OpenID Policy Configuration
Complete the following steps to enable and configure OpenID Connect on your PingFederate server.
1. Log in to the PingFederate administration application.
2. Select Applications from the navigation pane.
3. Select OpenID Connect Policy Management.
4. Add a new policy.
5. Specify the following values on the Manage Policy tab:
| Setting | Value |
| --- | --- |
| POLICY ID | Enter a valid policy identifier. |
| NAME | Provide a descriptive name. |
| ACCESS TOKEN MANAGER | Select the access token manager that was created when configuring PingFederate for ThingWorx. |
| ID TOKEN LIFETIME | Accept the default value (5 minutes). |
6. On the Attribute Contract tab, accept the default or configure the list of attributes in the Extend the Contract section.
   Note: The Experience Service does not use any attributes that are specified in the Extend the Contract section. Therefore, you can configure this section however you see fit for your circumstances.
7. Accept the default on the Attribute Scopes tab.
8. Accept the default on the Attribute Sources & User Lookup tab, as no attribute sources are required.
9. On the Contract Fulfillment tab, configure the sub attribute contract as follows:
   Set Source to Access Token.
   Set Value to Username.
   Note: If you already have an OpenID Connect Policy configured, you’ll need to note the Value that has been configured for sub.
   Note: The Experience Service only uses the sub attribute. Therefore, you are free to configure the other attributes in a way that is appropriate for your circumstances.
10. No criteria are required on the Issuance Criteria tab. You can accept the defaults.
11. Review the configuration on the Summary tab, and click Done to create the policy.
12. Now, you’ll configure scopes.
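Once the policy from steps 1 to 11 is saved, its settings can be checked against an ID token issued under it: sub should carry the username (step 9) and the token should be valid for 5 minutes (step 5). The Python script below is an added example, not part of the original documentation; it assumes the lifetime setting shows up as exp minus iat, decodes the payload for inspection only without verifying the signature, and uses constructed sample tokens and a hypothetical username (jsmith).

```python
import base64
import json

EXPECTED_LIFETIME_S = 5 * 60  # ID TOKEN LIFETIME default from step 5


def decode_claims(id_token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_policy(id_token: str, expected_username: str) -> list:
    """Return a list of mismatches between the token and the policy settings."""
    claims = decode_claims(id_token)
    problems = []
    sub = claims.get("sub")
    if not sub:
        problems.append("sub claim missing: check the Contract Fulfillment tab")
    elif sub != expected_username:
        problems.append(f"sub is {sub!r}, expected username {expected_username!r}")
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, (int, float)) or not isinstance(exp, (int, float)):
        problems.append("iat/exp missing or not numeric")
    elif exp - iat != EXPECTED_LIFETIME_S:
        problems.append(f"lifetime is {exp - iat}s, expected {EXPECTED_LIFETIME_S}s")
    return problems


def _make_sample(claims: dict) -> str:
    """Build a constructed token for the demo (not a real PingFederate token)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature"


# Constructed samples: GOOD matches the policy, BAD has an opaque sub and a 1 hour lifetime.
GOOD = _make_sample({"sub": "jsmith", "iat": 1700000000, "exp": 1700000300})
BAD = _make_sample({"sub": "8f3c-opaque-id", "iat": 1700000000, "exp": 1700003600})

if __name__ == "__main__":
    print("GOOD:", check_policy(GOOD, "jsmith") or "matches policy")
    for problem in check_policy(BAD, "jsmith"):
        print("BAD: ", problem)
```

To check a real token, pass its compact string and the username you signed in with to check_policy; signature validation against the PingFederate signing keys remains the job of the relying party.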