1. Go to Applications > OAuth > OpenID Connect Policy Management.
  2. Click Add Policy.
  3. On the Manage Policy tab:
    1. In the Policy ID field, enter the policy identifier.
    2. In the Name field, enter the policy name.
    3. In the Access Token Manager menu, select your JWT access token manager.
    4. Click Next.
  4. On the Attribute Contract tab, add the admin_role, iss, and memberOf attribute contracts.
    1. In the Extend the Contract field, enter admin_role, and click Add.
    2. Repeat step a. to add the iss and memberOf attributes.
    3. Click the Edit action for admin_role. Select the Override Default Delivery and ID Token check boxes, then click the Update action.
    4. Repeat step c for iss, selecting the ID Token check box, and for memberOf, selecting the UserInfo check box.
      SCreen capture of the Attribute Contract tab, on which you extend the contract to include the admin_role, iss, and memberOf attributes.
    5. Click Next.
  5. On the Attribute Scopes tab, add the admin_role and iss attributes to the openid scope and the memberOf attribute to the profile scope.
    Screen capture of the Attribute Scopes tab, on which you add the admin_role and iss attributes to the openid scope and the memberOf attribute to the profile scope.
    1. In the Scope menu, select openid. Select the admin_role attribute's check box, and click Add. The iss attribute should already be selected.
    2. In the Scope menu, select profile. Select the memberOf attribute's check box, and click Add.
    3. Click Next.
  6. On the Attribute Sources & User Lookup tab, click Next.
  7. On the Contract Fulfillment tab, select a Source and a Value to map into the admin_role, iss, memberOf, and sub items in the Attribute Contract list.
    Screen capture of the Contract Fulfillment tab, on which you select a source and a value for the admin_role, iss, memberOf, and sub attributes.
    1. For the admin_role attribute contract, select Access Token in the Source menu and admin_role in the Value menu.
    2. For the iss attribute contract, select Access Token in the Source menu and iss in the Value menu.
    3. For the memberOf attribute contract, select Access Token in the Source menu and memberOf in the Value menu.
    4. For the sub attribute contract, select Access Token in the Source menu and sub in the Value menu.
    5. Click Next.
  8. On the Issuance Criteria tab, click Next.
  9. On the Summary tab, review your configuration. Click Save.