PingFederate Server

Configuring policy and ID token settings

Configure your OpenID Connect (OIDC) policy settings and the required and optional information for ID tokens.

Steps

  1. Go to Applications > OAuth > OpenID Connect Policy Management.

  2. Click Add Policy.

  3. Configure an OIDC policy.

    The following table describes the setting options:

    Setting Description

    Policy ID

    The ID of the policy.

    Name

    A friendly name for the policy.

    Access Token Manager

    Select an access token manager instance.

    Learn more about creating an access token manager in Configuring an access token management instance.

    ID Token Lifetime

    Enter a lifetime duration for the ID token, in minutes.

    The default value is 5 minutes.

    Include Session Identifier in ID Token

    Select to add a session identifier (pi.sri) in the ID tokens.

    This can be useful to relying parties, such as PingAccess, for client session management.

    Include User Info in ID Token

    Select to include additional attributes in the ID tokens.

    OAuth clients can also obtain additional attributes from the UserInfo endpoint at /idp/userinfo.openid. For more information, see UserInfo endpoint.

    Include State Hash in ID Token

    Select to include the s_hash claim in ID tokens.

    A state hash protects the state parameter by binding it to the ID token. For more information, see Financial Services – Financial API - Part 2: Read and Write API Security Profile.

    Include X.509 Thumbprint Header in ID Token

    Select to include the x5t header parameter for the token.

    The X.509 thumbprint (x5t) is only included in the ID Token header when static keys are enabled. For more information, see Configuring static signing keys.

    ID Token Type (TYP) Header Value

    Enter the token type.

    This field sets the value of the Type (typ) header in the JSON Web Token (JWT). If you leave the field empty, the typ header is omitted.

    Use JWT in the ID Token Type (TYP) Header Value field to indicate that the object is a JWT. For compatibility with older implementations, it’s best to always spell JWT in uppercase, even though media type names are not case-sensitive.

    Return ID Token On Refresh Grant

    Select to return an ID token to OIDC relying parties, such as Salesforce and Kubernetes, when the OAuth access token is refreshed.

    Return ID Token on Token Exchange Grant

    Select to return an ID token with an OAuth token exchange grant.

    An ID Token is issued with an access token if the following conditions are met:

    • Return ID Token on Token Exchange Grant is selected

    • The client allows the openid scope

    • The openid scope is requested

    • The requested token type is either an access token or not provided

    Reissue ID Token In Hybrid Flow

    Select to issue a new ID token at the token endpoint that is different from the first ID token issued for an authorization endpoint request.

    This applies only to OpenID Connect hybrid flows. Learn more about hybrid flows in the Protocol Elements section of the OpenID Connect Basic Client Implementer’s Guide.

    Learn more about modifying the personally identifiable information (PII) in the ID token in Configuring ID token fulfillment.

  4. Click Next.
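The settings above shape what a relying party receives: a typ header, an exp claim derived from the ID Token Lifetime, an s_hash bound to the state parameter, and optionally a pi.sri session identifier. The following Python example, added here and not part of the PingFederate documentation or product, shows the relying-party side of those settings: it mints a constructed HS256 ID token carrying those fields (standing in for a PingFederate-issued token) and then validates it. The issuer URL, client ID, HMAC key, and session reference value are constructed placeholders. The s_hash computation follows the FAPI Part 2 rule: hash the ASCII state with the algorithm matching the token's alg header, keep the left-most half, and base64url-encode it without padding.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders standing in for the PingFederate issuer, the RP, and a signing key.
ISSUER = "https://pf.example.com"
CLIENT_ID = "demo-rp"
DEMO_KEY = b"constructed-demo-hmac-key-not-for-production"
ID_TOKEN_LIFETIME_MIN = 5  # the page's default ID Token Lifetime

# Hash used for s_hash (and at_hash/c_hash) is tied to the token's JWS alg.
HASH_FOR_ALG = {"HS256": "sha256", "RS256": "sha256", "ES256": "sha256",
                "HS384": "sha384", "RS384": "sha384", "ES384": "sha384",
                "HS512": "sha512", "RS512": "sha512", "ES512": "sha512"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def state_hash(state: str, alg: str) -> str:
    """s_hash: base64url of the left-most half of hash(ASCII(state)), hash chosen by alg."""
    digest = hashlib.new(HASH_FOR_ALG[alg], state.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def mint_id_token(claims: dict, header: dict, key: bytes = DEMO_KEY) -> str:
    """Constructed HS256 signer; a real issuer would use its RSA/EC signing key."""
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def build_demo_token(state: str, issued_at: int, typ="JWT", include_sri=True) -> str:
    """Build a token shaped like the policy settings on this page would produce."""
    header = {"alg": "HS256", "kid": "demo-key"}  # x5t would sit here when static keys are enabled
    if typ is not None:                            # empty TYP field -> no typ header
        header["typ"] = typ
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user123",
              "iat": issued_at, "exp": issued_at + ID_TOKEN_LIFETIME_MIN * 60,
              "s_hash": state_hash(state, header["alg"])}
    if include_sri:                                # Include Session Identifier in ID Token
        claims["pi.sri"] = "constructed-session-ref"
    return mint_id_token(claims, header)


def verify_id_token(token: str, key: bytes, expected_state: str,
                    require_session_id: bool = False, now=None):
    """Return (ok, reason) after checking signature, typ, iss/aud, exp, s_hash, and pi.sri."""
    now = time.time() if now is None else now
    try:
        h_b64, c_b64, s_b64 = token.split(".")
    except ValueError:
        return False, "malformed token"
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "HS256":               # pin the expected alg; rejects "none"
        return False, "unexpected alg"
    expected_sig = hmac.new(key, f"{h_b64}.{c_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(s_b64)):
        return False, "bad signature"
    # Media type names are case-insensitive, so accept "jwt" as well as the recommended "JWT".
    if str(header.get("typ", "")).upper() != "JWT":
        return False, "typ header missing or not JWT"
    claims = json.loads(b64url_decode(c_b64))
    if claims.get("iss") != ISSUER:
        return False, "issuer mismatch"
    if claims.get("aud") != CLIENT_ID:
        return False, "audience mismatch"
    if now >= claims.get("exp", 0):
        return False, "expired"
    if "s_hash" not in claims:
        return False, "s_hash missing"
    if not hmac.compare_digest(claims["s_hash"], state_hash(expected_state, header["alg"])):
        return False, "s_hash mismatch"
    if require_session_id and "pi.sri" not in claims:
        return False, "pi.sri missing"
    return True, "ok"


if __name__ == "__main__":
    t0 = int(time.time())
    tok = build_demo_token("abc123", t0)
    print(verify_id_token(tok, DEMO_KEY, "abc123", require_session_id=True))
    print(verify_id_token(tok, DEMO_KEY, "tampered-state"))
```

Binding the ID token to the RP's own stored state through s_hash is what makes a swapped or replayed authorization response detectable; the signature check must come before any claim is trusted, and the alg is pinned rather than read from the token so an attacker-chosen header cannot downgrade verification.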