Use federated authentication with your identity provider in Apple Business Manager
In Apple Business Manager, you can link to your identity provider (IdP) so that users sign in to Apple devices with their IdP username and password. Their IdP credentials become their Managed Apple IDs, which they can then use to sign in to their assigned iPhone, iPad or Mac, and to iCloud on the web.
This process involves four main steps:
1. Verify a domain
2. Sign in to your IdP and create a new OpenID Connect (OIDC) app or connection
3. Configure and test the app or connection
4. Enable federated authentication
Before you begin
Before you begin, decide whether you plan to sync users from your IdP using SCIM or whether you plan to use federated authentication only. If you plan to sync using SCIM, do not turn on federated authentication until the SCIM connection has completed successfully.
For federated authentication only, have the following information:
Sign-in method: Use OpenID Connect (OIDC).
Scope access: Access must be granted to ssf.manage and ssf.read.
Shared Signals Framework (SSF) configuration URL: Consult your IdP’s documentation.
OpenID configuration URL: Consult your IdP’s documentation.
Step 1: Verify a domain
Before you can view your IdP users with Apple Business Manager, you must add and verify the domain you want to use. You add and verify domains in Apple Business Manager.
See Link to new domains.
Note: The verification process confirms that your organisation is the one with authority to modify the Domain Name System (DNS) records for your domain. For example, to use betterbag.com as your domain, you add a specific TXT record to the zone file on your domain’s name server within 14 calendar days of beginning the verification process (which starts when you select the Verify button).
Step 2: Create a new OIDC app or connection
To connect to Apple Business Manager, your IdP must have (or you must create) an app that contains specific settings linking it to Apple Business Manager. Because each IdP has its own method for creating an app and its own place for these settings, consult your IdP’s documentation on how to complete this process.
Sign in to your IdP as an administrator, then do one of the following:
Locate the Apple Business Manager app your IdP already provides. If one exists, you may be able to skip several steps in this task.
Navigate to where you can create an app or connection.
Create the app or connection with the following information:
Apple Business Manager: AppleBusinessManagerOIDC.
Sign-in method: OpenID Connect (OIDC).
App type: Web app.
Grant type: Refresh token.
Sign-in redirect URI: https://gsa-ws.apple.com/grandslam/GsService2/acs.
Access: Allow specific users.
Scope access: Access must be granted to ssf.manage and ssf.read.
Save the changes.
In Step 3 you paste certain values from the IdP into Apple Business Manager. This next task is to copy those values to a text or spreadsheet file.
Open a new text file or spreadsheet, then enter the following values from the IdP:
The OIDC client ID.
The OIDC client secret.
Save the file to a secure location. The client secret is a credential that authenticates the app to your IdP, so protect the file as you would any other password and delete it once the values have been pasted into Apple Business Manager.
Step 3: Configure and test the connection
In Apple Business Manager, sign in as a user that has the role of Administrator or People Manager.
Select your name at the bottom of the sidebar, select Preferences, then select Accounts.
Next to Federated Authentication, select Edit, select Custom Identity Provider, then select Connect.
Enter a name for your federated authentication connection.
You can use up to 128 characters.
Copy the client ID and client secret values into Apple Business Manager from the text file or spreadsheet you saved in the previous section.
Contact your IdP to get URLs for the following two configurations:
Shared Signals Framework (SSF)
OpenID
Select Continue.
If all the values you provided were valid, you are presented with the login page of your IdP.
Sign in with the username and password of an IdP administrator.
Select Done.
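Before pasting the collected values into Apple Business Manager, it is worth checking them offline. The following Python script is an added example, not Apple’s tooling or part of this guide: it checks that the redirect URI matches exactly, that the OpenID configuration document advertises the endpoints, the code response type and the refresh-token grant the connection relies on, that its issuer matches the URL it is served from (as OpenID Connect Discovery requires), and that the SSF configuration document carries the transmitter metadata fields defined by the Shared Signals Framework specification. The two metadata documents and the idp.example.com hostname are constructed placeholders, the SSF field names are taken from the SSF specification rather than from this page, and fetch_json is a helper for pulling live documents over HTTPS.

```python
"""Offline pre-flight checks for an Apple Business Manager OIDC connection.

Added example, not Apple's code. The sample documents and the
idp.example.com hostname are constructed placeholders, not a real IdP.
"""
import json
import urllib.parse
import urllib.request

# Redirect URI Apple Business Manager uses; the IdP must register it exactly.
ABM_REDIRECT_URI = "https://gsa-ws.apple.com/grandslam/GsService2/acs"
REQUIRED_SCOPES = {"ssf.manage", "ssf.read"}

# Fields the connection depends on, from OpenID Connect Discovery 1.0.
OIDC_REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
# Transmitter metadata fields from the Shared Signals Framework spec (assumed names).
SSF_REQUIRED = ("issuer", "jwks_uri", "delivery_methods_supported", "configuration_endpoint")


def fetch_json(url: str) -> dict:
    """Fetch a live metadata document; refuses anything that is not HTTPS."""
    if urllib.parse.urlparse(url).scheme != "https":
        raise ValueError(f"refusing non-HTTPS metadata URL: {url}")
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def check_redirect_uri(configured: str) -> list[str]:
    """Return problems with the redirect URI registered at the IdP (empty = OK)."""
    if configured != ABM_REDIRECT_URI:
        return [f"redirect URI must be exactly {ABM_REDIRECT_URI!r}, got {configured!r}"]
    return []


def check_oidc_metadata(config_url: str, meta: dict) -> list[str]:
    """Validate an OpenID configuration document for the ABM connection."""
    problems = [f"OIDC metadata missing {k!r}" for k in OIDC_REQUIRED if k not in meta]
    # Discovery 1.0 serves the document at issuer + /.well-known/openid-configuration,
    # so a mismatch means the URL points at the wrong tenant or a misconfigured IdP.
    expected_issuer = config_url.removesuffix("/.well-known/openid-configuration").rstrip("/")
    if "issuer" in meta and meta["issuer"].rstrip("/") != expected_issuer:
        problems.append(f"issuer {meta['issuer']!r} does not match config URL {config_url!r}")
    for key in OIDC_REQUIRED:
        if key in meta and not str(meta[key]).startswith("https://"):
            problems.append(f"{key} is not https: {meta[key]!r}")
    # The app is created with the refresh-token grant, so the IdP must advertise it.
    # Discovery 1.0 defaults grant_types_supported to authorization_code + implicit.
    grants = meta.get("grant_types_supported", ["authorization_code", "implicit"])
    if "refresh_token" not in grants:
        problems.append("IdP does not advertise the refresh_token grant")
    if "code" not in meta.get("response_types_supported", []):
        problems.append("IdP does not advertise response_type=code")
    # scopes_supported is optional; only flag the SSF scopes if the IdP publishes
    # the list and leaves them out.
    if "scopes_supported" in meta:
        missing = REQUIRED_SCOPES - set(meta["scopes_supported"])
        if missing:
            problems.append(f"scopes not advertised by IdP: {sorted(missing)}")
    return problems


def check_ssf_metadata(meta: dict) -> list[str]:
    """Validate an SSF transmitter configuration document."""
    problems = [f"SSF metadata missing {k!r}" for k in SSF_REQUIRED if k not in meta]
    for key in ("issuer", "jwks_uri", "configuration_endpoint"):
        if key in meta and not str(meta[key]).startswith("https://"):
            problems.append(f"SSF {key} is not https: {meta[key]!r}")
    if not meta.get("delivery_methods_supported"):
        problems.append("SSF transmitter advertises no delivery methods")
    return problems


def preflight(redirect_uri: str, oidc_url: str, oidc_meta: dict, ssf_meta: dict) -> list[str]:
    """Run every check and return the combined list of problems (empty = ready to paste)."""
    return (check_redirect_uri(redirect_uri)
            + check_oidc_metadata(oidc_url, oidc_meta)
            + check_ssf_metadata(ssf_meta))


# Constructed sample documents for a placeholder IdP tenant.
SAMPLE_OIDC_URL = "https://idp.example.com/.well-known/openid-configuration"
SAMPLE_OIDC = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
    "response_types_supported": ["code"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "scopes_supported": ["openid", "profile", "email", "ssf.manage", "ssf.read"],
}
SAMPLE_SSF = {
    "issuer": "https://idp.example.com",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
    "delivery_methods_supported": ["urn:ietf:rfc:8935"],
    "configuration_endpoint": "https://idp.example.com/ssf/streams",
}

if __name__ == "__main__":
    for line in preflight(ABM_REDIRECT_URI, SAMPLE_OIDC_URL, SAMPLE_OIDC, SAMPLE_SSF) or ["all checks passed"]:
        print(line)
```

To check a live tenant, replace the sample dictionaries with fetch_json(your OpenID configuration URL) and fetch_json(your SSF configuration URL); an empty result from preflight means the values are consistent, while a trailing slash on the redirect URI or a discovery URL from a different tenant shows up as an explicit problem instead of a failed Continue in Apple Business Manager.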
Step 4: Enable federated authentication
In Apple Business Manager, sign in as a user that has the role of Administrator or People Manager.
Select your name at the bottom of the sidebar, select Preferences, then select Accounts.
Select Edit in the Domains section, then select Federate next to the domain you want to federate with your IdP.
Wait for the process to complete.