...
a. Authentication time REQUIRED claim in the id_token is REQUIRED: (require_auth_time) True/False
b. Maximum Authentication Age: If auth(default_time > max_auth_age then prompt user for interactive loginmax_age) Specifies that the End-User MUST be actively authenticated if the End-User was authenticated longer ago than the specified number of seconds. The max_age request parameter overrides this default value. If omitted, no default Maximum Authentication Age is specified.
c. A grant_type of refresh_token is prohibited in this profile. (This was in the GSA profile but, I can't think of a good reason to prohibit it.)
...