---
title: Configure CIMD policies
description: On the CIMD Policies page, configure the rules that determine which URLs from the CIMD request's client_id PingFederate accepts and which default settings PingFederate applies to CIMD clients created by that policy.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:pf_configuring_CIMD_policies
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_configuring_CIMD_policies.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: June 22, 2026
section_ids:
  steps: Steps
  general-info: General Info
  oauth-settings: OAuth settings
  token-manager-grant-and-session-settings: Token manager, grant, and session settings
  demonstrate-proof-of-possession-dpop-settings: Demonstrate Proof of Possession (DPoP) settings
  device-authorization-grant-settings: Device authorization grant settings
  client-initiated-backchannel-authentication-ciba-settings: Client Initiated Backchannel Authentication (CIBA) settings
  token-exchange-settings: Token exchange settings
  advanced-settings: Advanced settings
  result: Result
---

# Configure CIMD policies

On the **CIMD Policies** page, configure the rules that determine which URLs from the CIMD request's `client_id` PingFederate accepts and which default settings PingFederate applies to CIMD clients created by that policy.

## Steps

1. In the PingFederate admin console, go to **System > OAuth Settings > CIMD Policies**.

2. Click **Add CIMD Policy**.

## General Info

1. (Required) In the **ID** field, enter a unique identifier for the CIMD policy.

2. (Required) In the **Name** field, enter a descriptive name for the CIMD policy.

3. In the **Description** field, enter a description for the policy.

4. (Required) In the **Metadata URL** field, enter the URL pattern that PingFederate uses to determine whether the policy applies to an incoming CIMD request.

   * Use restrictive patterns whenever possible.

   * The metadata URL pattern supports wildcard characters (`*`).

   * The input must include a valid protocol scheme and host before a wildcard can be used.

     > **Note:** If an incoming `client_id` value does not match any enabled CIMD policy, PingFederate rejects the request.

5. Select the **Allow Loopback Redirect URIs** checkbox to allow PingFederate to resolve CIMD clients created by this CIMD policy when they use loopback redirect URIs, such as `localhost`, `127.0.0.1`, or `::1`. Select it only when your use case requires loopback redirect URIs.

   > **Note:** PingFederate blocks loopback redirect URIs and metadata locations by default to help protect against server-side request forgery (SSRF). Enable this setting only when necessary. If this checkbox is selected and the redirect URI is a loopback address, PingFederate does not perform the same-origin check between the redirect URI and the `client_id`. To allow metadata locations that contain a loopback address, PingFederate must also be running on a loopback address, and the resolved address must match the same loopback interface.

6. Select the **Replay Prevention** checkbox to require replay-prevention handling for supported signed request processing in CIMD clients created by this CIMD policy.

7. In the **Issuer** list, select an issuer when your deployment requires issuer-specific behavior for CIMD clients created by this CIMD policy.

8. In the **Tags** list, click **Selected Tags**. In the **Tags Selection** window, move the tags to apply from **Available Tags** to **Selected Tags**. Click **Done**.

   Learn more in [Tag Management](pf_tag_management.html).

> **Note:** In the following settings sections, when you select **Use Global Setting**, PingFederate uses the corresponding global value configured on the [Authorization Server Settings](help_authorizationserversettingstasklet_oauthauthorizationserversettingsstate.html) page, unless otherwise noted.

## OAuth settings

These settings work like the corresponding settings on the [Configuring OAuth clients](pf_configuring_oauth_clients.html) page. For CIMD, PingFederate applies them as defaults for dynamically created clients rather than to manually registered clients.

1. For **Require Scope=Offline\_Access to Issue Refresh Tokens**, select whether to require the authorization server to issue refresh tokens when the `offline_access` scope is requested.

   Select one of the following:

   * **Use Global Setting** is the default.

   * **Yes** requires the authorization server to issue refresh tokens and opens the **Offline\_Access Require Consent Prompt** dialog.

   * **No** doesn't require the authorization server to issue refresh tokens.

2. If you selected **Yes**, in the **Offline\_Access Require Consent Prompt** dialog, select whether to require the `prompt` parameter to be set to `consent` when the `offline_access` scope is requested.

   * **Use Global Setting** is the default.

   * **Yes** requires the consent prompt.

   * **No** doesn't require the consent prompt.

3. In the **ID Token Signing Algorithm** list, select the algorithm that PingFederate uses to sign ID tokens for CIMD clients created by this CIMD policy.

4. In the **OpenID Connect Policy** list, select a policy to apply to CIMD clients created by this CIMD policy.

   Learn more in [Configuring OpenID Connect policies](pf_configuring_oidc_policies.html).

5. Select the **Require Proof Key for Code Exchange (PKCE)** checkbox to require CIMD clients created by this CIMD policy to use PKCE.

6. Select the **Require JWT Secured Authorization Response Mode (JARM)** checkbox to require CIMD clients created by this CIMD policy to use JARM.

   JARM enhances the security of the authorization response by supporting signing and encryption. Learn more in the [JARM specification](https://openid.net/specs/openid-financial-api-jarm.html).

7. Select the **Require Signed Requests** checkbox to require CIMD clients created by this CIMD policy to transmit request parameters in a signed request object.

   Learn more about shared OAuth client request-object settings in [Configuring OAuth clients](pf_configuring_oauth_clients.html).

## Token manager, grant, and session settings

1. In the **Default Access Token Manager** list, select the access token manager to use for CIMD clients created by this CIMD policy.

2. Select the **Restrict to Default Access Token Manager** checkbox to restrict CIMD clients created by this CIMD policy to using only the selected access token manager.

3. For **Persistent Grants Max Lifetime**, choose one of the following:

   * **Use Global Setting** is the default.

   * **Grants Do Not Expire** allows persistent grants to remain valid until they are revoked or removed.

   * Enter an integer in the field and select a time unit to define the lifetime of persistent grants.

4. For **Persistent Grants Idle Timeout**, choose one of the following:

   * **Use Global Setting** is the default.

   * **Grants Do Not Timeout Due To Inactivity** allows persistent grants to remain valid until they are revoked, removed, or expire for another reason.

   * Enter an integer in the field and select a time unit to define how long persistent grants can remain inactive before they time out.

5. For **Refresh Token Rolling Policy**, choose one of the following:

   * **Use Global Setting** is the default.

   * **Don't Roll** continues using the current refresh token until it becomes invalid.

   * **Roll** generates a new refresh token when a new access token is issued.

6. For **Refresh Token Rolling Interval**, choose one of the following:

   * **Use Global Setting** is the default.

   * Enter an integer in the field and select a time unit to define the minimum time that must pass before a new refresh token can be issued.

7. For **Refresh Token Rolling Grace Period (Seconds)**, choose one of the following:

   * **Use Global Setting** is the default.

   * Enter an integer in the field to define how long a rolled refresh token remains valid if the client does not receive the updated refresh token.

## Demonstrate Proof of Possession (DPoP) settings

1. For **Require DPoP JWT Nonce**, choose one of the following:

   * **Use Global Setting** is the default.

   * **Yes** requires a nonce in the DPoP JWT.

   * **No** does not require a nonce in the DPoP JWT.

2. For **DPoP JWT Lifetime (Seconds)**, choose **Use Global Setting** or enter the lifetime of the DPoP JWT in seconds.

3. For **Enforce DPoP JWT Replay Prevention**, choose one of the following:

   * **Use Global Setting** is the default.

   * **Yes** requires a unique signed DPoP JWT for each request.

   * **No** does not require a unique signed DPoP JWT for each request.

## Device authorization grant settings

1. For **Device Authorization Grant**, select **Use Global Setting** to use the corresponding global setting, or select **Override** to configure the settings in the next step.

2. If **Device Authorization Grant** is set to **Override**, configure the following settings:

   * In the **User Authorization URL** field, enter the URL for device user authorization used by CIMD clients created by this CIMD policy.

   * In the **Pending Authorization Timeout (Seconds)** field, enter the maximum time that a device authorization request can remain pending.

   * In the **Device Polling Interval (Seconds)** field, enter how often a device polls for authorization status.

   * Select the **Bypass Activation Code Confirmation** checkbox to allow CIMD clients created by this CIMD policy to bypass activation code confirmation.

## Client Initiated Backchannel Authentication (CIBA) settings

1. In the **Polling Interval (Seconds)** field, enter how often a CIMD client created by this CIMD policy can poll for a CIBA result.

2. In the **CIBA Request Policy** list, select the request policy to apply to CIMD clients created by this CIMD policy.

   Learn more in [Client Initiated Backchannel Authentication (CIBA)](pf_ciba.html).

3. Select the **Require CIBA Signed Requests** checkbox to require CIMD clients created by this CIMD policy to sign CIBA requests.

## Token exchange settings

1. In the **Token Exchange Processor Policy** list, select the token exchange processor policy to apply to CIMD clients created by this CIMD policy.

## Advanced settings

1. For **Malicious Actions Count For Lockout**, choose one of the following:

   * **Use Global Setting** uses the global lockout setting. You can configure the global setting using the `MaxMaliciousActions` parameter in the `<pingfed-install>/pingfederate/server/default/data/config-store/com.pingidentity.common.security.AccountLockingService.xml` file.

   * **Do Not Lockout** disables lockout for malicious actions.

   * Enter an integer in the field to define the number of malicious actions that PingFederate allows before it locks out the client.

2. When you are done configuring the policy, click **Save**.

## Result

PingFederate uses the enabled CIMD policy whose metadata URL best matches the incoming `client_id` to determine whether the request is allowed. It then applies that policy's default OAuth client settings to the CIMD client created for the request. If no enabled CIMD policy matches the incoming `client_id`, PingFederate rejects the request.
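The policy resolution that the **Metadata URL** pattern rules (General Info, step 4), the loopback note (step 5), and this Result section describe, written here as an added illustrative model in Python; it is not PingFederate's own code. It assumes that the best match is the enabled policy with the longest literal text before its first wildcard, that a valid pattern must carry an `https` scheme and a host before any wildcard, and it uses constructed sample policies with hypothetical ids.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample policies; the ids and URL patterns are hypothetical.
POLICIES = [
    {"id": "apps-all", "enabled": True, "allow_loopback": False, "metadata_url": "https://apps.example.com/*"},
    {"id": "apps-cli", "enabled": True, "allow_loopback": True, "metadata_url": "https://apps.example.com/cli/*"},
    {"id": "apps-old", "enabled": False, "allow_loopback": True, "metadata_url": "https://apps.example.com/cli/legacy*"},
]

def is_valid_pattern(pattern: str) -> bool:
    """Require a scheme and host in the literal text before the first '*'.
    Assumption: the scheme must be https, since CIMD client_id values are HTTPS URLs."""
    parsed = urlparse(pattern.split("*", 1)[0])
    return parsed.scheme == "https" and bool(parsed.hostname)

def matches(pattern: str, client_id: str) -> bool:
    """Wildcard match: each '*' may span any characters, '/' included."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, client_id) is not None

def resolve_policy(client_id: str, policies=POLICIES):
    """Return the enabled policy that best matches client_id, or None (reject).
    Assumption: 'best' means the longest literal prefix before the first '*'."""
    candidates = [p for p in policies if p["enabled"]
                  and is_valid_pattern(p["metadata_url"])
                  and matches(p["metadata_url"], client_id)]
    if not candidates:
        return None
    return max(candidates, key=lambda p: len(p["metadata_url"].split("*", 1)[0]))

def is_loopback(host) -> bool:
    """True for localhost, 127.0.0.0/8 and ::1; False for any other or missing host."""
    if host == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False

def redirect_uri_allowed(client_id: str, redirect_uri: str, policy) -> bool:
    """Block loopback redirect URIs unless the policy allows them; when allowed,
    skip the same-origin check against client_id, as the page's note describes."""
    ru = urlparse(redirect_uri)
    if is_loopback(ru.hostname):
        return policy["allow_loopback"]
    cid = urlparse(client_id)
    return (cid.scheme, cid.hostname, cid.port) == (ru.scheme, ru.hostname, ru.port)
```

A disabled policy never wins even when its pattern is the most specific, and a `client_id` that matches no enabled pattern resolves to `None`, which mirrors the rejection described above.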
