Sign in with Apple Identity Provider¶

Sign In with Apple makes it easy for users to sign in to your apps and websites using their Apple ID. Onegini IdP provides integration with it and allows to easily login using Apple ID with mobile or web.

Prerequisites¶

To successfully complete this topic guide you need to ensure following prerequisites:

Onegini IdP instance must to be running, for the sake of this guide we assume it's available under https://idp-core.dev.onegini.me address
Sign in with Apple application is registered within Apple environment (please read configuration section for information what data is required)

Configuration¶

Configuration of the Sign in with Apple needs to be started by enabling it within Apple Developer account. Please rely on Apple documentation for more details.

When configuring SignIn with Apple in Apple's Developer Portal you will face a requirement to verify the domain on which relaying party's application (so the Onegini IdP) is running. Please provide domain name on which the Onegini IdP is running in the first field, eg. idp-core.dev.onegini.me. The other field is the return url where you should enter https://idp-core.dev.onegini.me/auth/appleid/callback. Domain verification should be continued after completing the configuration in the Onegini IdP.

Note

Please note that Apple requires the domain verification file to be available over HTTPS protocol.

Add signing certificate¶

It is required to sign and encrypt client_secret which is a JSON object that contains a header and payload.

go to the admin panel -> System -> Certificates
press + button to add a new key
fill in data required for the configuration:

Field	Example	Description
Name	Apple ID	Name of the key pair
Type	Other	The type of the key pair has to be `Other`
Private key	file containing private key	Private key used to sign `client_secret` downloaded from the Apple developer account
Public key		Leave the public key field empty as there is no public key for sign in with Apple

add key pair by pressing Save button

Please note that currently for Sign in with Apple it is required to use private key in PKCS8 format.

Add identity provider¶

go to the admin panel -> Configuration -> Identity Providers
press + button to add new identity provider
select Sign In with Apple form the list of available identity providers
fill in data required for the configuration

Field	Example	Description	Required
Name	Sign In with Apple	Name of the identity provider	yes
Authentication level	1	Authentication level to which account is set after being authenticated with this identity provider	yes
Enabled	checked	Gives possiblity to disable / enable identity provider	yes
Migration during sign up	checked	Allows to use migration sign up for this identity provider	yes
Client ID	my-client-id	Service ID defined in Apple Developer account	yes
Team ID	33AG3D7HGK	The issuer registered claim key, which has the value of your 10-character Team ID, obtained from Apple Developer account	yes
Key ID	ABM8GA3H44	A 10-character key identifier obtained from Apple Developer account	yes
JWKS URI	https://appleid.apple.com/auth/keys	URI to fetch Apple's public key for verifying token signature	yes
Signing key	Sign in with Apple	Private key used to sign id_token. Select key added in Add signing certificate section.	yes
Domain verification	-	Upload file used to verify the Onegini IdP domain.	yes
Scopes	email, name	The amount of user information requested from Apple. Allowed values are `email` and `name`	no

add identity provider by pressing Save button

Sign in with Apple can be used in few flows depending on the requirements.

Web flow¶

Web flow is a way of authenticating by entering login page in Onegini IdP which is https://idp-core.dev.onegini.me. After entering the login page please press the Sign in with Apple button. You will be redirected to Apple ID page where credential needs to be provided and consent given. After providing valid data you will be redirected to the Onegini IdP dashboard.

Saml flow¶

You can use Sign in with Apple in Saml flow. To trigger Sign in with Apple authentication within Saml flow in your SAML authentication request please send AuthnRequest which contains RequestedAuthnContext set to urn:com:onegini:saml:idp:apple``AuthnRequest which contains RequestedAuthnContext set to urn:com:onegini:saml:idp:apple.

Example AuthnRequest:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest AssertionConsumerServiceURL="http://s4-1.dev.onegini.me:8880/saml/SSO"
    Destination="https://idp-core.dev.onegini.me/saml/single-sign-on" ForceAuthn="false"
    ID="aj57h20g9f1i87j53e6987hd3e46d9" IsPassive="false" IssueInstant="2019-08-14T10:36:58.479Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">spring:security:saml</saml2:Issuer>
    <saml2p:RequestedAuthnContext Comparison="exact">
        <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:com:onegini:saml:idp:apple</saml2:AuthnContextClassRef>
    </saml2p:RequestedAuthnContext>
</saml2p:AuthnRequest>

This flow requires additional configuration on both sides - Onegini IdP (IDP) and Service provider (SP).

steps required on IDP side

enter admin panel -> Organisations
press + button to add new organisation
define Name of the organisation and press Save
enter created organisation by pressing on it's name
go to Service Providers tab
press + button to add new service provider

create new service provider by defining its data:

Field	Value	Description
Type	SAML	Type of the service provider. As we want to test saml flow please select SAML
Name	Apple ID service provider	Give a neme which identifies service provider
Metadata	<md:EntityDescriptor ...	Service provider's metadata

steps required on SP side
- IDP metadata which needs to be provided to SP. It can be found in https://idp-core.dev.onegini.me/saml/metadata.

Mobile flow¶

Allows to use Sign in with Apple with Onegini IdP which is initiated by Onegini Mobile SDK.

Mobile flow consists of three components:

Onegini IdP
Onegini Mobile SDK
Onegini Token Server

Configuration of Onegini Mobile SDK and Onegini Token Server is described in documentation for these components. This documentation covers only Onegini IdP part.

There are two steps required to complete mobile authentication. * Mobile authentication is triggered from Onegini Mobile SDK where id_token, client_id and optionally user is inserted to Onegini IdP via Storage API. This data should be inserted as json containing at least two fields id_token and client_id saved as string.

Example body used for Storage API:

{
    "value": "{ \"id_token\": \"c0c678d4746b9441d9475e06950709666.0.nryrz.A-0dKXCFK_-DmSBlhwaj0w\", \"client_id\": \"com.onegini.idp-local-development\", \"user\": \"{\"name\":{\"firstName\":\"Andrzej\",\"lastName\":\"Nowak\"},\"email\":\"[email protected]\"}\" }"
}

Continue with Saml flow. AuthnRequest should contain RequestedAuthnContext set to urn:com:onegini:saml:idp:apple and CustomParameters that contains entry with key auth_ref and value equal to key obtained from Storage API response from step above