---
title: Configuring an OpenID Connect policy (Windows login)
description: Create an OpenID Connect policy, and then map the policy to the specific OAuth client.
component: pingid
page_id: pingid:pingid_integrations:pid_configuring_openid_connect_policy_windows_login
canonical_url: http://docs.pingidentity.com/pingid/pingid_integrations/pid_configuring_openid_connect_policy_windows_login.html
revdate: January 28, 2024
section_ids:
  about-this-task: About this task
  steps: Steps
  result: Result:
  result-2: Result:
  result-3: Result:
---

# Configuring an OpenID Connect policy (Windows login)

Create an OpenID Connect policy, and then map the policy to the specific OAuth client.

## About this task

## Steps

1. In PingFederate, before creating a policy, make sure an OpenID Connect (OIDC) scope is defined:

   1. In PingFederate, go to Scope Management:

      * PingFederate 10.1 or later: Go to **System → OAuth Settings** and then click **Scope Management**.

      * PingFederate 10 or earlier: On the **OAuth Server** tab, in the **Authorization Server** section, click **Scope Management**.

   2. Create an OpenID Connect scope:

      1. In the **Scope Value** field, type `openid`.

      2. In the **Scope Description** field, type `OpenID Connect login`.

      3. Click **Add**, and then click **Save**.

         ### Result:

         The new scope is added to the Common Scopes list, and the entry is saved.

2. In PingFederate, create an OpenID Connect policy:

   1. Go to OpenID Connect Policy Management:

      * PingFederate 10.1 or later: Go to **Applications → OAuth** and then click **OpenID Connect Policy Management**.

      * PingFederate 10 or earlier: On the **OAuth Server** tab, in the **Token Mapping** section, click **OpenID Connect Policy Management**.

   2. Click **Add Policy**.

   3. In the **Manage Policy** tab, enter the following:

      * **Policy ID**: Enter a unique ID for the policy.

      * **Name**: Enter a name for the policy.

      * **Access Token Manager**: Select the access token manager that you created earlier from the drop-down list.

      * Select the **Include User Info in ID Token** check box.

   4. Click **Next**.

   5. On the **Attribute Contract** tab, in the **Extend the Contract** section, for each attribute listed, click **Delete** in the relevant row, until all attributes are deleted.

   6. In a new row, enter `winlogin.auth.response`, and click **Add**.

      ### Result:

      The new attribute is added to the **Extend the Contract** list.

   7. Click **Next**.

   8. In the **Attribute Scopes** tab, associate the OpenID scope with the `winlogin.auth.response` attribute:

      * In the **Scope** column, select **Open ID** from the drop-down list.

      * In the **Attributes** column, select the `winlogin.auth.response` check box and then click **Add**.

   9. Click **Next**, and then on the **Attribute Sources & User Lookup** tab, click **Next**.

   10. In the **Contract Fulfillment** tab:

       * `sub` attribute: From the **Source** list, select **Access Token**. From the **Value** list, select **subject**.

       * `winlogin.auth.response` attribute: From the **Source** list, select **Access Token**. From the **Value** list, select `winlogin.auth.response`.

   11. Click **Next**, and on the **Issuance Criteria** tab, click **Next**.

   12. On the **Summary** tab, click **Save**.

       ### Result:

       The new OpenID Connect policy is listed in the **OpenID Connect Policy Management** window.

3. If more than one policy exists, click **Default** to make this policy your default policy.
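
To confirm the saved policy, decode an ID token issued under it and compare its claims with the contract built in the **Attribute Contract** and **Contract Fulfillment** steps: `sub` plus `winlogin.auth.response`, with no leftover extended attributes. The Python check below is an added example, not Ping Identity code; the sample tokens, issuer URL, and client name are constructed, and the script inspects claims without verifying the token signature.

```python
import base64
import json

# Registered ID token claims (OIDC Core / RFC 7519); not part of the extended contract.
PROTOCOL_CLAIMS = {"iss", "sub", "aud", "exp", "iat", "nbf", "jti", "auth_time",
                   "nonce", "acr", "amr", "azp", "at_hash", "c_hash"}
# Contract configured in the steps above: sub plus the single extended attribute.
REQUIRED_CLAIMS = {"sub", "winlogin.auth.response"}


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_payload(id_token: str) -> dict:
    """Return the claims of a compact JWS. Does NOT verify the signature."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def check_contract(claims: dict) -> dict:
    """Report required claims that are missing and extended claims left behind."""
    names = set(claims)
    return {"missing": sorted(REQUIRED_CLAIMS - names),
            "unexpected": sorted(names - PROTOCOL_CLAIMS - REQUIRED_CLAIMS)}


def make_sample_token(claims: dict) -> str:
    """Build a constructed token with a placeholder signature for the demo."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.c2ln"


# Constructed sample claims, not real PingFederate output.
BASE = {"iss": "https://pf.example.com", "sub": "jdoe", "aud": "winlogin-client",
        "exp": 1900000000, "iat": 1899999700}
GOOD = make_sample_token({**BASE, "winlogin.auth.response": "constructed-value"})
# Policy where an old attribute was not deleted and the new one was never added.
STALE = make_sample_token({**BASE, "email": "jdoe@example.com"})

if __name__ == "__main__":
    for label, token in (("good", GOOD), ("stale", STALE)):
        print(label, check_contract(decode_payload(token)))
```

An empty `missing` and `unexpected` result means the token matches the contract. Verify the signature against the issuer's published keys before trusting any claim value.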
