
Intro to federated authentication with Apple School Manager
You can use federated authentication to link Apple School Manager to the following:
Google Workspace
Microsoft Entra ID Open ID Connect (OIDC)
Any identity provider (IdP) using OIDC or System for Cross-domain Identity Management (SCIM)
Note: You can link to Google Workspace, Microsoft Entra ID, or your IdP, but only one at a time.
As a result, users can then sign in to their assigned iPhone, iPad, Mac, Apple Vision Pro, and to Shared iPad using their existing user name (generally their email address) and password. After they’ve signed in on one of those devices, they can then also sign in to iCloud on the web on a Mac (iCloud for Windows doesn’t support Managed Apple Accounts).
Important: When the connection has expired, federation and syncing user accounts stops. You need to reconnect to continue using federated authentication and syncing.
There are specific instances where you might use federated authentication:
Federated authentication only
When Apple School Manager and Google Workspace, Microsoft Entra ID, or your IdP are linked, Managed Apple Accounts are automatically created for users. They can then sign in using their existing user name (generally their email address) and password.
See the following:
Federated authentication with directory syncing
You can also sync user accounts from Google Workspace, Microsoft Entra ID, or your IdP to Apple School Manager. When you set up a directory sync connection, you can add Apple School Manager properties (such as grade level and roles) to user account data imported from one of those services. The services’ user account information is added as read-only until you turn off syncing. At that time, the accounts become manual accounts, and attributes in these accounts can then be edited. If a user account is removed from one of those services, that user account can be removed from Apple School Manager. See the following:
Federated authentication with users from a Student Information System (SIS) or with .csv files uploaded using SFTP
If you’re integrating with a SIS or importing user accounts with SFTP, and you plan to use federated authentication:
Turn on and configure federated authentication first.
The user’s email address in the SIS needs to match the Google Workspace, Microsoft Entra ID, or IdP user name they already use to sign in.
You can then integrate your SIS or upload .csv files with the Secure File Transfer Protocol (SFTP). All information, such as classes and rosters, is matched against users from Google Workspace, Microsoft Entra ID, or your IdP. If a user account is removed from Google Workspace, Microsoft Entra ID, or your IdP, that user account needs to be deactivated in Apple School Manager by an account with privileges to change the status of users.
Federated authentication with Shared iPad
When you use federated authentication with Shared iPad, the sign-in process varies depending on whether the user account already exists in Apple School Manager. To view the sign-in scenarios, see Sign in to Shared iPad.
The default passcode policy is standard (8 or more letters and numbers) and can be changed. See Password policy scenarios.
If the user forgets their passcode, you need to reset the Shared iPad passcode.
Before you begin
Before you use federated authentication with Google Workspace, Microsoft Entra ID, or your IdP, consider the following:
Requirements
Apple devices need to meet the following minimum operating system requirements:
iOS 15.5
iPadOS 15.5
macOS 12.4
visionOS 1.1
You need to disconnect from your Student Information System (SIS) or stop uploads using SFTP.
You need to lock and turn on the domain capture process. See Lock a domain.
There are no Managed Apple Account conflicts. See Managed Apple Account conflicts.
User accounts with the role of Administrator, Site Manager, or People Manager can’t sign in using federated authentication; they can only manage the federation process.
When using federated authentication, the Default Managed Apple Account Format setting doesn’t apply.
IdP-specific requirements
When linking to Google Workspace:
Federated authentication needs to use the user’s email address as their user name. Aliases aren’t supported.
When linking to Microsoft Entra ID:
You need to use a user with the role of Entra ID Global Administrator to complete the Approve federated authentication task, below. After the connection is successful, you can change the role of the user from Global Administrator to another role with required privileges to maintain the connection. For more information, see Microsoft default roles that support domains, directory sync, and domain read.
Federated authentication with Microsoft Entra ID requires that a user’s userPrincipalName (UPN) match their email address. userPrincipalName aliases and Alternate IDs aren’t supported.
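Both the SIS matching rule above (roster email must equal the IdP sign-in name) and the Entra ID rule (userPrincipalName must equal the email address, aliases not supported) are easy to violate silently in a large directory. The following pre-flight check is an added example, not Apple’s or Microsoft’s tooling: it runs over a constructed IdP export and a constructed SIS roster (the field layout and the domain `example.edu` are assumptions) and reports the accounts that would fail to match once federation is turned on.

```python
"""Pre-federation identity check (added example, not Apple's own tooling).

Conditions checked, taken from the page's requirements:
  1. each IdP user's sign-in name (UPN) equals their primary email address;
  2. each SIS/SFTP roster email is exactly an IdP sign-in name, not an alias;
  3. informational: IdP users whose sign-in name is outside the federated domain.
"""
from dataclasses import dataclass, field

FEDERATED_DOMAIN = "example.edu"   # assumption: the domain locked and federated in ASM

# Constructed sample IdP export: (userPrincipalName, primary mail, alias addresses)
IDP_USERS = [
    ("alice@example.edu", "alice@example.edu", []),
    ("bob@example.edu", "robert.b@example.edu", ["bob@example.edu"]),   # UPN != mail
    ("carol@example.edu", "carol@example.edu", ["carol.s@example.edu"]),
    ("dave@partner.org", "dave@partner.org", []),                       # outside federated domain
]

# Constructed sample SIS roster: (student id, email address)
SIS_USERS = [
    ("1001", "alice@example.edu"),
    ("1002", "Bob@Example.edu"),       # case differs only; treated as a match
    ("1003", "carol.s@example.edu"),   # an alias, not the sign-in name: will not match
    ("1004", "erin@example.edu"),      # no IdP account at all
]


@dataclass
class Report:
    upn_mail_mismatch: list = field(default_factory=list)   # rule 1 violations
    sis_unmatched: list = field(default_factory=list)       # rule 2: no IdP account
    sis_alias_only: list = field(default_factory=list)      # rule 2: alias instead of UPN
    outside_domain: list = field(default_factory=list)      # rule 3, for review only

    def ok(self) -> bool:
        """True when nothing blocks federation (rule 3 is informational)."""
        return not (self.upn_mail_mismatch or self.sis_unmatched or self.sis_alias_only)


def norm(addr: str) -> str:
    """Email addresses are compared case-insensitively and without padding."""
    return addr.strip().lower()


def domain_of(addr: str) -> str:
    return norm(addr).rsplit("@", 1)[-1]


def check(idp_users, sis_users, federated_domain: str = FEDERATED_DOMAIN) -> Report:
    report = Report()
    sign_in_names = set()
    alias_to_upn = {}
    for upn, mail, aliases in idp_users:
        u = norm(upn)
        sign_in_names.add(u)
        if u != norm(mail):
            report.upn_mail_mismatch.append(upn)
        if domain_of(u) != federated_domain:
            report.outside_domain.append(upn)
        # Any address that is not the UPN itself counts as an alias for rule 2.
        for extra in [mail, *aliases]:
            if norm(extra) != u:
                alias_to_upn[norm(extra)] = upn
    for student_id, email in sis_users:
        e = norm(email)
        if e in sign_in_names:
            continue
        if e in alias_to_upn:
            report.sis_alias_only.append((student_id, email, alias_to_upn[e]))
        else:
            report.sis_unmatched.append((student_id, email))
    return report


if __name__ == "__main__":
    r = check(IDP_USERS, SIS_USERS)
    print("UPN != mail:        ", r.upn_mail_mismatch)
    print("SIS alias only:     ", r.sis_alias_only)
    print("SIS no IdP account: ", r.sis_unmatched)
    print("Outside domain:     ", r.outside_domain)
    print("Ready to federate:  ", r.ok())
```

Run it against real exports by replacing the two constructed lists with rows from your IdP and SIS; every entry in `upn_mail_mismatch`, `sis_alias_only` and `sis_unmatched` should be resolved in the source system before the domain is locked, because after federation those users would either be unable to sign in or would not be matched to their classes and rosters.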
When linking to an IdP, you need to have the following information:
A verified domain you want to use. See Add and verify a domain.
Sign-in method: Use Open ID Connect (OIDC).
Scope access: Access needs to be granted to ssf.manage and ssf.read.
Shared Signals Framework (SSF) configuration URL: Consult your IdP’s documentation.
OpenID configuration URL: Consult your IdP’s documentation.
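Before the two URLs and the scope grant are entered into Apple School Manager, it is worth checking that the IdP actually advertises what the list above requires. The following is an added example, not Apple’s or any IdP’s code: it inspects a constructed OpenID configuration document (the issuer `idp.example.edu` and its endpoints are hypothetical) for the required endpoints, for the ssf.manage and ssf.read scopes named on this page, and for both URLs being served over HTTPS. In practice the document is fetched from the OpenID configuration URL your IdP documents.

```python
"""Sanity check of an IdP's OpenID configuration before federating
(added example; not Apple's or any IdP's code)."""
import json
from urllib.parse import urlparse

# Scope names taken from the page's "Scope access" requirement.
REQUIRED_SCOPES = {"ssf.manage", "ssf.read"}
# Core OpenID Connect discovery fields an OIDC sign-in flow depends on.
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample discovery document for a hypothetical issuer. It has two
# deliberate defects: ssf.manage is not advertised, and the SSF URL is plain http.
SAMPLE_OPENID_CONFIG = json.dumps({
    "issuer": "https://idp.example.edu",
    "authorization_endpoint": "https://idp.example.edu/oauth2/authorize",
    "token_endpoint": "https://idp.example.edu/oauth2/token",
    "jwks_uri": "https://idp.example.edu/oauth2/keys",
    "scopes_supported": ["openid", "profile", "email", "ssf.read"],
    "id_token_signing_alg_values_supported": ["RS256"],
})
SAMPLE_SSF_CONFIG_URL = "http://idp.example.edu/.well-known/ssf-configuration"


def _is_https(url: str) -> bool:
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)


def check_openid_config(doc_json: str, ssf_config_url: str) -> list:
    """Return a list of human-readable findings; an empty list means all checks passed."""
    findings = []
    doc = json.loads(doc_json)

    for key in REQUIRED_KEYS:
        if key not in doc:
            findings.append(f"missing {key}")
        elif not _is_https(doc[key]):
            findings.append(f"{key} is not an https URL")

    # scopes_supported is optional in OIDC discovery; if absent, the grant must be
    # confirmed in the IdP console rather than from the document.
    scopes = doc.get("scopes_supported")
    if scopes is None:
        findings.append("scopes_supported not advertised; confirm ssf.manage and ssf.read in the IdP console")
    else:
        for scope in sorted(REQUIRED_SCOPES - set(scopes)):
            findings.append(f"scopes_supported is missing {scope}")

    # Tokens signed with alg "none" carry no integrity; an IdP advertising it is a red flag.
    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        findings.append("IdP advertises id_token signing alg 'none'")

    if not _is_https(ssf_config_url):
        findings.append("SSF configuration URL is not an https URL")

    return findings


if __name__ == "__main__":
    for finding in check_openid_config(SAMPLE_OPENID_CONFIG, SAMPLE_SSF_CONFIG_URL):
        print("FINDING:", finding)
```

Every finding maps back to a line in the requirements list: a missing endpoint or a non-HTTPS URL means the OIDC sign-in method cannot be configured safely, and a missing ssf.* scope means the Shared Signals Framework connection will not have the access the page says must be granted.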
Automatic changes
For existing Apple School Manager users with an email address in the federated domain, their Managed Apple Account is automatically changed to match that email address.