PingFederate Server

Configuring policy and ID token settings

Configure your OpenID Connect policy settings and the required and optional information for ID tokens.

Steps

  1. Go to Applications → OAuth → OpenID Connect Policy Management and click Add Policy.

  2. In the Policy ID field, enter the policy identifier.

  3. In the Name field, enter the policy name.

  4. In the Access Token Manager list, select an access token management instance.

  5. Optional: In the ID Token Lifetime field, enter the lifetime, in minutes, of ID tokens issued under this policy.

    The default value is 5 minutes.

  6. Optional: Select the Include Session Identifier in ID Token check box to add a session identifier (pi.sri) in the ID tokens.

    Doing this might be useful for the relying parties, such as PingAccess, for client session management.

  7. Optional: Select the Include User Info in ID Token check box to include additional attributes in the ID tokens.

    OAuth clients can also obtain additional attributes from the UserInfo endpoint at /idp/userinfo.openid. For more information, see UserInfo endpoint.

  8. Optional: Select the Include State Hash in ID Token check box to include the s_hash claim in ID tokens.

    A state hash protects the state parameter by binding it to the ID token. For more information, see Financial Services – Financial API - Part 2: Read and Write API Security Profile.

  9. Optional: Select the Include X.509 Thumbprint Header in ID Token check box to include the x5t header parameter for the token.

    The X.509 thumbprint (x5t) is only included in the ID Token header when static keys are enabled. For more information, see Configuring static signing keys.

  10. Optional: In the ID Token Type (TYP) Header Value field, enter the token type. This field sets the value of the Type (typ) header in the JSON Web Token (JWT). If you leave the field blank, the typ header is omitted.

    Use JWT in the ID Token Type (TYP) Header Value field to indicate that the object is a JWT. For compatibility with older implementations, it’s best to always spell JWT in uppercase, even though media type names are not case-sensitive.

  11. Optional: Select the Return ID Token On Refresh Grant check box to return an ID token to OpenID Connect clients, including Salesforce and Kubernetes, when the OAuth access token is refreshed.

  12. Optional: Select the Reissue ID Token In Hybrid Flow check box to issue a new ID token at the token endpoint that is different from the first ID token issued for an authorization endpoint request.

    This is applicable only for OpenID Connect hybrid flows. For more information about hybrid flows, see Protocol Elements in the OpenID Connect Basic Client Implementer’s Guide.

    To modify the personally identifiable information (PII) in the ID token, see Configuring ID token fulfillment.
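The policy settings in steps 5, 8, 9, and 10 all surface as headers or claims in the issued ID token, and a relying party only benefits from them if it actually checks them. The following is an added example, not PingFederate code or documentation, showing what those checks look like on the relying-party side: the s_hash computation (left half of the alg's hash over the state value, base64url-encoded), the x5t thumbprint (base64url of the SHA-1 of the DER certificate), the typ header, the lifetime against the policy, and the presence of pi.sri. To stay self-contained it signs a constructed token with HS256 and a demo secret in place of PingFederate's RSA signing key; the issuer URL, client ID, certificate bytes, session identifier and POLICY dictionary are all constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-ins: PingFederate signs ID tokens with its configured RSA/EC key,
# not a shared secret; HS256 is used here only so the example runs offline.
SECRET = b"constructed-demo-secret"
ISSUER = "https://sso.example.com"          # placeholder issuer
CLIENT_ID = "rp-client"                      # placeholder OAuth client ID

# Mirrors the check boxes and fields on the policy page (values are constructed).
POLICY = {
    "lifetime_minutes": 5,        # ID Token Lifetime (default 5)
    "include_session_id": True,   # Include Session Identifier in ID Token (pi.sri)
    "include_state_hash": True,   # Include State Hash in ID Token (s_hash)
    "include_x5t": True,          # Include X.509 Thumbprint Header in ID Token
    "typ": "JWT",                 # ID Token Type (TYP) Header Value; "" omits the header
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def state_hash(state: str, alg: str = "RS256") -> str:
    """s_hash (FAPI Part 2, same rule as c_hash/at_hash in OIDC Core): hash the ASCII
    state with the hash behind the JWS alg (RS256 -> SHA-256), keep the left half,
    base64url-encode it."""
    bits = int(alg[2:])
    digest = hashlib.new(f"sha{bits}", state.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def x509_thumbprint(cert_der: bytes) -> str:
    """x5t header value: base64url of the SHA-1 of the DER-encoded certificate (RFC 7515 4.1.7)."""
    return b64url(hashlib.sha1(cert_der).digest())


def issue_id_token(policy: dict, state: str, cert_der: bytes, now: int, alg: str = "HS256") -> str:
    """Constructed issuer: builds the token the policy settings above would produce."""
    header = {"alg": alg}
    if policy["typ"]:
        header["typ"] = policy["typ"]
    if policy["include_x5t"]:
        header["x5t"] = x509_thumbprint(cert_der)
    claims = {"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID,
              "iat": now, "exp": now + policy["lifetime_minutes"] * 60}
    if policy["include_session_id"]:
        claims["pi.sri"] = "constructed-session-id"
    if policy["include_state_hash"]:
        claims["s_hash"] = state_hash(state, alg)
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_id_token(token: str, policy: dict, state: str, cert_der: bytes, now: int) -> dict:
    """Relying-party checks that correspond to the policy settings. Returns the claims
    on success and raises ValueError on any failed check."""
    h64, c64, s64 = token.split(".")
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "HS256":            # pin the algorithm before trusting anything
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h64}.{c64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c64))
    # typ: media type names are case-insensitive, so compare case-insensitively.
    if policy["typ"] and header.get("typ", "").upper() != policy["typ"].upper():
        raise ValueError("unexpected typ header")
    if policy["include_x5t"] and header.get("x5t") != x509_thumbprint(cert_der):
        raise ValueError("x5t does not match the expected signing certificate")
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("issuer or audience mismatch")
    if not claims["iat"] <= now < claims["exp"]:
        raise ValueError("token expired or not yet valid")
    if claims["exp"] - claims["iat"] > policy["lifetime_minutes"] * 60:
        raise ValueError("token lifetime exceeds the policy's ID Token Lifetime")
    # s_hash binds the token to the state this RP sent in its authorization request.
    if policy["include_state_hash"] and not hmac.compare_digest(
            claims.get("s_hash", ""), state_hash(state, header["alg"])):
        raise ValueError("s_hash does not match the state we sent")
    if policy["include_session_id"] and "pi.sri" not in claims:
        raise ValueError("session identifier (pi.sri) missing")
    return claims


def rejects(token: str, policy: dict, state: str, cert_der: bytes, now: int) -> bool:
    """True if verify_id_token rejects the token (used to show failure cases)."""
    try:
        verify_id_token(token, policy, state, cert_der, now)
        return False
    except ValueError:
        return True
```

Running `issue_id_token` and then `verify_id_token` with the same state and certificate succeeds; changing the state, presenting the token after the 5-minute lifetime, or issuing it under a policy with a different typ value makes `verify_id_token` raise. The x5t check is only meaningful when static signing keys are enabled on the server, as step 9 notes, since the thumbprint has to be compared against a certificate the relying party already trusts.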