If Apple is specified as the external identity provider, a subset of Apple provider attributes can be used as the mapping attribute placeholder value.

The placeholder value must use the following syntax:

${providerAttributes.<Apple attribute name>}

When you create a new Apple identity provider entity, the POST request automatically maps the PingOne username attribute to the Apple sub attribute. The username attribute is the core mapping attribute; the default Apple attribute value is sub. It is also recommended that you map the PingOne email attribute to the Apple email attribute.

The request body for the email-to-email mapping looks like this, with the value attribute showing the Apple email attribute expressed using the placeholder syntax:

{
    "name": "email",
    "update": "EMPTY_ONLY",
    "value": "${providerAttributes.email}"
}

The POST /environments/{environmentId}/identityProviders operation adds a new identity provider resource to the specified environment.

When the type property value is set to APPLE, Apple’s clientId and clientSecret property values are required in the request body. The request also requires a clientSecretSigningKey, which is a PKCS #8 private key in the PEM base64-encoded format obtained from your Apple client developer account. It is used to generate a client secret. The request also requires a teamId, which is a ten-character Team ID value obtained from your Apple client developer account, and a keyId, which is a ten-character Key ID obtained from your Apple client developer account.

Apple identity provider settings data model

| Property | Description |
| --- | --- |
| clientId | A string that specifies the application ID from Apple. This is the identifier obtained after registering a services ID in the Apple developer portal. This is a required property. |
| clientSecretSigningKey | A string that specifies the private key that is used to generate a client secret. This is a required property. |
| keyId | A 10-character string that Apple uses to identify an authentication key. This is a required property. |
| teamId | A 10-character string that Apple uses to identify teams. This is a required property. |

Apple core attributes

| Property | Description |
| --- | --- |
| sub | A string that specifies the core Apple attribute. The default value is ${providerAttributes.sub} and the default update value is EMPTY_ONLY. |

Apple provider attributes

| Permission | Provider attributes |
| --- | --- |
| name | Options are: sub, iss, iat, expt, aud, nonce, nonce_supported |
| email | Options are: email, email_verified |
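
An added example, not part of the PingOne documentation: a pre-flight check in Python that validates the four Apple settings and the mapping placeholder syntax described above before they go into the POST request body, and masks the signing key before anything is logged. The function names, the sample identifiers and the filler PEM body are assumptions made for illustration.

```python
import base64
import re

# Provider attributes exactly as listed on this page (name and email permissions).
APPLE_ATTRS = {"sub", "iss", "iat", "expt", "aud", "nonce", "nonce_supported",
               "email", "email_verified"}
PLACEHOLDER = re.compile(r"\$\{providerAttributes\.([A-Za-z_]+)\}")
PEM = re.compile(r"-----BEGIN PRIVATE KEY-----\s+([A-Za-z0-9+/=\s]+?)\s*"
                 r"-----END PRIVATE KEY-----")


def check_mapping(mapping):
    """Return the Apple attribute a mapping reads, or raise ValueError."""
    m = PLACEHOLDER.fullmatch(mapping.get("value", ""))
    if not m:
        raise ValueError("value must be ${providerAttributes.<Apple attribute name>}")
    if m.group(1) not in APPLE_ATTRS:
        raise ValueError(f"unknown Apple provider attribute: {m.group(1)}")
    return m.group(1)


def build_apple_idp(client_id, team_id, key_id, signing_key_pem):
    """Validate the Apple settings and return the Apple-specific body fields."""
    if not client_id:
        raise ValueError("clientId is required")
    for label, value in (("teamId", team_id), ("keyId", key_id)):
        if len(value) != 10:
            raise ValueError(f"{label} must be a ten-character value")
    pem = PEM.fullmatch(signing_key_pem.strip())
    if not pem:
        # Rejects other armor such as "BEGIN EC PRIVATE KEY" (not PKCS #8).
        raise ValueError("clientSecretSigningKey must be PKCS #8 PEM")
    # Raises binascii.Error (a ValueError) if the PEM body is not valid base64.
    base64.b64decode("".join(pem.group(1).split()), validate=True)
    return {"type": "APPLE", "clientId": client_id, "teamId": team_id,
            "keyId": key_id, "clientSecretSigningKey": signing_key_pem}


def redact(body):
    """Copy of the body that is safe to log: the signing key is masked."""
    return {**body, "clientSecretSigningKey": "<redacted>"}


# Constructed sample input: the PEM body is filler, not a usable key.
SAMPLE_PEM = ("-----BEGIN PRIVATE KEY-----\n"
              + base64.b64encode(b"constructed sample, not a key").decode()
              + "\n-----END PRIVATE KEY-----\n")
```

The PEM check only confirms the PKCS #8 armor and base64 encoding; it does not parse the key itself.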