Hey, I know this question is old, but I find the documentation here is a little lacking at the moment so I'll give a step-by-step guide for how it is now (May 2022).
First, create your primary App ID (Found under "Identifiers" category).
Go through the steps and once you get to configuration scroll down in the "Capabilities" section and check the box "Sign In with Apple".
You can configure a url to receive user account events for accounts who've signed in to your service (for instance it they delete their Apple ID) but this isn't mandatory.
Now it is very important that you click the blue "Save" button in the upper right corner.
Next, go back to the "Identifiers" category, but this time use the dropdown in the upper right to select "Service IDs".
Create a new one and go through the steps.
Once created, check the box "Sign in with Apple" that appears on the bottom of the section and then click "Configure".
In the top part of this dialog box you must choose the App ID we created in the first step. If you cannot see it or it says "No App ID available" you missed something in the first step. Don't waste your time trying to fill it in if you don't see your App ID in the top! Go back and check the configuration on your App ID, make absolutely sure you check the "Sign in with Apple" box and click save!
Finally, enter your domains. In the middle box "Domains and subdomains" Enter your domains WITHOUT protocol (https://).
In the bottom box enter your full, exact return URL that the browser can redirect to after a sign in, this time with protocol and full path.
Depending on your use case you next probably need to generate a secret key for the app and sign a JWT token with it, but those parts are a little better documented and outside the scope of the original question.
Hope it helps someone
