Use federated authentication with your identity provider in Apple Business Manager
In Apple Business Manager, you can link to your identity provider (IdP) using federated authentication to allow users to sign in to Apple devices with their IdP user name (generally their email address) and password.
As a result, your users can leverage their IdP credentials as Managed Apple Accounts. They can then use those credentials to sign in to their assigned iPhone, iPad, or Mac, and even to iCloud on the web.
Before you begin
Before you link to your IdP, consider the following:
You must lock and turn on domain capture before you can federate. See Lock a domain.
Federated authentication should use the user’s email address as their user name. Aliases aren’t supported.
For existing users with an email address in the federated domain, their Managed Apple Account is automatically changed to match that email address.
Configure and verify the domain you want to use. See Add and verify a domain.
User accounts with the role of Administrator or People Manager can’t sign in using federated authentication; they can only manage the federation process.
When the IdP connection has expired, federation and syncing user accounts with your IdP stops. You must reconnect to your IdP to continue using federation and syncing.
For federated authentication, have the following information:
Sign-in method: Use Open ID Connect (OIDC).
Scope access: Access must be granted to
ssf.manage
andssf.read
.Shared Signals Framework (SSF) configuration URL: Consult your IdP’s documentation.
OpenID configuration URL: Consult your IdP’s documentation.
Federated authentication process
This process involves four main steps:
Add and verify a domain.
Create a new OIDC app or connection.
Configure federated authentication and test authentication with a single IdP user account.
Turn on federated authentication.
Step 1: Verify a domain
Before you can view your IdP user accounts with Apple Business Manager, you must add and verify the domain you want to use.
The verification process ensures that your organization is the one that has authority to modify the domain name service (DNS) records for your domain. For example, to use betterbag.com as your domain, you add a specific TXT record to your domain name server’s zone file within 14 calendar days of beginning the verification process (which begins when you select the Verify button).
Note: If you’re attempting to federate a domain you’ve already verified but another organization has already federated the identical domain, you must contact that organization to determine who has the authority to federate the domain. See Domain conflicts.
Step 2: Create a new OIDC app or connection
To connect to Apple Business Manager, your IdP must have or create an app, that contains specific settings to link to Apple Business Manager. Because each IdP has a different method for creating an app and a place where specific settings are located, consult your IdP’s documentation on how to complete this process.
Sign in to your IdP as an administrator, then do one of the following:
Locate the app created by your IdP. You may be able to skip several steps in this task.
Navigate to where you can create an app or connection.
Create the app or connection with the following information:
Apple Business Manager: AppleBusinessManagerOIDC.
Sign-in method: Open ID Connect (OIDC).
App type: Web app.
Grant type: Refresh token.
Sign-in redirects URI: https://gsa-ws.apple.com/grandslam/GsService2/acs.
Access: Allow specific user accounts.
Scope access: Access must be granted to
ssf.manage
andssf.read
.
Save the changes.
Later on this page, you must paste certain information in Apple Business Manager. This next task is to copy that information to a text or spreadsheet file.
Open a new text file or spreadsheet, then enter the following values from the IdP:
For the OIDC client ID, paste the OIDC client ID.
For the OIDC client secret, paste the OIDC client secret.
Save the file to a secure location.
Step 3: Configure federated authentication and test authentication with a single IdP user account
This step is to establish a trust relationship between your IdP and Apple Business Manager.
Note: After you complete this step, users can’t create new personal Apple Accounts on the domain you configure. This could affect other Apple services your users access. See Transfer Apple services to a Managed Apple Account.
In Apple Business Manager , sign in with a user that has the role of Administrator or People Manager.
Select your name at the bottom of the sidebar, select Preferences , select Managed Apple Accounts , then select Get Started under “User sign in and directory sync.”
Select Custom Identity Provider, then select Continue.
Enter a name for your federated authentication connection.
You can use up to 128 characters.
Copy the client ID and client secret values into Apple Business Manager from the text file or spreadsheet you saved in the previous section.
Contact your IdP to get URLs for the following two configurations:
Shared Signals Framework (SSF)
OpenID
Select Continue.
If all the values you provided were valid, you’re presented with the login page of your IdP. Proceed to step 8.
Sign in with an IdP administrator user name and password.
Select Done.
Step 4: Turn on federated authentication
In Apple Business Manager , sign in with a user that has the role of Administrator or People Manager.
Select your name at the bottom of the sidebar, select Preferences , then select Managed Apple Accounts .
In the Domains section, select Manage next to the domain you want to federate, then select “Turn on Sign in with your Identity Provider.”
Turn on “Sign in with your Identity Provider.”
If necessary, you can now sync user accounts to Apple Business Manager. See Sync user accounts from your identity provider.