
Sync user accounts from your identity provider in Apple Business Essentials
In Apple Business Essentials, you can use OpenID Connect (OIDC) or System for Cross-domain Identity Management (SCIM) to sync user accounts from your identity provider (IdP). Using this system, you merge Apple Business Essentials properties (such as roles) with user account data imported from your IdP. When you use SCIM to sync users, the account information is added as read-only until you disconnect. At that time, the accounts become manual accounts, and attributes in these accounts (such as user names) can then be edited. The initial sync takes longer to perform than subsequent cycles do. Consult your IdP’s documentation to learn how often they sync users to Apple Business Essentials.
Important: You have only 4 calendar days to complete the token transfer to your IdP and successfully establish a connection, or you need to begin the process again.
Sign in to your IdP
- Sign in to your IdP as an administrator, then do one of the following: - Locate the app created by your IdP. You may be able to skip several steps in this task. 
- Navigate to where you can create an app or connection. 
 
- Create the app with the following information: - Important: Remember the name of the SCIM app because you may need it for the authorization callback URL. - Apple Business Essentials: Use AppleBusinessEssentialsSCIM. 
- App type: Use SCIM. 
- Authentication method: Use SAML 2.0. 
- Single sign-on URL used for recipient and destination: Consult your IdP’s documentation. 
- Audience URI: Use Entity ID. 
 
- Save the changes. 
Configure the SCIM app provisioning settings
- Locate the provisioning section of your IdP SCIM app, then enter the following values: - SCIM connector base URL: https://federation.apple.com/feeds/business/scim 
- Access token URI: https://appleaccount.apple.com/auth/oauth2/v2/token 
- Authorization URI: https://appleaccount.apple.com/auth/oauth2/v2/authorize 
- Client ID: 123 
- Client secret: 123 - Important: Because you don’t yet know the actual SCIM Client ID and Client secret, 123 is used as a placeholder. You replace these values in a later task. 
- Authentication mode: OAuth 2. 
- Unique identifier field for users: Consult your IdP’s documentation. - Important: Make sure you match the case of the identifier. 
- Supported provisioning actions: - Import new users and profile updates. 
- Push new users. 
- Push profile updates. 
 
 
- Save the changes. 
Create the authorization callback URL
You need to create an authorized callback URL for Apple Business Essentials to get user records from your IdP using SCIM. This callback URL is based on the name of the SCIM app you created in your IdP.
- Remember the name for your SCIM app. For example: - Apple Business Essentials: AppleBusinessEssentialsSCIM 
 
- Paste the app name inside the following URL. For example: - https://identity-provider.com/admin/app/AppleBusinessEssentialsSCIM/oauth/callback 
 
- Save the authorization callback URL. - You paste it into Apple Business Essentials in the next task. 
Create and copy SCIM client information to your IdP
- In Apple Business Essentials, sign in with a user who has the role of Administrator or People Manager. 
- Select your name at the bottom of the sidebar, select Preferences  , then select Managed Apple Accounts , then select Managed Apple Accounts . .
- Select Enable next to Custom Sync. 
- Paste in the authorization callback URL from the previous task, then select Create. 
- Select SCIM Application, then select Create. 
- Open a new text file or spreadsheet, then enter the following values from Apple Business Essentials: - For the OIDC client ID, paste the SCIM client ID. 
- For the OIDC client secret, paste the SCIM client secret. 
 
- Select Copy next to Client ID, then paste the client ID in the file. 
- Select Client Secret, choose how long the secret needs to be active before it expires (6, 9, or 12 months), then paste the client secret in the file. - Important: If you delete or forget the client secret before you paste it into your IdP SCIM app, you need to create a new client secret. 
- Select Done. 
Paste the client ID and client secret in your IdP SCIM app and verify the connection
- Return to the provisioning section of your IdP SCIM app, then paste in the following values: - Apple Business Essentials SCIM Client ID 
- Apple Business Essentials SCIM Client secret 
 
- Save the changes. 
- If your IdP allows you to test authentication using an IdP administrator account, you can test it now. For example, there might be a button “Authenticate with [AppleSchoolManagerSCIM], [AppleBusinessManagerSCIM],[AppleBusinessEssentialsSCIM],” or whatever you named your SCIM app. 
- Enter your IdP administrator name and password, then enter the two-factor authentication value. 
- Read any authorization information carefully. If you agree, select Continue. 
- If necessary, you can now turn on federated authentication for this domain. 
Your IdP and Apple Business Essentials are now configured to sync specific user attribute changes from your IdP to Apple Business Essentials.