers".

Open Certificates, IDs, & Profiles

In the dropdown menu in the top right corner, choose "App IDs". If you do not have any existing apps, create one by clicking the "+" button and choosing "App IDs", then "Continue", filling in the fields as directed.

App IDs

Otherwise, choose the existing app you wish to use with 'Sign in with Apple'.

In either case, you must ensure that "Sign in with Apple" is ticked in the list of Capabilities.

App Sign in with Apple

Click "Configure" or "Edit" to open the configuration dialogue for "Sign in with Apple", and either make your app a primary app or group it with an existing primary app.

Primary App

Make a note of the Team ID displayed with your App's information - you will need this later.

Team ID

Once you're done, click "Continue" to finish creating your new app (or navigate back to the list of identifiers).

Step 2: Create a Service

Now you need to create a Service and associate it with your App, or configure an existing Service. Return to the list of Identifiers and choose "Service IDs" from the dropdown. If you are creating a new Service, click the "+" button and choose "Services IDs", then click "Continue". Follow the instructions and click "Register". You should now see your new service in the list of Identifiers.

Service IDs

Click on the Service you wish to use, which will open its configuration page. Check "Sign in with Apple" and then click "Configure".

Service Configuration

For the Primary App ID, choose the App you created or configured in Step 1. In "Domain and Subdomains" you must include the following value:

api.slashid.com

In "Return URLs" you must include the following value:

https://api.slashid.com/oauth/callback

Service Configuration Domains

This ensures that Apple will correctly redirect your users back to SlashID after they have successfully authenticated with Apple, so that SlashID can complete the authentication process and issue a token.

Once you have entered these values, click "Next", check the values are correct, click "Done" and then "Save". The Service is now complete. Make a note of the Identifier for your Service, as you will need it later.

Service ID

Step 3: Create a Key

You now need to create a private key that can be used to generate client secrets for 'Sign in with Apple'. Return to "Certificates, IDs & Profiles" and choose "Keys" from the menu on the left-hand side. If you do not have any keys, click on the "+" to create a new key and enter a name for your key. If you are using an existing key, open it.

Keys

In the list of services to enable, check "Sign in with Apple", and then click "Configure". Choose the ID of your primary App from the dropdown menu and click "Save".

Keys Configuration

Keys Primary App

Now click "Continue", confirm the information on the next page is correct, and click "Register".

Make a note of the Key ID displayed in the key information, as you will need it later. Now click "Download". As noted in the warning dialogue, the key can only be downloaded once, so it is essential that you store it safely until you are ready to register it with SlashID. Once you have downloaded the key, click "Done".

Keys Download

Step 4: Register the credentials with SlashID

You should have to hand the following information:

  • Team ID
  • Service ID - this will be used as the client ID
  • Key ID
  • Private key

You are now ready to register OAuth credentials for Apple using the SlashID console, or our API. Note that for Apple:

  • You do not need to provide a client secret, as SlashID will generate one using the private key when you register the credentials (any secret provided will be ignored).
  • You must choose a lifetime for client secrets, after which they will expire and be automatically regenerated. This must be between 5 minutes and 6 months.
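The mechanism described above (a client secret that is an ES256 JWT signed with the Apple private key, regenerated before its lifetime runs out) and the lifetime bounds in the list just given are shown here as an added example in Go using only the standard library. This is not SlashID's code: it assumes Apple's published JWT layout (the Key ID as kid, the Team ID as iss, the Service ID as sub, audience https://appleid.apple.com), takes 15777000 seconds as the "6 months" upper bound, generates a P-256 key in place of a downloaded .p8 file, and uses constructed placeholder values for the Team ID, Service ID and Key ID.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Audience Apple expects in a Sign in with Apple client secret.
const appleAudience = "https://appleid.apple.com"

// Bounds from the guide (5 minutes to 6 months); 15777000 s for "6 months" is an assumption.
const (
	minSecretLifetime = 5 * time.Minute
	maxSecretLifetime = 15777000 * time.Second
)

// ParseSecretLifetime parses a duration such as "12h34m56s" and enforces the allowed range.
func ParseSecretLifetime(s string) (time.Duration, error) {
	d, err := time.ParseDuration(s)
	if err != nil {
		return 0, fmt.Errorf("secret_lifetime %q: %w", s, err)
	}
	if d < minSecretLifetime || d > maxSecretLifetime {
		return 0, fmt.Errorf("secret_lifetime %s outside [%s, %s]", d, minSecretLifetime, maxSecretLifetime)
	}
	return d, nil
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// AppleClientSecret builds the ES256-signed JWT that Apple accepts as the client secret:
// header {alg, kid}, claims {iss = Team ID, sub = Service ID, aud, iat, exp}.
func AppleClientSecret(priv *ecdsa.PrivateKey, teamID, clientID, keyID string, now time.Time, lifetime time.Duration) (string, error) {
	if lifetime < minSecretLifetime || lifetime > maxSecretLifetime {
		return "", errors.New("lifetime outside allowed range")
	}
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": keyID})
	claims, _ := json.Marshal(map[string]interface{}{
		"iss": teamID, "iat": now.Unix(), "exp": now.Add(lifetime).Unix(), "aud": appleAudience, "sub": clientID,
	})
	signingInput := b64url(header) + "." + b64url(claims)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signatures are raw r||s, 32 bytes each, not ASN.1 DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64url(sig), nil
}

// VerifyAppleClientSecret mirrors what Apple does with the corresponding public key:
// check the ES256 signature, reject an expired secret, and return the claims.
func VerifyAppleClientSecret(pub *ecdsa.PublicKey, token string, now time.Time) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("malformed ES256 signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature verification failed")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	if exp, _ := claims["exp"].(float64); now.Unix() >= int64(exp) {
		return nil, errors.New("client secret expired; regenerate it")
	}
	return claims, nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed key standing in for a real .p8
	lifetime, _ := ParseSecretLifetime("12h34m56s")
	tok, _ := AppleClientSecret(priv, "<TEAM ID>", "<SERVICE ID>", "<KEY ID>", time.Now(), lifetime)
	fmt.Println(tok)
}
```

The key downloaded from the Apple portal is a PKCS#8 PEM file; in Go it loads with pem.Decode followed by x509.ParsePKCS8PrivateKey and a type assertion to *ecdsa.PrivateKey, which is also why the private_key field in the API call below carries the PEM line breaks as \n escapes inside a JSON string. Because the secret expires, a service that only signed it once would start failing at Apple after the lifetime elapsed; the verifier above shows the failure mode that regeneration avoids.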

The API call to register OAuth credentials for Apple is as follows:

curl --location 'https://api.slashid.com/organizations/sso/oidc/provider-credentials' \
  --header 'SlashID-OrgID: <ORGANIZATION ID>' \
  --header 'SlashID-API-Key: <API KEY>' \
  --header 'Content-Type: application/json' \
  --data '{
    "client_id": "<SERVICE ID>",
    "provider": "apple",
    "label": "<DESCRIPTIVE LABEL>",
    "options": {
      "apple": {
        "private_key": "-----BEGIN PRIVATE KEY-----\n ... \n-----END PRIVATE KEY-----",
        "team_id": "<TEAM ID>",
        "key_id": "<KEY ID>",
        "secret_lifetime": "12h34m56s"
      }
    }
  }'

In this example the secret_lifetime of "12h34m56s" means 12 hours, 34 minutes, and 56 seconds. JSON does not allow comments, so the body must not contain one. The private key is sent as a single JSON string with the PEM line breaks written as \n escapes.

You are now ready to start using SlashID for SSO with Apple.