On the Manage Policy screen, enter the required information and configure optional settings for ID tokens issued under this policy.

  1. Enter the policy identifier in the Policy ID field.
  2. Enter the policy name in the Name field.
  3. Select an access token management instance from the Access Token Manager list.
  4. Optional: Define the expiry information (in minutes) for ID tokens issued based on this policy in the ID Token Lifetime field.

    The default value is 5 (minutes).

  5. Optional: Select the Include Session Identifier in ID Token check box to add a session identifier (pi.sri) in the ID tokens.
  6. Optional: Select the Include User Info in ID Token check box to include additional attributes in the ID tokens.

    Alternatively, OAuth clients can obtain additional attributes from the UserInfo endpoint at /idp/userinfo.openid (see UserInfo endpoint).

  7. Optional: Select the Include State Hash in ID Token check box to include the s_hash claim in ID tokens.

    A state hash protects the state parameter by binding it to the ID token. For more information, refer to Financial Services – Financial API - Part 2: Read and Write API Security Profile from OpenID Foundation (openid.net/specs/openid-financial-api-part-2.html).

  8. Optional: Select the Return ID Token On Refresh Grant checkbox to return an ID token for OpenID Connect to Salesforce and Kubernetes when the OAuth access token is refreshed.