Page created: 16 Jul 2021 |
Page updated: 18 May 2022
Configure your OpenID Connect policy settings and the required and optional information for ID tokens.
- Go to Add Policy. and click
- In the Policy ID field, enter the policy identifier.
- In the Name field, enter the policy name.
- In the Access Token Manager list, select an access token management instance.
In minutes, define the expiry information for ID tokens issued based on this policy
in the ID Token Lifetime field.
The default value is
Select the Include Session Identifier in ID Token check box
to add a session identifier (pi.sri) in the ID tokens.
Doing this might be useful for the relying parties, such as PingAccess, for client session management.
Select the Include User Info in ID Token check box to
include additional attributes in the ID tokens.
OAuth clients can also obtain additional attributes from the UserInfo endpoint at /idp/userinfo.openid. For more information, see UserInfo endpoint.
Select the Include State Hash in ID Token check box to
include the s_hash claim in ID tokens.
A state hash protects the state parameter by binding it to the ID token. For more information, see Financial Services – Financial API - Part 2: Read and Write API Security Profile.
- Optional: Select the Return ID Token On Refresh Grant check box to return an ID token for OpenID Connect to Salesforce and Kubernetes when the OAuth access token is refreshed.
Select the Reissue ID Token In Hybrid Flow check box to
issue a new ID token at the token endpoint that is different from the first ID token
issued for an authorization endpoint request.
This is applicable only for OpenID Connect hybrid flows. For more information about hybrid flows, see Protocol Elements in the OpenID Connect Basic Client Implementer's Guide.Tip:
To modify the personally identifiable information (PII) in the ID token, see Configuring ID token fulfillment.