          Configure an Apple Authentication Provider

          Configure Apple as an authentication provider to allow users to log in to Salesforce or Experience Cloud using their Apple ID.

          Required Editions

          Available in: Lightning Experience and Salesforce Classic
          Available in: Enterprise, Performance, Unlimited, and Developer Editions
          User Permissions Needed
          To view the settings: View Setup and Configuration
          To edit the settings: Customize Application AND Manage Auth. Providers

          Complete these steps to configure Apple as an authentication provider.

          Note: Keep your Salesforce Setup page and Apple configuration page open so that you can easily switch between them.
          • Set up a registration handler.
          • Configure your app with Apple.
          • Create an Apple auth. provider in Salesforce, and establish a registration handler.
          • Update the Apple configuration with the callback URL generated after creating the Apple auth. provider in Salesforce.
          • Test the connection.
          • Test Salesforce SSO with Apple.
          • Manage Apple Auth. Provider and Private Key
            After you create your Apple Auth. Provider, you can edit it to change settings or upload a new Apple key. Upload a new Apple key, for example, if you suspect that the key is compromised. After uploading the new Apple key, revoke the old one.

          Set Up a Registration Handler

          To use an authentication provider for single sign-on, you must create a registration handler. The registration handler creates users and updates existing users who access Salesforce via the identity provider. You can set up a registration handler with Apex or Flow Builder. For more information, see Create an Authentication Provider Registration Handler.
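The following is an added example of an Apex registration handler for the Apple auth. provider; it is not the template that Salesforce generates when you click Automatically create a registration handler template (see the Apex option in the Create an Apple Auth. Provider steps). It implements the two methods of the Auth.RegistrationHandler interface and is written around the caveat above that Apple sends the user's name and email only on the first login. The class name AppleRegistrationHandler, the profile name Customer Community User, the account name Apple Sign In Customers, and the username suffix @apple-sso.example.com are assumptions to replace with your org's values.

```apex
/**
 * Added example, not Salesforce's generated template. Assumed values: the profile
 * 'Customer Community User', the account 'Apple Sign In Customers' that parents
 * site contacts, and the username suffix '@apple-sso.example.com'.
 */
global class AppleRegistrationHandler implements Auth.RegistrationHandler {

    public class AppleRegistrationException extends Exception {}

    // Called on a user's first successful Apple login. Apple sends name and email
    // only on this first authorization, so everything needed is captured here.
    global User createUser(Id portalId, Auth.UserData data) {
        // Internal (non-site) logins are not auto-provisioned: employees are created by
        // an admin and linked through the Existing User Linking URL, so an arbitrary
        // Apple ID cannot turn into an internal Salesforce user.
        if (portalId == null) {
            throw new AppleRegistrationException(
                'Internal users must be linked by an admin, not self-registered via Apple.');
        }
        // Without an email there is nothing to tie the account to; refuse rather than
        // provision a user with a made-up address.
        if (String.isBlank(data.email)) {
            throw new AppleRegistrationException(
                'Apple did not return an email address; user was not provisioned.');
        }
        // data.identifier is Apple's stable subject for this user and app. Key the
        // Salesforce identity to it rather than to the email, which may be a
        // Hide My Email relay address and is not resent on later logins.
        String stableId = data.identifier.replaceAll('[^a-zA-Z0-9]', '');

        User u = new User();
        u.Username = stableId + '@apple-sso.example.com';  // assumed suffix; must be unique org-wide
        u.Email = data.email;
        u.FirstName = data.firstName;
        u.LastName = String.isBlank(data.lastName) ? 'AppleUser' : data.lastName; // LastName is required
        u.Alias = ('apl' + stableId).left(8);               // Alias is limited to 8 characters
        u.CommunityNickname = ('apple_' + stableId).left(40);
        u.LanguageLocaleKey = 'en_US';
        u.LocaleSidKey = 'en_US';
        u.EmailEncodingKey = 'UTF-8';
        u.TimeZoneSidKey = 'America/Los_Angeles';
        u.ProfileId = [SELECT Id FROM Profile WHERE Name = 'Customer Community User' LIMIT 1].Id; // assumed profile

        // Experience Cloud users must be backed by a Contact; park it under the
        // account reserved for self-registered Apple users (assumed name).
        Account acct = [SELECT Id FROM Account WHERE Name = 'Apple Sign In Customers' LIMIT 1];
        Contact c = new Contact(
            FirstName = u.FirstName, LastName = u.LastName, Email = u.Email, AccountId = acct.Id);
        insert c;
        u.ContactId = c.Id;

        // Salesforce inserts the returned User itself; do not insert it here.
        return u;
    }

    // Called on every later login. Apple normally omits name and email now, so only
    // copy attributes that are actually present and never blank out stored values.
    global void updateUser(Id userId, Id portalId, Auth.UserData data) {
        User u = [SELECT Id, FirstName, LastName FROM User WHERE Id = :userId];
        Boolean changed = false;
        if (String.isNotBlank(data.firstName) && data.firstName != u.FirstName) {
            u.FirstName = data.firstName;
            changed = true;
        }
        if (String.isNotBlank(data.lastName) && data.lastName != u.LastName) {
            u.LastName = data.lastName;
            changed = true;
        }
        // Email is deliberately left alone: it drives password resets and notifications,
        // so a change should go through your own verification process, not a login.
        if (changed) {
            update u;
        }
    }
}
```

Select this class as the Registration Handler in step 13 of the auth. provider setup. Because the handler runs as the Execute Registration As user, that user needs create access to Contact and User in addition to the Manage Users permission, and every Contact it creates is attributed to that system user, which is what makes provisioning auditable.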

          Configure Your App with Apple

          Configure Sign In with Apple from your Apple developer account. Keep in mind that the Apple API sends the user’s name and email to your app the first time that the user logs in only.

          1. Sign in to your Apple developer account.
          2. Register an App ID for your app according to Register an Apple ID in Apple Help.
            Note: From your App ID configuration page, notice that the Team ID is the same as the App ID Prefix. You need the Team ID later.
          3. Associate your website to your app according to Configure Sign In with Apple for the web in Apple Help.
            You’re prompted to supply these values:
            • Website name
            • Unique identifier for your website, which becomes the Apple Services ID
            • The domain associated with your app. You can get the fully qualified domain name from the Domains Setup page in Salesforce. For employees, specify your My Domain login URL. For customers and partners, specify your site URL.
            • Return URLs. For now, enter a placeholder. Later, you populate this field with the Salesforce callback URL.

          Create an Apple Auth. Provider in Salesforce

          1. From Setup, in the Quick Find box, enter Auth. Providers, and then click Auth. Providers.
          2. Click New.
          3. For Provider Type, select Apple.
          4. Enter a name for your Auth. Provider.
          5. Enter a URL suffix, which is used in the client configuration URLs. For example, if the URL suffix of your provider is MyAppleProvider, your SSO URL is similar to https://mydomain_login_url or site_url/services/auth/sso/MyAppleProvider.
          6. Enter the Team ID from Apple. It appears on the Apple App ID configuration page.
          7. Enter your Services ID from Apple. It appears on the Services ID configuration page under the Identifier field.
          8. Create Key ID and Key according to Create a private key to access a capability in Apple Help.
            1. From Apple, create a private key, choosing Sign In with Apple capability.
              Apple generates a Key ID, which appears on Apple’s Key Details page.
            2. From Apple’s Key Details page, download an Apple-generated file to your computer.
              This file, which ends in .p8, contains a private key used to sign your JSON authentication tokens.
              Note: Download the key. Apple’s instructions suggest downloading the key is optional, but Salesforce requires the key.
            3. Return to your Salesforce Auth. Provider Setup page. Click Upload Key, and select the .p8 file.
          9. For Default Scopes, enter the scopes to send along with the request to the authorization endpoint. See Apple Developer Help for Apple’s default scopes.
            Note: If you don’t supply default scopes, Salesforce uses email name.
          10. To direct callbacks to your subdomain instead of login.salesforce.com, select Use subdomain in callback URLs.
          11. For Custom Error URL, enter the URL for the Apple provider to use to report any errors.
          12. For Custom Logout URL, enter a URL to provide a specific destination for authenticated users after they log out.
          13. To use an Apex registration handler, take these steps.
            1. For Registration Handler Type, select Apex.
            2. For Registration Handler, select an existing Apex class that implements the Auth.RegistrationHandler interface. Or, to create a template for the registration handler, click Automatically create a registration handler template. Edit this class later, and modify the default content before using it.
          14. To use a flow for your registration handler, take these steps.
            1. For Registration Handler Type, select Flow.
            2. For Registration Handler, select an existing flow of the Identity User Registration flow type.
            3. Select a default profile. A default profile is required to run the registration handler. If you don't specify a default profile here, set the default profile in the flow itself.

              If you use the Authentication Provider User Registration flow template, the profile that you set here is automatically stored in the defaultProfileId variable.

            4. Select a default account. If you use your authentication provider for Experience Cloud sites, this account stores new internal users.

              If you use the Authentication Provider User Registration flow template, the account that you set here is automatically stored in the defaultAccountId variable.

          15. For Execute Registration As, select an execution user to run the Apex class or flow. The user must have the Manage Users permission.

            Execute Registration As provides the context in which the registration handler runs. In production, you typically create a system user for the Execute Registration As user. This way, operations performed by the handler are easily traced back to the registration process. For example, if a contact is created, the system user creates it.

          16. To use a portal with your provider, select the portal from the Portal dropdown.
          17. For Icon URL, select Choose one of our sample icons to open a list of available icons. Select an Apple icon, copy the URL, and then enter it under Icon URL.
            This icon shows up on your site’s login page. Users click it to log in with their Apple ID.
          18. To use the Salesforce multi-factor authentication (MFA) functionality instead of your identity provider’s MFA service, select Use Salesforce MFA for this SSO provider. This setting triggers MFA only for users who have MFA applied to them directly. For more information, see Use Salesforce MFA for SSO.
          19. Save your work.

          Salesforce displays the Auth. Provider details page, which lists the client configuration URLs generated after creating the Apple auth. provider.

          Apple auth. provider return URLs
          • Test-Only Initialization URL—Use this URL to ensure that the third-party provider is set up correctly. The admin opens this URL in a browser, signs in to Apple, and is redirected back to Salesforce with a map of attributes.
          • Single Sign-On Initialization URL—Use this URL to perform single sign-on (SSO) into Salesforce from Apple using Apple credentials. The user opens this URL in a browser and signs in to the third party. Apple either creates a user or updates an existing user. Then Apple signs the user into Salesforce as that user.
          • Existing User Linking URL—Use this URL to link existing Salesforce users to their Apple account. The user opens this URL in a browser, signs in to Apple, logs in to Salesforce, and approves the link.
          • OAuth-Only Initialization URL—Use this URL to obtain OAuth access tokens for Apple. Users must authenticate with Salesforce for the Apple service to get a token. This flow doesn’t provide for future SSO functionality.
          • Callback URL—Use this URL for the endpoint that the Sign In with Apple service uses to call back to Salesforce. Apple redirects to the callback URL with information for each client configuration URL.

          Update the Apple Configuration with the Callback URL

          After creating the Apple authentication provider in Salesforce, return to your Services ID configuration page in Apple. Update the Return URL to use the Callback URL from the Apple auth. provider generated in Salesforce.

          Test the SSO Connection

          In a browser, open the Test-Only Initialization URL on the Auth. Provider detail page. It redirects you to Apple and asks you to sign in. You’re then asked to authorize your app. After you authorize, you’re redirected to Salesforce.

          Test Single Sign-On with Apple ID

          Now it’s time to test the SSO configuration and log in to Salesforce.

          1. Test SSO into Salesforce.
            1. From Setup, in the Quick Find box, enter Domain, and then select My Domain.
            2. Under Authentication Configuration, click Edit.
            3. Select Apple as your authentication service, and save the settings.
              (Image: Select the authentication service)
            4. Log out, and then go to the Salesforce login page for your subdomain.
            5. Choose the Apple authentication service, and enter your Apple credentials.
          2. Test SSO into your Experience Cloud site.
            1. If you haven’t done so already, create the Apple authentication service account.
            2. Make sure that you have enough licenses for site users.
            3. From Setup, in the Quick Find box, enter Digital Experiences, and then click All Sites. Next to your site, select Workspaces.
            4. Select Administration, and then select Login & Registration.
              (Image: Configure login with Apple ID for the community)
            5. Under Login, select the option to display your Apple auth. provider, and save the settings.
            6. Log out, and open your site login page.
            7. Click the Apple icon, and log in with your Apple credentials.
              (Image: Sample community login page with Apple ID)