Home
%3CLINGO-SUB%20id%3D%22lingo-sub-566489%22%20slang%3D%22en-US%22%3EAzure%20AD%20Mailbag%3A%20Use%20Azure%20Active%20Directory%20B2C%20to%20enable%20%E2%80%98Sign%20in%20with%20Apple%E2%80%99%20in%20your%20apps%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-566489%22%20slang%3D%22en-US%22%3E%3CP%3EGreetings!%20We%20are%20going%20to%20start%20highlighting%20Azure%20AD%20B2C%20more%20in%20the%20mailbag%20series%20since%20there%20has%20been%20a%20lot%20of%20interest.%20Since%20Apple%20recently%20announced%20a%20new%20app%20sign-in%20button%20called%20%E2%80%98Sign%20In%20With%20Apple%E2%80%99%2C%20we%E2%80%99ve%20received%20questions%20whether%20it%20works%20with%20Azure%20AD%20B2C.%20Since%20B2C%20leverages%20open%20standards%2C%20the%20answer%20is%20Yes!%20Adam%20Stoffel%20is%20going%20to%20answer%20the%20most%20common%20questions%20we%E2%80%99ve%20heard%20so%20far%20around%20Sign%20In%20With%20Apple.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-Sue%20Bohn%3C%2FP%3E%3CP%3E---%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHi%2C%20I%E2%80%99m%20Adam%20Stoffel%20from%20the%20Identity%20Customer%20Experience%20team.%20I%20spend%20my%20time%20working%20with%20customers%20who%20are%20using%20or%20plan%20to%20use%20Azure%20AD%20B2C%20%E2%80%93%20our%20customer%20identity%20and%20access%20management%20solution.%20Recently%2C%20we%20received%20some%20questions%20about%20Apple%E2%80%99s%20announcement%20for%20their%20new%20single%20sign-on%20service.%20In%20this%20edition%20of%20Mailbag%2C%20we%E2%80%99ll%20look%20at%20what%20the%20%E2%80%98%3CA%20href%3D%22https%3A%2F%2Fdeveloper.apple.com%2Fsign-in-with-apple%2F%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%20target%3D%22_blank%22%3ESign%20in%20with%20Apple%3C%2FA%3E%E2%80%98%20service%20is%20and%20how%20you%20can%20get%20ready%20for%20its%20public%20debut%20later%20this%20year.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EQ1%3A%20What%20is%20Sign%20in%20with%20Apple%3F%3C%2FP%3E%3CP%3ESign%20in%20with%20Apple%20is%20a%20single%20sign-on%20service%20which%20allows%20users%20to%20use%20their%20Apple%20ID%20to%20sign%20into%20website%20and%20mobile%20applications.%20You%20can%20think%20of%20this%20the%20same%20way%20Facebook%20Sign-in%20works%20in%20many%20apps%20you%20might%20already%20use.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EUsers%20will%20also%20have%20the%20option%20to%20mask%20their%20email%20address%20when%20they%20sign%20into%20an%20application.%20Apple%20will%20maintain%20a%20mapping%20of%20these%20masked%20email%20addresses%20back%20to%20the%20actual%20user%20profile%20and%20relay%20email%20messages%20on%20the%20user%E2%80%99s%20behalf.%20Users%20will%20also%20need%20to%20setup%20multi-factor%20authentication%20to%20use%20Sign%20in%20with%20Apple%20%E2%80%93%20a%20feature%20of%20Apple%20ID%20that%2C%20today%2C%20requires%20a%20user%20to%20have%20an%20iOS%20or%20Mac%20device.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EQ2%3A%20Do%20I%20need%20to%20care%20about%20Sign%20in%20with%20Apple%3F%3C%2FP%3E%3CP%3EUsing%20Sign%20in%20with%20Apple%20will%20be%20soon%20be%20required%20for%20all%20apps%20in%20the%20Apple%20App%20Store%20which%20support%20third-party%20sign-in.%20This%20is%20indicated%20at%20the%20very%20bottom%20of%20Apple%E2%80%99s%20%3CA%20href%3D%22https%3A%2F%2Fdeveloper.apple.com%2Fnews%2F%3Fid%3D06032019j%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%20target%3D%22_blank%22%3Erecent%20update%3C%2FA%3E%20to%20its%20App%20Store%20review%20guidelines.%20This%20requirement%20will%20be%20enforced%20once%20the%20service%20is%20out%20of%20beta%20and%20commercially%20available.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20new%20policy%20means%20that%20if%20you%20implement%20any%20third-party%20or%20social%20login%20(like%20Facebook%2C%20LinkedIn%2C%20or%20Twitter)%20in%20your%20iOS%20or%20Mac%20apps%2C%20those%20apps%20will%20also%20need%20to%20include%20Sign%20in%20with%20Apple%20as%20an%20option.%20By%20using%20Azure%20AD%20B2C%20to%20enable%20social%20login%20in%20your%20applications%2C%20you%20can%20be%20ready%20for%20this%20requirement%20when%20it%20becomes%20mandatory%20later%20this%20year.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EQ3%3A%20What%20protocol%20does%20Sign%20in%20with%20Apple%20use%3F%3C%2FP%3E%3CP%3EAlthough%20the%20service%20is%20in%20beta%2C%20Apple%20has%20published%20some%20documentation%20on%20how%20to%20integrate%20Sign%20in%20with%20Apple%20into%20mobile%20and%20web%20applications.%20This%20documentation%20reveals%20that%20the%20service%20implements%20endpoints%20that%20are%20similar%20to%20OAuth2%20or%20OpenID%20Connect.%20Our%20investigations%20have%20experimentally%20revealed%20that%20it%20is%20possible%20to%20build%20a%20basic%20OIDC%20flow%20atop%20the%20current%20Sign%20in%20with%20Apple%20API%20surface.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EQ4%3A%20How%20can%20I%20get%20ready%20for%20Sign%20in%20with%20Apple%3F%3C%2FP%3E%3CP%3EAzure%20AD%20B2C%20can%20help%20you%20enable%20this%20service%20in%20your%20applications.%20Since%20Sign%20in%20with%20Apple%20implements%20the%20basics%20of%20OpenID%20Connect%2C%20that%E2%80%99s%20enough%20to%20configure%20it%20as%20an%20OpenID%20Connect%20identity%20provider%20in%20Azure%20AD%20B2C.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETo%20configure%20Azure%20AD%20B2C%20to%20use%20Sign%20in%20with%20Apple%2C%20you%E2%80%99ll%20need%20to%20have%20an%20Apple%20Developer%20account%2C%20setup%20your%20application%20in%20the%20Apple%20Developer%20portal%2C%20and%20collect%20some%20configuration%20values.%20Because%20Apple%E2%80%99s%20implementation%20of%20the%20authentication%20protocol%20is%20somewhat%20incomplete%2C%20there%20are%20some%20steps%20which%20deviate%20from%20a%20typical%20OpenID%20Connect%20identity%20provider%20configuration%20process.%3C%2FP%3E%3CP%3EFor%20more%20information%20on%20how%20to%20obtain%20the%20appropriate%20OpenID%20Connect%20configuration%20values%20from%20the%20Apple%20Developer%20portal%20and%20for%20instructions%20on%20how%20to%20integrate%20Azure%20AD%20B2C%20with%20Sign%20in%20with%20Apple%2C%20check%20out%20the%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fazure-ad-b2c%2Fsamples%2Ftree%2Fmaster%2Fpolicies%2Fsign-in-with-apple%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%20target%3D%22_blank%22%3Eguide%20on%20GitHub%3C%2FA%3E.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFor%20any%20questions%2C%20you%20can%20reach%20us%20at%20AskAzureADBlog%40microsoft.com%2C%26nbsp%3BTech%20Communities%26nbsp%3Bor%20on%20Twitter%26nbsp%3B%40AzureAD%2C%26nbsp%3B%40MarkMorow%26nbsp%3Band%26nbsp%3B%3Ca%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F283126%22%3E%40Alex_A%3C%2Fa%3E_Simons.%20You%20can%20also%20ask%20questions%20in%20the%20comments%20of%20this%20post.%20Check%20out%20our%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Ftag%2Fmailbag%2Ftg-p%2Ftag-id%2F13018%22%20target%3D%22_blank%22%3Eprevious%20mailbag%20posts%3C%2FA%3E!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-566489%22%20slang%3D%22en-US%22%3E%3CP%3E%3C%2FP%3E%3CP%3EIn%20this%20edition%20of%20Mailbag%2C%20we%20look%20at%20what%20the%20'Sign%20in%20with%20Apple'%20service%20is%20and%20how%20it%20works%20with%20Azure%20AD%20B2C!%3C%2FP%3E%3C%2FLINGO-TEASER%3E
Microsoft

Greetings! We are going to start highlighting Azure AD B2C more in the mailbag series since there has been a lot of interest. Since Apple recently announced a new app sign-in button called ‘Sign In With Apple’, we’ve received questions whether it works with Azure AD B2C. Since B2C leverages open standards, the answer is Yes! Adam Stoffel is going to answer the most common questions we’ve heard so far around Sign In With Apple.

 

-Sue Bohn

---

 

Hi, I’m Adam Stoffel from the Identity Customer Experience team. I spend my time working with customers who are using or plan to use Azure AD B2C – our customer identity and access management solution. Recently, we received some questions about Apple’s announcement for their new single sign-on service. In this edition of Mailbag, we’ll look at what the ‘Sign in with Apple‘ service is and how you can get ready for its public debut later this year.

 

Q1: What is Sign in with Apple?

Sign in with Apple is a single sign-on service which allows users to use their Apple ID to sign into website and mobile applications. You can think of this the same way Facebook Sign-in works in many apps you might already use.

 

Users will also have the option to mask their email address when they sign into an application. Apple will maintain a mapping of these masked email addresses back to the actual user profile and relay email messages on the user’s behalf. Users will also need to setup multi-factor authentication to use Sign in with Apple – a feature of Apple ID that, today, requires a user to have an iOS or Mac device.  

 

Q2: Do I need to care about Sign in with Apple?

Using Sign in with Apple will be soon be required for all apps in the Apple App Store which support third-party sign-in. This is indicated at the very bottom of Apple’s recent update to its App Store review guidelines. This requirement will be enforced once the service is out of beta and commercially available.

 

This new policy means that if you implement any third-party or social login (like Facebook, LinkedIn, or Twitter) in your iOS or Mac apps, those apps will also need to include Sign in with Apple as an option. By using Azure AD B2C to enable social login in your applications, you can be ready for this requirement when it becomes mandatory later this year.

 

B2CSignInWithAppleFlow.gif‘Sign in with Apple’ as an identity provider in Azure Active Directory B2C

 

Q3: What protocol does Sign in with Apple use?

Although the service is in beta, Apple has published some documentation on how to integrate Sign in with Apple into mobile and web applications. This documentation reveals that the service implements endpoints that are similar to OAuth2 or OpenID Connect. Our investigations have experimentally revealed that it is possible to build a basic OIDC flow atop the current Sign in with Apple API surface.

 

Q4: How can I get ready for Sign in with Apple?

Azure AD B2C can help you enable this service in your applications. Since Sign in with Apple implements the basics of OpenID Connect, that’s enough to configure it as an OpenID Connect identity provider in Azure AD B2C. 

 

To configure Azure AD B2C to use Sign in with Apple, you’ll need to have an Apple Developer account, setup your application in the Apple Developer portal, and collect some configuration values. Because Apple’s implementation of the authentication protocol is somewhat incomplete, there are some steps which deviate from a typical OpenID Connect identity provider configuration process.

For more information on how to obtain the appropriate OpenID Connect configuration values from the Apple Developer portal and for instructions on how to integrate Azure AD B2C with Sign in with Apple, check out the guide on GitHub.

 

For any questions, you can reach us at AskAzureADBlog@microsoft.com, Tech Communities or on Twitter @AzureAD@MarkMorow and @Alex_A_Simons. You can also ask questions in the comments of this post. Check out our previous mailbag posts!