# Add Apple login

You can add Apple login to your applications using Asgardeo and enable users to log in with their Apple IDs.

Follow this guide for instructions.

# Register Asgardeo on Apple

Before you begin

You need a paid subscription to get access to an Apple developer account.

To register Asgardeo on Apple, you need to create the following components on Apple's Developer Portal:

Step 1: Register an App ID

To register an App ID:

  1. On the Apple Developer portal, go to Program resources > Certificates, Identifiers & Profiles > Identifiers.
  2. Click + to register an App ID.
  3. Select App IDs and click Continue.
  4. Select App as the type and click Continue.
  5. Enter the values for the following parameters.

    | Parameter | Definition |
    |---|---|
    | Description | A description for the services ID. |
    | Bundle ID | A unique identifier for the application. It is usually a string of characters in reverse domain name notation. Example: io.asgardeo.myorg |

  6. Under the Capabilities tab, select Sign in with Apple.
  7. Click Continue and then click Register.

Step 2: Register a Services ID

To register a services ID:

  1. On the Apple Developer portal, go to Program resources > Certificates, Identifiers & Profiles > Identifiers.
  2. Click + and select Services IDs and click Continue.
  3. Enter values for the following parameters:

    | Parameter | Definition |
    |---|---|
    | Description | A description for the services ID. |
    | Identifier | A unique identifier for the application. It is usually a string of characters in reverse domain name notation. This value is considered the client ID of the application. Example: io.asgardeo.myorg |

  4. Click Continue and then click Register.
  5. Go back to the Identifiers section and click on the Services ID you created.
  6. Enable Sign in with Apple and click Configure.
  7. Under Web Authentication Configuration, select the App ID you created as the Primary App ID.
  8. Enter the following values under Register Website URLs.

    | Parameter | Value |
    |---|---|
    | Domain | api.asgardeo.io |
    | Return URL | https://api.asgardeo.io/t/{organization_name}/commonauth |

  9. Click Continue and then click Save.

Step 3: Register a new key

To register a new key:

  1. On the Apple Developer portal, go to Program resources > Certificates, Identifiers & Profiles > Keys.
  2. Click + to register a new key.
  3. Enter a name for the key, enable Sign in with Apple, and click Configure.
  4. Under Configure Keys, select the App ID you created previously and click Save. Then click Continue.
  5. Click Register.

    You will now see that your app's Private key is ready to be downloaded. Download and save it securely, as you cannot download it again. Also, take note of the Key ID that is displayed on this page.

  6. Click Done.

Note down the Team ID displayed in the top right corner under your name.

You can follow the Apple documentation for detailed instructions.

A client secret is required to integrate the Apple application with Asgardeo. Usually, the external IdP generates a client secret, but in this scenario, Apple expects Asgardeo to generate the client secret.

# Register the Apple IdP

Now, let's register the Apple IdP in Asgardeo.

  1. On the Asgardeo Console, go to Connections.

  2. Click New Connections and select Apple.

  3. Enter the following details of the Apple identity provider and click Finish:

    | Parameter | Description |
    |---|---|
    | Name | A unique name for this Apple identity provider. |
    | Services ID | The services ID obtained from Apple. |
    | Team ID | Apple developer team ID obtained from Apple. |
    | Key ID | Key identifier of the private key generated for the app. |
    | Private Key | Private key generated for the app. |

Claim syncing for JIT-provisioned users

JIT user provisioning is enabled by default for your external identity provider. If required, you can disable JIT user provisioning.

When a user with a local Asgardeo account uses the same email address to log in through an external identity provider, Asgardeo syncs the claims from the JIT-provisioned user account and the local account.

According to the default behavior of Asgardeo, when JIT user provisioning is enabled, the user claims of the local user account are overridden by the user claims received from the external identity provider.

You can use Asgardeo's identity provider APIs to configure claim syncing between the external identity provider and the local user accounts. This gives you the flexibility to customize the claim syncing behavior according to your specific requirements.

After creating the Apple identity provider, go to the Settings tab to see the list of scopes for which Apple has granted permissions.

  • email: Allows viewing the user's email address.
  • name: Allows viewing the user's name fields.

Asgardeo needs these scopes to get user information. Asgardeo checks the attribute configurations of the application and sends the relevant attributes received from Apple to the app. You can read the Apple documentation to learn more.

Update the client secret validity period

Asgardeo generates a client secret for the IdP. This client secret has the default maximum validity period of six months.

If you wish to reduce the validity period:

  1. On the Asgardeo Console, go to Connections.
  2. Click Setup on your Apple IdP.
  3. On the Settings tab, update the value of the Client Secret Validity Period.
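
The page does not show how Asgardeo builds that client secret, so here is an added example (not Asgardeo's or Apple's code) of how a Sign in with Apple client secret is assembled from the values noted above: an ES256 JWT signed with the downloaded private key, whose issuer is the Team ID, subject is the Services ID and key identifier is the Key ID, with the lifetime capped at the six-month maximum. The P-256 key is generated in place as a stand-in for the .p8 file from the Apple portal, and the audience value, the ES256 algorithm and the 15777000-second ceiling are Apple's documented requirements rather than values taken from this page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Apple's documented ceiling for the exp claim: 15777000 s, the six-month maximum the page cites.
const MaxSecretLifetime int64 = 15777000

// NewSigningKey generates a P-256 key in place, standing in for the .p8 key downloaded from Apple.
func NewSigningKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}

// AppleClientSecret builds the JWT Apple accepts as a client secret: header {alg: ES256, kid: Key ID},
// claims iss = Team ID, sub = Services ID, aud = Apple's ID server, exp at most six months after iat.
func AppleClientSecret(key *ecdsa.PrivateKey, teamID, servicesID, keyID string, iat, lifetime int64) (string, error) {
	if lifetime <= 0 || lifetime > MaxSecretLifetime {
		return "", errors.New("validity period must be between 1 second and six months")
	}
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": keyID})
	claims, _ := json.Marshal(map[string]interface{}{"iss": teamID, "sub": servicesID,
		"aud": "https://appleid.apple.com", "iat": iat, "exp": iat + lifetime})
	enc := base64.RawURLEncoding // JWS segments are base64url without padding
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	// JWS ES256 carries the raw r||s pair (32 bytes each), not a DER-encoded sequence.
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + enc.EncodeToString(sig), nil
}

func main() {
	// Constructed IDs; in practice these come from the Apple Developer portal.
	tok, err := AppleClientSecret(NewSigningKey(), "TEAMID0000", "io.asgardeo.myorg", "KEYID00000", 1700000000, 3600)
	fmt.Println(tok, err)
}
```

Reducing the validity period in the Asgardeo console simply shortens the exp claim; a secret past its exp is rejected by Apple's token endpoint, so a rotation schedule must stay inside whatever period you configure.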

# Enable Apple login

Before you begin

You need to register an application with Asgardeo. You can register your own application or use one of the sample applications provided.

  1. On the Asgardeo Console, go to Applications.

  2. Select your application, go to its Login Flow tab and add Apple login from your preferred editor:

    Recommendations

    Asgardeo recommends adding your social and enterprise connections to the first authentication step as they are used for identifying the user.

    Using the Classic Editor

    To add Apple login using the classic editor:

    1. If you haven't already defined a sign-in flow, click Start with Default configuration to get started.

    2. Click Add Authentication on the step, select your Apple identity provider, and click Add.

    Using the Visual Editor

    To add Apple login using the Visual Editor:

    1. Switch to the Visual Editor tab. By default, the Username & Password login flow is added to the Visual Editor's workspace.

    2. Click on + Add Sign In Option to add a new authenticator to the same step and select your Apple connection.

  3. Click Update to save your changes.

# Try it out

Follow the steps given below.

  1. Access the application URL.

  2. Click Login to open the Asgardeo login page.

  3. On the Asgardeo login page, click Sign in with Apple.

  4. Log in to Apple with an existing Apple ID.

When a user successfully logs in with Apple for the first time,

  • Apple will prompt you to create an account for the Apple IdP application.
  • A user account is created in the Asgardeo Console with the Apple username. Apple will manage this new user account.

# Delete a connection

Before you begin

If your connection has applications associated with it, you will not be able to delete the connection.

Before deleting such connections:

  1. Check the associated applications from the Connected Apps tab of the connection.
  2. Click on an application that uses the connection and you will be redirected to the Sign-in Method tab of the respective application.
  3. Remove the connection from the sign-in flow of the associated applications.
  4. Repeat steps 2 and 3 for all listed applications.
  5. Proceed to delete the connection.

To delete a connection that does not have any applications using it:

  1. On the Asgardeo Console, go to Connections.

  2. Click Set up and navigate to the General tab.

  3. At the bottom of the page, click the button in the Delete connection section.

    You cannot delete connections that are available by default.

  4. Select the checkbox and confirm your action.