1. Go to Applications > OAuth > OpenID Connect Policy Management and click Add Policy.
  2. In the Policy ID field, enter the policy identifier.
  3. In the Name field, enter the policy name.
  4. In the Access Token Manager list, select an access token management instance.
  5. Optional: In the ID Token Lifetime field, enter, in minutes, how long ID tokens issued under this policy remain valid.

    The default value is 5 minutes.

  6. Optional: Select the Include Session Identifier in ID Token check box to add a session identifier claim (pi.sri) to the ID tokens.
    This is useful for relying parties, such as PingAccess, that use the session identifier for client session management.
  7. Optional: Select the Include User Info in ID Token check box to include additional attributes in the ID tokens.

    OAuth clients can also obtain additional attributes from the UserInfo endpoint at /idp/userinfo.openid. For more information, see UserInfo endpoint.

  8. Optional: Select the Include State Hash in ID Token check box to include the s_hash claim in ID tokens.

    A state hash protects the state parameter by binding it to the ID token. For more information, see Financial Services – Financial API - Part 2: Read and Write API Security Profile.

  9. Optional: Select the Return ID Token On Refresh Grant check box to return a new ID token together with the refreshed OAuth access token, for OpenID Connect relying parties, such as Salesforce and Kubernetes, that need a fresh ID token on refresh.
    The reissued ID token describes the same authenticated session as the original; its iss, sub, and aud claims must match those of the original ID token (OpenID Connect Core 1.0, section 12.2).
  10. Optional: Select the Reissue ID Token In Hybrid Flow check box to issue, at the token endpoint, a new ID token that differs from the ID token already returned from the authorization endpoint for the same request.
    This applies only to OpenID Connect hybrid flows. For more information about hybrid flows, see Protocol Elements in the OpenID Connect Basic Client Implementer's Guide.

    To modify the personally identifiable information (PII) in the ID token, see Configuring ID token fulfillment.
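The options in this procedure each change what a relying party receives in the ID token and therefore what it should check. The following is an added example, not code from the page or from PingFederate, showing the relying-party side of those checks: it verifies the signature, enforces the expected issuer and audience, bounds the token lifetime against the policy's ID Token Lifetime, compares the s_hash claim to the state the client sent (computed as FAPI Part 2 defines it), requires the pi.sri session identifier when the client depends on it, and confirms that an ID token reissued on a refresh grant or in the hybrid flow keeps the iss, sub, and aud of the original. The HS256 key, issuer URL, client_id, state value and claim values are all constructed for this example; a real deployment validates against the key and algorithm of the access token manager selected in step 4.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical values for this example only: a shared HS256 key standing in for
# the signing configuration of the access token manager, and the issuer and
# client_id the relying party expects. None of these come from the page.
TEST_KEY = b"example-hs256-key-not-for-production"
EXPECTED_ISSUER = "https://sso.example.com"
EXPECTED_CLIENT_ID = "rp-client"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def state_hash(state: str) -> str:
    """s_hash as FAPI Part 2 defines it: base64url of the left-most half of the
    hash of the ASCII state value, using the hash function of the ID token's
    alg (SHA-256 for HS256, so the left-most 16 bytes)."""
    digest = hashlib.sha256(state.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def mint_id_token(claims: dict, key: bytes = TEST_KEY) -> str:
    """Sign a claims set as an HS256 JWT. Stands in for the provider here so the
    example runs offline; it is not how PingFederate issues tokens."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def validate_id_token(token, *, now, state=None, key=TEST_KEY,
                      max_lifetime_seconds=300, require_session_id=False,
                      previous_claims=None):
    """Return a list of validation failures; an empty list means the token is
    acceptable. Each optional argument corresponds to one policy option above."""
    problems = []
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:
        return ["token is not a well-formed compact JWT"]

    # Signature first: nothing in the payload is trustworthy before this passes.
    if header.get("alg") != "HS256":
        return [f"unexpected alg {header.get('alg')!r}"]
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return ["signature does not verify"]

    if claims.get("iss") != EXPECTED_ISSUER:
        problems.append("iss mismatch")
    aud = claims.get("aud")
    if EXPECTED_CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain this client_id")

    # ID Token Lifetime (step 5): reject expired tokens and tokens that outlive
    # the lifetime this relying party is prepared to accept.
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or not isinstance(iat, int):
        problems.append("exp/iat missing or not numeric")
    else:
        if now >= exp:
            problems.append("token expired")
        if exp - iat > max_lifetime_seconds:
            problems.append(f"lifetime {exp - iat}s exceeds {max_lifetime_seconds}s")

    # Include State Hash (step 8): s_hash must match the state this client sent.
    if state is not None and claims.get("s_hash") != state_hash(state):
        problems.append("s_hash does not match the state parameter")

    # Include Session Identifier (step 6): a client that keys sessions on pi.sri
    # should refuse tokens without it.
    if require_session_id and not claims.get("pi.sri"):
        problems.append("pi.sri missing")

    # Return ID Token On Refresh Grant (step 9) / Reissue ID Token In Hybrid
    # Flow (step 10): a later ID token for the same session must keep iss, sub
    # and aud (OpenID Connect Core 1.0, sections 12.2 and 3.3.3.6).
    if previous_claims is not None:
        for name in ("iss", "sub", "aud"):
            if claims.get(name) != previous_claims.get(name):
                problems.append(f"{name} changed between the original and the reissued ID token")

    return problems


if __name__ == "__main__":
    now = int(time.time())
    state = "af0ifjsldkj"  # constructed state value from a hypothetical authorization request
    original = {"iss": EXPECTED_ISSUER, "sub": "alice", "aud": EXPECTED_CLIENT_ID,
                "iat": now, "exp": now + 300, "s_hash": state_hash(state),
                "pi.sri": "c2Vzc2lvbi0x"}
    token = mint_id_token(original)
    print("fresh token:", validate_id_token(token, now=now + 30, state=state, require_session_id=True))
    print("wrong state:", validate_id_token(token, now=now + 30, state="tampered"))
    refreshed = mint_id_token({**original, "sub": "mallory", "iat": now + 200, "exp": now + 500})
    print("refreshed token with changed sub:",
          validate_id_token(refreshed, now=now + 210, previous_claims=original))
```

Pass the claims of the ID token obtained at the authorization endpoint as previous_claims when checking the one returned by the token endpoint (hybrid flow) or by a refresh grant; pass the client's stored state only when validating the token from the front-channel response, since a refresh response carries no state to bind.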