Merge pull request #6128 from MicrosoftDocs/main

11/29/2024 AM Publish

docs/external-id/customers/how-to-apple-federation-customers.md

@@ -0,0 +1,112 @@
+---
+title: Add Apple for customer sign-in
+description: Learn how to add Apple as an identity provider for your external tenant.
+
+author: csmulligan
+manager: celestedg
+ms.service: entra-external-id
+
+ms.subservice: customers
+ms.topic: how-to
+ms.date: 11/29/2024
+ms.author: cmulligan
+ms.custom: it-pro
+
+#Customer intent: As a dev, devops, or it admin, I want to learn how to add Apple as an identity provider for my external tenant.
+---
+# Add Apple as an identity provider (preview)
+
+[!INCLUDE [applies-to-external-only](../includes/applies-to-external-only.md)]
+
+By setting up federation with Apple, you can allow customers to sign in to your applications with their own Apple accounts. After you've added Apple as one of your application's sign-in options, on the sign-in page, customers can sign-in to Microsoft Entra External ID with an Apple account. (Learn more about [authentication methods and identity providers for customers](concept-authentication-methods-customers.md).)
+
+## Create an Apple application
+
+To enable sign-in for customers with an Apple ID, you need to create an application in [Apple Developer panel](https://developer.apple.com/). If you don't already have an Apple ID, you can create one at Certificates, Identifiers & Profiles section.
+
+> [!NOTE]
+> This document was created using the state of the provider’s developer page at the time of creation, and changes may occur.
+1. Sign in to the Apple Developer Portal with your account credentials.
+2. From the menu, select **Certificates, IDs, & Profiles**, and then select **(+)**.
+3. In the Register a New Identifier section, select **App IDs**, and then select **Continue**.
+4. For Select a type, select **App**, and then select **Continue**.
+5. To Register your App ID:
+   1. Enter a Description.
+   1. Enter the Bundle ID, such as `com.contoso.azure-ad`. Explicit naming such as `com.myappdomain.myappname` recommended.
+   1. For Capabilities, select **Sign in with Apple** from the capabilities list.
+   1. Take note of your Team ID (App ID Prefix) from this step. You'll need it later.
+   1. Select **Continue** and then **Register**.
+6. From the menu, select **Certificates, IDs, & Profiles**, and then select **(+)**.
+7. In the **Register a new identifier** section, select **Services IDs**, and then select **Continue**.
+8. In Register a Services ID:
+   1. Enter a **Description**. The description is shown to the user on the consent screen.
+   1. Enter the **Identifier**, such as `com.contoso.entra-service`. Explicit naming such as `com.myappdomain.myappname.service` is recommended. Take note of your Service ID identifier. The identifier is your Client ID.
+   1. Select **Continue**, and then select **Register**.
+9. From **Identifiers**, select the Service ID identifier you created.
+10. Select **Sign In with Apple**, and then select **Configure**.
+    1. Select the Primary App ID you want to configure Sign in with Apple with.
+    2. In **Domains and Subdomains**, enter the following by replacing
+      - `<tenant-id>` with your tenant ID or your primary domain name, and
+      - `<tenant-name>` with your tenant name. All characters should be in lower-case.
+         As an example:
+         - `<tenant-name>.ciamlogin.com`
+         - `<tenant-id>.ciamlogin.com`
+
+    3. In **Return URLs**, enter the following by replacing `<tenant-id>`with your tenant ID or your primary domain name, and `<tenant-name>` with your tenant name. All characters should be in lower-case.
+
+         As an example:
+         - `https://<tenant-id>.ciamlogin.com/<tenant-id>/federation/oauth2`
+         - `https://<tenant-id>.ciamlogin.com/<tenant-name>/federation/oauth2`
+         - `https://<tenant-name>.ciamlogin.com/<tenant-id>/federation/oauth2`
+    4. Select **Next**, and then select **Done**.
+    5. When the pop-up window is closed, select **Continue**, and then select **Save**.
+
+## Create an Apple client secret
+
+1. From the Apple Developer portal menu, select **Keys**, and then select **(+)**.
+2. To Register a New Key:
+    1. Type a **Key Name**.
+    1. Select **Sign in with Apple**, and then select **Configure**.
+    1. For the Primary App ID, select the app you created previously, and then select **Save**.
+3. Select **Continue**, and then select **Register** to finish the key registration process.
+4. Take note of the **Key ID**. This key is required when you configure the identity provider.
+5. To Download Your Key, select **Download** to download the `.p8` file that contains your key.
+6. Select **Done**.
+
+> [!IMPORTANT]
+> Sign in with Apple requires the admin to renew their client secret every 6 months. You'll need to manually renew the Apple client secret if it expires and store the new value in the policy key. We recommend you set your own reminder within 6 months to generate a new client secret.
+
+## Configure Apple federation in Microsoft Entra External ID
+
+After you create the Apple app, in this step you set the Apple app details in Microsoft Entra External ID. You can use the Microsoft Entra admin center to do so. To configure Apple federation in the Microsoft Entra admin center, follow these steps:
+
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com).
+1. Browse to **Identity** > **External Identities** > **All identity providers**.
+1. Under the Built-in tab, select **Apple**.
+
+    :::image type="content" source="media/how-to-apple-federation-customers/configure-apple-identity-provider.png" alt-text="Screenshot that shows how to add Apple identity provider.":::
+
+1. The **Name** *Apple* is autopopulated. It cannot be changed.
+1. Enter the following details: 
+    - **Client (Apple service) ID**: The client ID of the Apple application you created in the previous step.
+    - **Apple developer team ID**: The Apple developer team ID related to the Apple application you created in the previous step.
+    - **Key ID**: The key ID of the Apple application you created in the previous step.
+    - **Client secret (.p8) key**: The client secret key of the Apple application you created in the previous step.
+1. Select **Save**. You’ll see Apple listed as a configured identity provider.
+
+    :::image type="content" source="media/how-to-apple-federation-customers/configured-apple-identity-provider.png" alt-text="Screenshot that shows that Apple is added to the identity providers list.":::
+
+## Add Apple identity provider to a user flow
+
+At this point, the Apple identity provider has been set up in your Microsoft Entra External ID, but it's not yet available in any of the sign-in pages. To add the Apple identity provider to a user flow:
+
+1. In your customer tenant, browse to **Identity** > **External Identities** > **User flows**.
+1. Select the user flow where you want to add the Apple identity provider.
+1. Under Settings, select **Identity providers**.
+1. Under **Other Identity Providers**, select **Apple**.
+1. Select **Save**.
+
+## Related content
+
+- [Add Google as an identity provider](how-to-google-federation-customers.md)
+- [Add Facebook as an identity provider](how-to-facebook-federation-customers.md)

docs/external-id/customers/how-to-b2c-federation-customers.md

@@ -58,32 +58,22 @@ To create an application:
 1. Under **Supported account types**, select **Accounts in any identity provider or organizational directory (for authenticating users with user flows)**.
 1. Under **Redirect URI**, select **Web**, and then enter the following URL in all lowercase letters, where `your-B2C-tenant-name` is replaced with the name of your Azure AD B2C tenant (for example, Contoso):
 
-  ```http
-  https://<tenant-subdomain>.ciamlogin.com/<tenant-ID>/federation/oauth2
-  ```
-
-  ```http
-  https://<tenant-subdomain>.ciamlogin.com/<tenant-subdomain>.onmicrosoft.com/federation/oauth2
-  ```
-
-  For example:
-
-  ```http
-  https://contoso.ciamlogin.com/00aa00aa-bb11-cc22-dd33-44ee44ee44ee/federation/oauth2
-  ```
-
-  ```http
-  https://contoso.ciamlogin.com/contoso.onmicrosoft.com/federation/oauth2
-  ```
-
-  If you use a custom domain, enter:
-
-  ```http
-  https://your-domain-name/your-tenant-name.onmicrosoft.com/oauth2/authresp
-  ```
-
-  Replace `your-domain-name` with your custom domain, and `your-tenant-name` with the name of your tenant.
-
+    `https://<tenant-subdomain>.ciamlogin.com/<tenant-ID>/federation/oauth2`
+
+    `https://<tenant-subdomain>.ciamlogin.com/<tenant-subdomain>.onmicrosoft.com/federation/oauth2`
+
+    For example:
+
+    `https://contoso.ciamlogin.com/00aa00aa-bb11-cc22-dd33-44ee44ee44ee/federation/oauth2`
+
+    `https://contoso.ciamlogin.com/contoso.onmicrosoft.com/federation/oauth2`
+
+    If you use a custom domain, enter:
+
+    `https://<your-domain-name>/<your-tenant-name>.onmicrosoft.com/oauth2/authresp`
+
+    Replace `your-domain-name` with your custom domain, and `your-tenant-name` with the name of your tenant.
+
 6. Under **Permissions**, select the **Grant admin consent to openid and offline_access permissions** check box.
 7. Select **Register**.
 8. In the Azure AD B2C - App registrations page, select the application you created and record the **Application (client) ID** shown on the application overview page. You need this ID when you configure the identity provider in the next section.
@@ -100,17 +90,13 @@ Construct your OpenID Connect `well-known` endpoint: replace `<your-B2C-tenant-n
 
 If you're using a custom domain name, replace `<custom-domain-name>` with your custom domain. Replace the `<policy>` with the policy name you configured in your B2C tenant. If you're using the starter pack, it's the `B2C_1A_signup_signin` file.
 
-``http
-https://<your-B2C-tenant-name>.b2clogin.com/<your-B2C-tenant-name>.onmicrosoft.com/<policy>/v2.0/.well-known/openid-configuration
-``
+`https://<your-B2C-tenant-name>.b2clogin.com/<your-B2C-tenant-name>.onmicrosoft.com/<policy>/v2.0/.well-known/openid-configuration`
 
 OR
 
-``http
-https://<custom-domain-name>/<your-B2C-tenant-name>.onmicrosoft.com/<policy>/v2.0/.well-known/openid-configuration
-``
+`https://<custom-domain-name>/<your-B2C-tenant-name>.onmicrosoft.com/<policy>/v2.0/.well-known/openid-configuration`
 
-1. Configure the issuer URI as: `https://your-b2c-tenant-name.b2clogin.com/your-b2c-tenant-id/v2.0/`, or if you're using a custom domain, use your custom domain, domain instead of `your-b2c-tenant-name.b2clogin.com`.
+1. Configure the issuer URI as: `https://<your-b2c-tenant-name>.b2clogin.com/<your-b2c-tenant-id>/v2.0/`, or if you're using a custom domain, use your custom domain, domain instead of `your-b2c-tenant-name.b2clogin.com`.
 1. For **Client ID**, enter the application ID that you previously recorded.
 1. Select **Client authentication** as `client_secret`.
 1. For **Client secret**, enter the client secret that you previously recorded.

docs/external-id/customers/how-to-custom-oidc-federation-customers.md

@@ -35,9 +35,9 @@ To be able to federate users to your identity provider, you first need to prepar
 
 Before moving to next step, populate your redirect URIs as follows:
 
-`https://\<tenant-subdomain\>.ciamlogin.com/\<tenant-ID\>/federation/oauth2`
+`https://<tenant-subdomain>.ciamlogin.com/<tenant-ID>/federation/oauth2`
 
-`https://\<tenant-subdomain\>.ciamlogin.com/\<tenant-subdomain\>.onmicrosoft.com/federation/oauth2`
+`https://<tenant-subdomain>.ciamlogin.com/<tenant-subdomain>.onmicrosoft.com/federation/oauth2`
 
 ## Enable sign-in and sign-up with your identity provider
 

docs/external-id/customers/toc.yml

@@ -348,6 +348,8 @@ items:
             href: how-to-google-federation-customers.md
           - name: Facebook federation
             href: how-to-facebook-federation-customers.md
+          - name: Apple federation
+            href: how-to-apple-federation-customers.md
           - name: OIDC federation
             items:
               - name: Custom OIDC federation

docs/identity-platform/single-sign-on-saml-protocol.md

@@ -84,7 +84,28 @@ Microsoft Entra ID ignores the `AllowCreate` attribute.
 
 ### RequestedAuthnContext
 
-The `RequestedAuthnContext` element specifies the desired authentication methods. It's optional in `AuthnRequest` elements sent to Microsoft Entra ID. Microsoft Entra ID supports `AuthnContextClassRef` values such as `urn:oasis:names:tc:SAML:2.0:ac:classes:Password`.
+The `RequestedAuthnContext` element specifies the desired authentication methods. It's optional in `AuthnRequest` elements sent to Microsoft Entra ID. 
+
+> [!NOTE] 
+> If the `RequestedAuthnContext` is included in the SAML request, the `Comparison` element must be set to `exact`. 
+
+Microsoft Entra ID supports following `AuthnContextClassRef` values. 
+
+| Authentication method| Authentication context class URI |
+|---|---|
+|Kerberos|urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos|
+|User name and password|urn:oasis:names:tc:SAML:2.0:ac:classes:Password|
+|PGP Public Key Infrastructure|urn:oasis:names:tc:SAML:2.0:ac:classes:PGP|
+|Secure Remote Password|urn:oasis:names:tc:SAML:2.0:ac:classes:SecureRemotePassword|
+|XML Digital Signature|urn:oasis:names:tc:SAML:2.0:ac:classes:XMLDSig|
+|Simple public-key infrastructure|urn:oasis:names:tc:SAML:2.0:ac:classes:SPKI|
+|Smartcard|urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard|
+|Smartcard with enclosed private key and a PIN|urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI|
+|Transport Layer Security (TLS) client|urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient|
+|Unspecified|urn:oasis:names:tc:SAML:2.0:ac:classes:Unspecified|
+|X.509 certificate|urn:oasis:names:tc:SAML:2.0:ac:classes:X509|
+|Integrated Windows authentication|urn:federation:authentication:windows|
+
 
 ### Scoping