Sign in with Apple Identity Provider

Note Sign in with Apple is in experimental mode, which means it is not yet production ready.

Sign In with Apple makes it easy for users to sign in to your apps and websites using their Apple ID. Onegini IDP integrates with it and lets users log in with their Apple ID from both mobile and web applications.

What is required?

To successfully complete this topic guide, make sure the following prerequisites are met:

  • An Onegini IDP instance is running; for the sake of this guide we assume it is available at https://idp-core.dev.onegini.me
  • A Sign in with Apple application is registered in the Apple environment (see the Configuration section for the data that is required)

Configuration

Configuration of Sign in with Apple starts with enabling it in your Apple Developer account. Refer to Apple's documentation for details.

When configuring Sign in with Apple in Apple's Developer Portal you will be required to verify the domain on which the relying party's application (here, the Onegini IDP) is running. In the first field, provide the domain name on which the Onegini IDP is running, e.g. idp-core.dev.onegini.me. The other field is the return URL, where you should enter https://idp-core.dev.onegini.me/auth/appleid/callback. Domain verification should be continued after the configuration in the Onegini IDP is complete.

Note Apple strictly requires the domain verification file to be served over HTTPS.

Add signing certificate

The client_secret is a JSON object that contains a header and a payload, and it must be signed and encrypted. Add the key pair used for this as follows.

  • go to the admin panel -> System -> Key pairs
  • press the + button to add a new key pair
  • fill in the data required for the configuration

  Field       | Example                                                   | Description                                                                       | Required
  Name        | Apple ID                                                  | Name of the key pair                                                              | yes
  Private key | -----BEGIN PRIVATE KEY----- ... -----END PRIVATE KEY----- | Private key used to sign client_secret, downloaded from the Apple developer account | yes
  Public key  | -                                                         | Not required for Sign in with Apple                                               | no

  • add the key pair by pressing the Save button

Please note that for Sign in with Apple the private key currently must be in PKCS8 format.

Add identity provider

  • go to the admin panel -> Configuration -> Identity Providers
  • press the + button to add a new identity provider
  • select Sign In with Apple from the list of available identity providers
  • fill in the data required for the configuration

  Field                  | Example                            | Description                                                                                                           | Required
  Name                   | Sign In with Apple                 | Name of the identity provider                                                                                         | yes
  Authentication level   | 1                                  | Authentication level to which the account is set after being authenticated with this identity provider                | yes
  Enabled                | checked                            | Allows the identity provider to be enabled or disabled                                                                | yes
  Migration during sign up | checked                          | Allows migration sign up to be used for this identity provider                                                        | yes
  Client ID              | my-client-id                       | Service ID defined in the Apple Developer account                                                                     | yes
  Team ID                | 33AG3D7HGK                         | The issuer registered claim key, which has the value of your 10-character Team ID, obtained from the Apple Developer account | yes
  Key ID                 | ABM8GA3H44                         | A 10-character key identifier obtained from the Apple Developer account                                               | yes
  JWKS URI               | https://appleid.apple.com/auth/keys | URI from which Apple's public key is fetched to verify the token signature                                            | yes
  Signing key            | Sign in with Apple                 | Private key used to sign id_token. Select the key added in the Add signing certificate section.                      | yes
  Domain verification    | -                                  | Upload the file used to verify the Onegini IDP domain.                                                                | yes
  Scopes                 | email, name                        | The amount of user information requested from Apple. Allowed values are email and name                                | no

  • add the identity provider by pressing the Save button

Test Sign in with Apple

Sign in with Apple can be used in a few flows, depending on the requirements.

Web flow

In the web flow you authenticate by opening the Onegini IDP login page, which is https://idp-core.dev.onegini.me. On the login page, press the Sign in with Apple button. You will be redirected to the Apple ID page, where credentials need to be provided and consent given. After providing valid data you will be redirected to the Onegini IDP dashboard.

SAML flow

You can use Sign in with Apple in the SAML flow. To trigger Sign in with Apple authentication within the SAML flow, send an AuthnRequest whose RequestedAuthnContext is set to urn:com:onegini:saml:idp:apple.

Example AuthnRequest

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest AssertionConsumerServiceURL="http://s4-1.dev.onegini.me:8880/saml/SSO"
    Destination="https://idp-core.dev.onegini.me/saml/single-sign-on" ForceAuthn="false"
    ID="aj57h20g9f1i87j53e6987hd3e46d9" IsPassive="false" IssueInstant="2019-08-14T10:36:58.479Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">spring:security:saml</saml2:Issuer>
    <saml2p:RequestedAuthnContext Comparison="exact">
        <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:com:onegini:saml:idp:apple</saml2:AuthnContextClassRef>
    </saml2p:RequestedAuthnContext>
</saml2p:AuthnRequest>

This flow requires additional configuration on both sides: the Onegini IDP (IDP) and the Service Provider (SP).

  • steps required on the IDP side
    • enter the admin panel -> Organisations
    • press the + button to add a new organisation
    • define the Name of the organisation and press Save
    • enter the created organisation by pressing its name
    • go to the Service Providers tab
    • press the + button to add a new service provider
    • create the new service provider by defining its data

  Field    | Value                     | Description
  Type     | SAML                      | Type of the service provider. As we want to test the SAML flow, select SAML
  Name     | Apple ID service provider | A name which identifies the service provider
  Metadata | <md:EntityDescriptor ...  | Service provider's metadata

Mobile flow

The mobile flow allows Sign in with Apple to be used with Onegini IDP when authentication is initiated by the Onegini Mobile SDK.

Mobile flow consists of three components:

  • Onegini IDP
  • Onegini Mobile SDK
  • Onegini Token Server

Configuration of the Onegini Mobile SDK and the Onegini Token Server is described in the documentation of those components. This guide covers only the Onegini IDP part.

There are two steps required to complete mobile authentication.

  • Mobile authentication is triggered from the Onegini Mobile SDK, which inserts the authorization code and optionally the user data into Onegini IDP via the Storage API. The data is inserted as a JSON string containing two fields, code and user.

Example body used for Storage API:

{
    "value": "{ \"code\": \"c0c678d4746b9441d9475e06950709666.0.nryrz.A-0dKXCFK_-DmSBlhwaj0w\", \"user\": \"{\\\"name\\\":{\\\"firstName\\\":\\\"Andrzej\\\",\\\"lastName\\\":\\\"Nowak\\\"},\\\"email\\\":\\\"test.email@test.com\\\"}\" }"
}

  • Continue with the SAML flow. The AuthnRequest should contain RequestedAuthnContext set to urn:com:onegini:saml:idp:apple and CustomParameters containing an entry with key auth_ref and a value equal to the key returned in the Storage API response from the step above.

Example AuthnRequest

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest AssertionConsumerServiceURL="http://s4-1.dev.onegini.me:8880/saml/SSO"
    Destination="https://idp-core.dev.onegini.me:8080/saml/single-sign-on" ForceAuthn="false"
    ID="a99eai3c048040h52633h9h2619dgi" IsPassive="false" IssueInstant="2019-08-14T10:36:44.609Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">spring:security:saml</saml2:Issuer>
    <md:Extensions xmlns:md="urn:oasis:names:tc:SAML:2.0:protocol">
        <oneginicp:CustomParameters xmlns:oneginicp="urn:com:onegini:saml:CustomParameters">
            <oneginicp:CustomParameter Key="auth_ref">
                <oneginicp:Value>kv-store-identifier</oneginicp:Value>
            </oneginicp:CustomParameter>
        </oneginicp:CustomParameters>
    </md:Extensions>
    <saml2p:RequestedAuthnContext Comparison="exact">
        <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:com:onegini:saml:idp:apple</saml2:AuthnContextClassRef>
    </saml2p:RequestedAuthnContext>
</saml2p:AuthnRequest>
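The following Go parser is added here as an example and is not code from Onegini IDP. It extracts from an AuthnRequest the two things that route a request to Sign in with Apple in the SAML and mobile flows described above, the AuthnContextClassRef and the auth_ref custom parameter, and distinguishes the web SAML flow (no auth_ref) from the mobile flow. The embedded sample request is constructed from the mobile-flow example.

```go
package main

import "encoding/xml"

// AuthnRequest maps the parts of a SAML AuthnRequest that select Sign in with Apple in Onegini IDP.
// Fields match by local name only, so the namespace prefixes used by the sender do not matter.
type AuthnRequest struct {
	XMLName  xml.Name `xml:"AuthnRequest"`
	Issuer   string   `xml:"Issuer"`
	ClassRef string   `xml:"RequestedAuthnContext>AuthnContextClassRef"`
	Params   []struct {
		Key   string `xml:"Key,attr"`
		Value string `xml:"Value"`
	} `xml:"Extensions>CustomParameters>CustomParameter"`
}

const appleClassRef = "urn:com:onegini:saml:idp:apple"

// AppleAuthRef reports whether the request asks for the Apple identity provider and, in the
// mobile flow, which Storage API key it carries in the auth_ref custom parameter.
// An Apple request without auth_ref is the plain SAML (web) flow, so authRef is "".
func AppleAuthRef(doc []byte) (isApple bool, authRef string, err error) {
	var req AuthnRequest
	if err := xml.Unmarshal(doc, &req); err != nil {
		return false, "", err
	}
	if req.ClassRef != appleClassRef {
		return false, "", nil
	}
	for _, p := range req.Params {
		if p.Key == "auth_ref" {
			return true, p.Value, nil
		}
	}
	return true, "", nil
}

// mobileRequest is a constructed sample modelled on the mobile-flow AuthnRequest shown above.
const mobileRequest = `<saml2p:AuthnRequest ID="a99eai3c048040h52633h9h2619dgi" Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">spring:security:saml</saml2:Issuer>
  <md:Extensions xmlns:md="urn:oasis:names:tc:SAML:2.0:protocol">
    <oneginicp:CustomParameters xmlns:oneginicp="urn:com:onegini:saml:CustomParameters">
      <oneginicp:CustomParameter Key="auth_ref"><oneginicp:Value>kv-store-identifier</oneginicp:Value></oneginicp:CustomParameter>
    </oneginicp:CustomParameters>
  </md:Extensions>
  <saml2p:RequestedAuthnContext Comparison="exact">
    <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:com:onegini:saml:idp:apple</saml2:AuthnContextClassRef>
  </saml2p:RequestedAuthnContext>
</saml2p:AuthnRequest>`
```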