# Sign in with Apple Identity Provider

Note: Sign in with Apple is in experimental mode, which means it is not yet production ready.

Sign In with Apple makes it easy for users to sign in to your apps and websites using their Apple ID. Onegini IDP integrates with it and lets users log in with their Apple ID from a mobile app or from the web.
## What is required?

To successfully complete this topic guide you need to ensure the following prerequisites:

- an Onegini IDP instance must be running; for the sake of this guide we assume it is available at http://idp-core.dev.onegini.me
- a Sign in with Apple application is registered within the Apple environment (see the Configuration section for the data that is required)
## Configuration

Configuration of Sign in with Apple starts with enabling it within your Apple Developer account. Please refer to the Apple documentation for the details.

Once Sign in with Apple is configured within the Apple Developer account, you can continue by configuring it within Onegini IDP.
### Add signing certificate

The client_secret sent to Apple is a JSON object that contains a header and a payload; it is required to sign and encrypt it, so a private key has to be registered first.

- go to the admin panel -> System -> Key pairs
- press the + button to add a new key pair
- fill in the data required for the configuration

Field | Example | Description | Required |
---|---|---|---|
Name | Apple ID | Name of the key pair | yes |
Private key | -----BEGIN PRIVATE KEY----- HIGTA.. ...ExRnrw1h -----END PRIVATE KEY----- | Private key used to sign client_secret | yes |
Public key | - | Not required for Sign in with Apple | no |

- add the key pair by pressing the Save button

Please note that currently Sign in with Apple requires the private key to be in PKCS8 format.
### Add identity provider

- go to the admin panel -> Configuration -> Identity Providers
- press the + button to add a new identity provider
- select Sign In with Apple from the list of available identity providers
- fill in the data required for the configuration

Field | Example | Description | Required |
---|---|---|---|
Name | Sign In with Apple | Name of the identity provider | yes |
Authentication level | 1 | Authentication level to which the account is set after being authenticated with this identity provider | yes |
Enabled | checked | Gives the possibility to disable / enable the identity provider | yes |
Migration during sign up | checked | Allows the use of migration sign up for this identity provider | yes |
Client ID | my-client-id | Service ID defined in the Apple Developer account | yes |
Team ID | 33AG3D7HGK | The issuer registered claim key, which has the value of your 10-character Team ID, obtained from the Apple Developer account | yes |
Key ID | ABM8GA3H44 | A 10-character key identifier obtained from the Apple Developer account | yes |
JWKS URI | https://appleid.apple.com/auth/keys | URI to fetch Apple's public key for verifying the token signature | yes |
Signing key | Sign in with Apple | Private key used to sign the id_token. Select the key added in the Add signing certificate section. | yes |
Scopes | email, name | The amount of user information requested from Apple. Allowed values are email and name | no |

- add the identity provider by pressing the Save button
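As an added example that is not part of this guide or of the Onegini product, the Python below assembles the client_secret JWT from the pieces configured above (the PKCS8 private key, the Team ID as issuer, the Key ID in the header and the Client ID as subject) and verifies it again with the public half of the key pair, which is a quick way to check that a key pair and identifiers were entered correctly. The claim layout and the audience value follow Apple's documentation; the key is a throw-away one generated on the fly, the identifiers are the placeholder values from the tables above, and the cryptography package is assumed to be installed.

```python
# Added example (not Onegini code): Apple's documented claim layout; key and IDs are constructed here.
import base64
import json
import time

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.asymmetric.utils import decode_dss_signature, encode_dss_signature

APPLE_AUD = "https://appleid.apple.com"  # audience Apple expects in client_secret

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()  # JOSE: no padding

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def load_pkcs8_key(pem: bytes) -> ec.EllipticCurvePrivateKey:
    # Only unencrypted PKCS8 is accepted (the guide's requirement); "BEGIN EC PRIVATE KEY" is rejected.
    if not pem.startswith(b"-----BEGIN PRIVATE KEY-----"):
        raise ValueError("private key must be in PKCS8 format")
    key = serialization.load_pem_private_key(pem, password=None)
    if not isinstance(key, ec.EllipticCurvePrivateKey) or key.curve.name != "secp256r1":
        raise ValueError("ES256 needs a P-256 EC key")
    return key

def build_client_secret(pem, team_id, key_id, client_id, now=None, ttl=3600):
    # Compact ES256 JWT: header kid = Key ID, iss = Team ID, sub = Client ID (Service ID).
    now = int(time.time()) if now is None else now
    header = {"alg": "ES256", "kid": key_id}
    claims = {"iss": team_id, "iat": now, "exp": now + ttl, "aud": APPLE_AUD, "sub": client_id}
    signing_input = ".".join(b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    der = load_pkcs8_key(pem).sign(signing_input.encode(), ec.ECDSA(hashes.SHA256()))
    r, s = decode_dss_signature(der)  # JOSE carries the raw 64-byte r||s, not the DER structure
    return signing_input + "." + b64url(r.to_bytes(32, "big") + s.to_bytes(32, "big"))

def verify_client_secret(token: str, pem: bytes):
    # Returns the claims when the signature checks out against the key pair's public half, else None.
    signing_input, sig_b64 = token.rsplit(".", 1)
    raw = b64url_decode(sig_b64)
    der = encode_dss_signature(int.from_bytes(raw[:32], "big"), int.from_bytes(raw[32:], "big"))
    try:
        load_pkcs8_key(pem).public_key().verify(der, signing_input.encode(), ec.ECDSA(hashes.SHA256()))
    except InvalidSignature:
        return None
    return json.loads(b64url_decode(signing_input.split(".")[1]))

TEST_PEM = ec.generate_private_key(ec.SECP256R1()).private_bytes(  # constructed throw-away key
    serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8, serialization.NoEncryption())
```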
## Test Sign in with Apple

Sign in with Apple can be used in a few flows, depending on the requirements.

### Web flow

The web flow authenticates by entering the Onegini IDP login page, which is http://idp-core.dev.onegini.me. After entering the login page, press the Sign in with Apple button. You will be redirected to the Apple ID page, where credentials need to be provided and consent given.

After providing valid data, you will be redirected to the Onegini IDP dashboard or .
### SAML flow

You can use Sign in with Apple in the SAML flow. To trigger Sign in with Apple authentication within the SAML flow, send an AuthnRequest whose RequestedAuthnContext is set to urn:com:onegini:saml:idp:apple.

Example AuthnRequest:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest AssertionConsumerServiceURL="http://s4-1.dev.onegini.me:8880/saml/SSO"
                     Destination="http://idp-core.dev.onegini.me/saml/single-sign-on" ForceAuthn="false"
                     ID="aj57h20g9f1i87j53e6987hd3e46d9" IsPassive="false" IssueInstant="2019-08-14T10:36:58.479Z"
                     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"
                     xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">spring:security:saml</saml2:Issuer>
  <saml2p:RequestedAuthnContext Comparison="exact">
    <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:com:onegini:saml:idp:apple</saml2:AuthnContextClassRef>
  </saml2p:RequestedAuthnContext>
</saml2p:AuthnRequest>
```
This flow requires additional configuration on both sides: Onegini IDP (IDP) and the Service Provider (SP).

- steps required on the IDP side:
  - enter the admin panel -> Organisations
  - press the + button to add a new organisation
  - define the Name of the organisation and press Save
  - enter the created organisation by pressing on its name
  - go to the Service Providers tab
  - press the + button to add a new service provider
  - create the new service provider by entering its data:

Field | Value | Description |
---|---|---|
Type | SAML | Type of the service provider. As we want to test the SAML flow, select SAML |
Name | Apple ID service provider | Give a name which identifies the service provider |
Metadata | <md:EntityDescriptor ... | Service provider's metadata |

- steps required on the SP side:
  - the IDP metadata needs to be provided to the SP. It can be found at http://idp-core.dev.onegini.me/saml/metadata.
### Mobile flow

The mobile flow allows Sign in with Apple to be used with Onegini IDP when authentication is initiated by the Onegini Mobile SDK.

The mobile flow consists of three components:

- Onegini IDP
- Onegini Mobile SDK
- Onegini Token Server

Configuration of the Onegini Mobile SDK and the Onegini Token Server is described in the documentation for those components. This documentation covers only the Onegini IDP part.

There are two steps required to complete mobile authentication.

- Mobile authentication is triggered from the Onegini Mobile SDK, where the code and optionally the user are inserted into Onegini IDP via the Storage API. This data should be inserted as JSON containing the two fields code and user, saved as a string.
Example body used for the Storage API (the user field is itself a JSON document stored as a string, so its quotes are escaped a second time):

```json
{
  "value": "{ \"code\": \"c0c678d4746b9441d9475e06950709666.0.nryrz.A-0dKXCFK_-DmSBlhwaj0w\", \"user\": \"{\\\"name\\\":{\\\"firstName\\\":\\\"Andrzej\\\",\\\"lastName\\\":\\\"Nowak\\\"},\\\"email\\\":\\\"[email protected]\\\"}\" }"
}
```
- Continue with the SAML flow. The AuthnRequest should contain a RequestedAuthnContext set to urn:com:onegini:saml:idp:apple and CustomParameters containing an entry with key auth_ref and a value equal to the key obtained from the Storage API response in the step above.

Example AuthnRequest:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest AssertionConsumerServiceURL="http://s4-1.dev.onegini.me:8880/saml/SSO"
                     Destination="http://idp-core.dev.onegini.me:8080/saml/single-sign-on" ForceAuthn="false"
                     ID="a99eai3c048040h52633h9h2619dgi" IsPassive="false" IssueInstant="2019-08-14T10:36:44.609Z"
                     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"
                     xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">spring:security:saml</saml2:Issuer>
  <md:Extensions xmlns:md="urn:oasis:names:tc:SAML:2.0:protocol">
    <oneginicp:CustomParameters xmlns:oneginicp="urn:com:onegini:saml:CustomParameters">
      <oneginicp:CustomParameter Key="auth_ref">
        <oneginicp:Value>kv-store-identifier</oneginicp:Value>
      </oneginicp:CustomParameter>
    </oneginicp:CustomParameters>
  </md:Extensions>
  <saml2p:RequestedAuthnContext Comparison="exact">
    <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:com:onegini:saml:idp:apple</saml2:AuthnContextClassRef>
  </saml2p:RequestedAuthnContext>
</saml2p:AuthnRequest>
```
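As an added example that is not part of this guide or of the Onegini product, the Python below covers the two artefacts of the mobile flow and the SAML flow described above: it produces and reads back the doubly encoded Storage API body (code plus the user JSON stored as a string), and it reads an AuthnRequest to tell whether it requests the Apple context and whether it carries an auth_ref custom parameter, which is what distinguishes a mobile-flow request from a web-initiated SAML one. The element layout and namespaces mirror the example requests on this page; the code, user and auth_ref values are constructed.

```python
# Added example (not Onegini code): Storage API body and AuthnRequest handling for the flows above;
# namespaces mirror this guide's requests, the code/user/auth_ref values are constructed.
import json
import xml.etree.ElementTree as ET

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
      "cp": "urn:com:onegini:saml:CustomParameters"}
APPLE_CONTEXT = "urn:com:onegini:saml:idp:apple"

def storage_api_body(code, user=None):
    # The stored value is a JSON string; its optional "user" field is itself a JSON string,
    # which is why the guide's example body carries doubly escaped quotes.
    inner = {"code": code}
    if user is not None:
        inner["user"] = json.dumps(user, separators=(",", ":"))
    return json.dumps({"value": json.dumps(inner)})

def parse_storage_api_body(body):
    inner = json.loads(json.loads(body)["value"])
    return inner["code"], (json.loads(inner["user"]) if "user" in inner else None)

def parse_authn_request(xml_text):
    # Extracts what the IDP needs to route the request: the requested context class
    # and the auth_ref custom parameter (present only in the mobile flow).
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["saml2p"]:
        raise ValueError("not a saml2p:AuthnRequest")
    ref = root.find("saml2p:RequestedAuthnContext/saml2:AuthnContextClassRef", NS)
    params = {p.get("Key"): p.findtext("cp:Value", namespaces=NS)
              for p in root.iterfind(".//cp:CustomParameters/cp:CustomParameter", NS)}
    return {"id": root.get("ID"), "apple": ref is not None and ref.text == APPLE_CONTEXT,
            "auth_ref": params.get("auth_ref"), "mobile": "auth_ref" in params}

# Constructed mobile-flow request with the same element layout as the guide's example.
SAMPLE_REQUEST = """<saml2p:AuthnRequest ID="req-1" Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">spring:security:saml</saml2:Issuer>
  <md:Extensions xmlns:md="urn:oasis:names:tc:SAML:2.0:protocol">
    <cp:CustomParameters xmlns:cp="urn:com:onegini:saml:CustomParameters">
      <cp:CustomParameter Key="auth_ref"><cp:Value>kv-store-identifier</cp:Value></cp:CustomParameter>
    </cp:CustomParameters>
  </md:Extensions>
  <saml2p:RequestedAuthnContext Comparison="exact">
    <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:com:onegini:saml:idp:apple</saml2:AuthnContextClassRef>
  </saml2p:RequestedAuthnContext>
</saml2p:AuthnRequest>"""
```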