
Use federated authentication with your identity provider in Apple Business Manager
In Apple Business Manager, you can link to your identity provider (IdP) using federated authentication to allow users to sign in to Apple devices with their IdP user name (generally their email address) and password.
As a result, your users can leverage their IdP credentials as a Managed Apple Account. They can then use those credentials to sign in to their assigned iPhone, iPad, Mac, Apple Vision Pro, and to Shared iPad. After they’ve signed in to one of those devices, they can then also sign in to iCloud on the web.
Federated authentication process
This process involves four main steps:
- Add and verify a domain. 
- Create a new Open ID Connect (OIDC) app or connection. 
- Configure federated authentication and test authentication with a single IdP user account. 
- Turn on federated authentication. 
Important: Review the following before you configure federated authentication.
Step 1: Verify a domain
Before you can view your IdP user accounts with Apple Business Manager, you need to add and verify the domain you want to use.
The verification process ensures that your organization is the one that has authority to modify the domain name service (DNS) records for your domain. For example, to use betterbag.com as your domain, you add a specific TXT record to your domain name server’s zone file within 14 calendar days of beginning the verification process (which begins when you select the Verify button).
Note: If you’re attempting to federate a domain you’ve already verified but another organisation has already federated the identical domain, you need to contact that organisation to determine who has the authority to federate the domain. See Domain conflicts.
Step 2: Create a new OIDC app or connection
To connect to Apple Business Manager, your IdP needs to have or create an app, that contains specific settings to link to Apple Business Manager. Because each IdP has a different method for creating an app and a place where specific settings are located, consult your IdP’s documentation on how to complete this process.
- Sign in to your IdP as an administrator, then do one of the following: - Locate the app created by your IdP. You may be able to skip several steps in this task. 
- Navigate to where you can create an app or connection. 
 
- Create the app or connection with the following information: - Apple Business Manager: AppleBusinessManagerOIDC. 
- Sign-in method: OIDC. 
- App type: Web app. 
- Grant type: Refresh token. 
- Sign-in redirects URI: https://gsa-ws.apple.com/grandslam/GsService2/acs. 
- Access: Allow specific user accounts. 
- Scope access: Access needs to be granted to - ssf.manageand- ssf.read.
 
- Save the changes. - Later on this page, you need to paste certain information in Apple Business Manager. This next task is to copy that information to a text or spreadsheet file. 
- Open a new text file or spreadsheet, then enter the following values from the IdP: - For the OIDC client ID, paste the OIDC client ID. 
- For the OIDC client secret, paste the OIDC client secret. 
 
- Save the file to a secure location. 
Step 3: Configure federated authentication and test authentication with a single IdP user account
This step is to establish a trust relationship between your IdP and Apple Business Manager.
Note: After you complete this step, users cannot create new unmanaged (personal) Apple Accounts on the domain that you configure. This could affect other Apple services that your users access. See Transfer Apple services.
- In Apple Business Manager  , sign in with a user who has the role of Administrator or People Manager. , sign in with a user who has the role of Administrator or People Manager.
- Select your name at the bottom of the sidebar, select Preferences  , select Managed Apple Accounts , select Managed Apple Accounts , then select Get Started under “User sign in and directory sync.” , then select Get Started under “User sign in and directory sync.”
- Select Custom Identity Provider, then select Continue. 
- Enter a name for your federated authentication connection. - You can use up to 128 characters. 
- Copy the client ID and client secret values into Apple Business Manager from the text file or spreadsheet you saved in the previous section. 
- Contact your IdP to get URLs for the following two configurations: - Shared Signals Framework (SSF) 
- OpenID 
 
- Select Continue. - If all the values you provided were valid, you’re presented with the login page of your IdP. Proceed to step 8. 
- Sign in with an IdP administrator user name and password. 
- Select Done. 
Step 4: Turn on federated authentication
- In Apple Business Manager  , sign in with a user who has the role of Administrator or People Manager. , sign in with a user who has the role of Administrator or People Manager.
- Select your name at the bottom of the sidebar, select Preferences  , then select Managed Apple Accounts , then select Managed Apple Accounts . .
- In the Domains section, select Manage next to the domain you want to federate, then select “Turn on Sign in with your Identity Provider.” 
- Turn on “Sign in with your Identity Provider.” - If necessary, you can now sync user accounts to Apple Business Manager. See Sync user accounts from your identity provider.