PingOne Platform APIs

Create Identity Provider Attribute (Apple)

   

POST {{apiPath}}/environments/{{envID}}/identityProviders/{{providerID}}/attributes

The POST {{apiPath}}/environments/{{envID}}/identityProviders/{{providerID}}/attributes operation adds a new identity provider attribute mapping resource for the specified identity provider.

For APPLE type attribute mappings, supported Apple attributes can be mapped to any searchable PingOne user attribute. The administrator must know the name/path of the Apple provider attribute that is mapped.

If Apple is specified as the the external identity provider, a subset of Apple provider attributes can be used as the mapping attribute placeholder value.

The placeholder value must use the following syntax:

${providerAttributes.<Apple attribute name>}

When you create a new Apple identity provider entity, the POST request automatically maps the PingOne username attribute to the Apple sub attribute. The username attribute is the core mapping attribute; the default Apple attribute value is sub. It is also recommended that you map the PingOne email attribute to the Apple email attribute.

The request body for the email-to-email mapping looks like this, with the value attribute showing the Apple email attribute expressed using the placeholder syntax:

{
    "name": "email",
    "update": "EMPTY_ONLY",
    "value": "${providerAttributes.email}"
}

Refer to Identity Provider Attributes for more information. Refer also to Base IdP data model for the properties available to all of the supported identity providers.

Apple sends only an ID token with the first authentication of SIWA (Sign In With Apple), and the name object can be grabbed from this token. This behavior is noted in the Apple documentation in Authenticating users with Sign in with Apple. To get the name, you need to map the given name (name.given property in PingOne) to providerAttributes.name.firstName and the family name (name.family property in PignOne) to providerAttributes.name.lastName from Apple. This structure is show in the Apple documentation in Configuring your webpage for Sign in with Apple.

Prerequisites

Property Type Required?

name

String

Required

value

String

Required

update

String

Required
Request Model

Apple identity provider attribute settings data model

Apple core attributes

Property Description

sub

A string that specifies the core Apple attribute. The default value is ${providerAttributes.sub} and the default update value is EMPTY_ONLY.

Apple provider attributes

Permission Provider attributes

name

Options are: sub, iss, iat, expt, aud, nonce, nonce_supported

email

Options are: email, email_verified

Headers

Authorization      Bearer {{accessToken}}

Content-Type      application/json

Body

raw ( application/json )

{
    "name": "email",
    "update": "EMPTY_ONLY",
    "value": "${providerAttributes.user.email}"
}

Example Request

  • cURL

  • C#

  • Go

  • HTTP

  • Java

  • jQuery

  • NodeJS

  • Python

  • PHP

  • Ruby

  • Swift

curl --location --globoff '{{apiPath}}/environments/{{envID}}/identityProviders/{{providerID}}/attributes' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer {{accessToken}}' \
--data '{
    "name": "email",
    "update": "EMPTY_ONLY",
    "value": "${providerAttributes.user.email}"
}'
var options = new RestClientOptions("{{apiPath}}/environments/{{envID}}/identityProviders/{{providerID}}/attributes")
{
  MaxTimeout = -1,
};
var client = new RestClient(options);
var request = new RestRequest("", Method.Post);
request.AddHeader("Content-Type", "application/json");
request.AddHeader("Authorization", "Bearer {{accessToken}}");
var body = @"{" + "\n" +
@"    ""name"": ""email""," + "\n" +
@"    ""update"": ""EMPTY_ONLY""," + "\n" +
@"    ""value"": ""${providerAttributes.user.email}""" + "\n" +
@"}";
request.AddStringBody(body, DataFormat.Json);
RestResponse response = await client.ExecuteAsync(request);
Console.WriteLine(response.Content);
package main

import (
  "fmt"
  "strings"
  "net/http"
  "io"
)

func main() {

  url := "{{apiPath}}/environments/{{envID}}/identityProviders/{{providerID}}/attributes"
  method := "POST"

  payload := strings.NewReader(`{
    "name": "email",
    "update": "EMPTY_ONLY",
    "value": "${providerAttributes.user.email}"
}`)

  client := &http.Client {
  }
  req, err := http.NewRequest(method, url, payload)

  if err != nil {
    fmt.Println(err)
    return
  }
  req.Header.Add("Content-Type", "application/json")
  req.Header.Add("Authorization", "Bearer {{accessToken}}")

  res, err := client.Do(req)
  if err != nil {
    fmt.Println(err)
    return
  }
  defer res.Body.Close()

  body, err := io.ReadAll(res.Body)
  if err != nil {
    fmt.Println(err)
    return
  }
  fmt.Println(string(body))
}
POST /environments/{{envID}}/identityProviders/{{providerID}}/attributes HTTP/1.1
Host: {{apiPath}}
Content-Type: application/json
Authorization: Bearer {{accessToken}}

{
    "name": "email",
    "update": "EMPTY_ONLY",
    "value": "${providerAttributes.user.email}"
}
OkHttpClient client = new OkHttpClient().newBuilder()
  .build();
MediaType mediaType = MediaType.parse("application/json");
RequestBody body = RequestBody.create(mediaType, "{\n    \"name\": \"email\",\n    \"update\": \"EMPTY_ONLY\",\n    \"value\": \"${providerAttributes.user.email}\"\n}");
Request request = new Request.Builder()
  .url("{{apiPath}}/environments/{{envID}}/identityProviders/{{providerID}}/attributes")
  .method("POST", body)
  .addHeader("Content-Type", "application/json")
  .addHeader("Authorization", "Bearer {{accessToken}}")
  .build();
Response response = client.newCall(request).execute();
var settings = {
  "url": "{{apiPath}}/environments/{{envID}}/identityProviders/{{providerID}}/attributes",
  "method": "POST",
  "timeout": 0,
  "headers": {
    "Content-Type": "application/json",
    "Authorization": "Bearer {{accessToken}}"
  },
  "data": JSON.stringify({
    "name": "email",
    "update": "EMPTY_ONLY",
    "value": "${providerAttributes.user.email}"
  }),
};

$.ajax(settings).done(function (response) {
  console.log(response);
});
var request = require('request');
var options = {
  'method': 'POST',
  'url': '{{apiPath}}/environments/{{envID}}/identityProviders/{{providerID}}/attributes',
  'headers': {
    'Content-Type': 'application/json',
    'Authorization': 'Bearer {{accessToken}}'
  },
  body: JSON.stringify({
    "name": "email",
    "update": "EMPTY_ONLY",
    "value": "${providerAttributes.user.email}"
  })

};
request(options, function (error, response) {
  if (error) throw new Error(error);
  console.log(response.body);
});
import requests
import json

url = "{{apiPath}}/environments/{{envID}}/identityProviders/{{providerID}}/attributes"

payload = json.dumps({
  "name": "email",
  "update": "EMPTY_ONLY",
  "value": "${providerAttributes.user.email}"
})
headers = {
  'Content-Type': 'application/json',
  'Authorization': 'Bearer {{accessToken}}'
}

response = requests.request("POST", url, headers=headers, data=payload)

print(response.text)
<?php
require_once 'HTTP/Request2.php';
$request = new HTTP_Request2();
$request->setUrl('{{apiPath}}/environments/{{envID}}/identityProviders/{{providerID}}/attributes');
$request->setMethod(HTTP_Request2::METHOD_POST);
$request->setConfig(array(
  'follow_redirects' => TRUE
));
$request->setHeader(array(
  'Content-Type' => 'application/json',
  'Authorization' => 'Bearer {{accessToken}}'
));
$request->setBody('{\n    "name": "email",\n    "update": "EMPTY_ONLY",\n    "value": "${providerAttributes.user.email}"\n}');
try {
  $response = $request->send();
  if ($response->getStatus() == 200) {
    echo $response->getBody();
  }
  else {
    echo 'Unexpected HTTP status: ' . $response->getStatus() . ' ' .
    $response->getReasonPhrase();
  }
}
catch(HTTP_Request2_Exception $e) {
  echo 'Error: ' . $e->getMessage();
}
require "uri"
require "json"
require "net/http"

url = URI("{{apiPath}}/environments/{{envID}}/identityProviders/{{providerID}}/attributes")

http = Net::HTTP.new(url.host, url.port);
request = Net::HTTP::Post.new(url)
request["Content-Type"] = "application/json"
request["Authorization"] = "Bearer {{accessToken}}"
request.body = JSON.dump({
  "name": "email",
  "update": "EMPTY_ONLY",
  "value": "\${providerAttributes.user.email}"
})

response = http.request(request)
puts response.read_body
let parameters = "{\n    \"name\": \"email\",\n    \"update\": \"EMPTY_ONLY\",\n    \"value\": \"${providerAttributes.user.email}\"\n}"
let postData = parameters.data(using: .utf8)

var request = URLRequest(url: URL(string: "{{apiPath}}/environments/{{envID}}/identityProviders/{{providerID}}/attributes")!,timeoutInterval: Double.infinity)
request.addValue("application/json", forHTTPHeaderField: "Content-Type")
request.addValue("Bearer {{accessToken}}", forHTTPHeaderField: "Authorization")

request.httpMethod = "POST"
request.httpBody = postData

let task = URLSession.shared.dataTask(with: request) { data, response, error in
  guard let data = data else {
    print(String(describing: error))
    return
  }
  print(String(data: data, encoding: .utf8)!)
}

task.resume()

Example Response

201 Created

{
    "_links": {
        "self": {
            "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/identityProviders/a6e6e9f3-5b01-4a9c-858c-5264b581a52f/attributes/43eeab55-7e37-481f-9e19-6d88f5ff13b2"
        },
        "identityProvider": {
            "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/identityProviders/a6e6e9f3-5b01-4a9c-858c-5264b581a52f"
        }
    },
    "name": "email",
    "value": "${providerAttributes.email}",
    "update": "EMPTY_ONLY",
    "id": "43eeab55-7e37-481f-9e19-6d88f5ff13b2",
    "mappingType": "CUSTOM",
    "environment": {
        "id": "abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6"
    },
    "identityProvider": {
        "id": "a6e6e9f3-5b01-4a9c-858c-5264b581a52f"
    },
    "createdAt": "2020-04-23T23:12:16.485Z",
    "updatedAt": "2020-04-23T23:12:16.485Z"
}