Pass the Ping Identity PingAM PT-AM-CPE Questions and answers with ExamsMirror

In PingAM 8.0.2, the OpenID Connect (OIDC) Claims Script is the specific extensibility point designed to govern how user information is mapped and transformed into claims within an OIDC ID token or the UserInfo response. While PingAM supports standard scopes like profile and email out of the box, specialized business requirements—such as including an "employee number" which might be stored as employeenumber in an LDAP directory—require a custom transformation.

According to the "OIDC Claims Script" reference in the PingAM documentation:

The script acts as a bridge between the Identity Store (the source of truth) and the OIDC Provider (the issuer). When a client requests a token, PingAM executes this script, providing it with a claimObjects map and the userProfile. The developer can then write Groovy or JavaScript logic to retrieve the employeeNumber attribute from the user's profile and add it to the resulting claims set.

The script typically follows this logical flow:

Identify the requested claims from the OIDC scope.

Fetch the corresponding raw attributes from the Identity Store (e.g., PingDS or AD).

Format and name the claim as per the OIDC specification or the specific client requirement (e.g., mapping LDAP employeenumber to OIDC claim emp_id).

Return the claims to be signed and embedded into the JWT.

Why other options are incorrect: Options A, C, and D reference script types that do not exist under those specific names in the standard PingAM 8.0.2 scripting engine. While there are "Access Token Modification" scripts and "Client Registration" scripts, theOIDC Claims Scriptis the only one authorized and designed to manage the payload of the id_token.

In a Cross-Domain Single Sign-On (CDSSO) environment, PingAM must manage session cookies across multiple distinct DNS domains.2 By default, a standard SSO token could potentially be stolen and reused by a malicious actor to gain access to other domains within the same realm.3 To mitigate this specific threat, PingAM 8.0.2 utilizes Restricted Tokens.4

According to the documentation on "Securing CDSSO session cookies," a restricted token is a unique SSO token issued for each specific application or policy agent after successful user authentication.5When CDSSO is active with cookie hijacking protection enabled, PingAM issues a "master" SSO token for the domain where AM resides and separaterestricted tokensfor the other fully qualified domain names (FQDNs) where web or Java agents are located.6

The restricted token is "restricted" because it is inextricably linked to the specific agent and application that initiated the redirection. Internally, AM stores a correlation between the master session and these restricted tokens.7If an attacker attempts to hijack a restricted token and use it to access a different application or a different domain, the AM server performs a validation check on the constraint associated with the token (such as the agent's DN or IP). If the request does not originate from the authorized entity, a security violation is triggered, and access is denied. This mechanism ensures that even if a cookie is stolen in one domain, its utility is confined strictly to that domain and cannot be used for "lateral movement" across the enterprise’s other protected resources. It is important to note that restricted tokens requireserver-side sessionsto function; they are not supported for client-side (JWT-based) sessions.8

Social Authentication in PingAM 8.0.2 allows users to log in using identities from external providers like Google, Apple, or LinkedIn. This process relies on PingAM acting as an OAuth2 Client or OpenID Connect Relying Party (RP) toward the social provider.

According to the PingAM "Social Authentication" and "Social Identity Provider Client Configuration" documentation, for PingAM to successfully hand off authentication to a social provider, you must configure anOAuth2 Client(specifically a Social Identity Provider client) within the PingAM realm. This configuration includes:

Client ID and Client Secret: Obtained from the social provider's developer console (e.g., Google Cloud Console).

Endpoints: The authorization, token, and UserInfo endpoints of the social provider.

Scopes: The permissions PingAM is requesting (e.g., openid, profile, email).

Once this "Social Client" is configured, it is used by aSocial Provider Handler node(or the legacy Social Authentication module) within an authentication tree. When the user clicks "Login with Google," PingAM uses these client credentials to initiate the OIDC flow with Google.

Why other options are not the primary requirement:

While aData Store (A)is eventually used to save the linked user profile, themechanismof social auth itself is driven by the OAuth2 client configuration.

A realm service (B)is too broad; while social auth is a service within a realm, the specific configuration object required is the client.

A realm policy (D)governs authorizationafterlogin, but does not enable the social login process itself. Therefore, theOAuth2 clientconfiguration is the technical prerequisite for establishing the trust relationship with the external provider.

In PingAM 8.0.2, Session Upgrade (often referred to as Step-up Authentication) is the process of increasing the "Authentication Level" (Auth Level) associated with a user's session.2 This is common when a user has logged in with a basic method (like username/password) but attempts to access a resource that requires a stronger method (like MFA).

Regarding the statements:

Statement A is correct: To upgrade a session, PingAM requires the user to satisfy the requirements of an authentication tree or module that has a higher Auth Level than the current session.3This technically involves a "re-authentication" event specifically for the higher-level requirement.

Statement B is correct: Crucially, the identity authenticated during the upgrade must match the identity of the existing session. If a different user attempts to authenticate during an upgrade process, PingAM will reject the upgrade to prevent session hijacking or identity swapping.4

Statement D is correct: Session upgrade is indeed the technical implementation of the industry-standard "step-up authentication" concept.

Statement C is incorrectbecause ForceAuth=true is not the only mechanism for a session upgrade. While ForceAuth=true (in SAML2 or OIDC) or the prompt=login parameter can force a fresh authentication, PingAM also supports upgrades viaPolicy Advice.5When a policy engine determines that a resource requires a higher Auth Level, it sends an "advice" to the client, triggering a session upgrade journey.6Additionally, authentication trees can be configured to perform upgrades natively using theSession Upgradeconfiguration in the realm settings. Therefore, since A, B, and D are technically accurate descriptions of the AM 8.0.2 lifecycle, Option C is the correct choice.

To facilitate federation between a SAML2 Identity Provider (IdP) and a Service Provider (SP), metadata must be exchanged. PingAM 8.0.2 provides a built-in utility page, exportmetadata.jsp, specifically for this purpose.

When an IdP is configured within asubrealm(rather than the Top Level Realm), the metadata export URL must be qualified with specific query parameters to ensure the correct entity configuration is retrieved. According to the "SAML 2.0 Reference" and "Exporting SAML 2.0 Metadata" documentation:

entityid: This parameter is mandatory when there are multiple entities configured. It specifies the unique URI of the IdP (e.g., http://myserver.domain.com:8080/openam). This tells the JSP which specific provider's metadata to generate.

realm: This parameter is crucial for subrealm deployments. By default, the JSP looks in the root realm (/). If the IdP resides in a subrealm named /idprealm, the URL must explicitly include &realm=/idprealm.

Option D is the correct technical string. Option B is incorrect as it lacks parameters and would only attempt to export default root-level metadata. Option C is incorrect because the parameter name is entityid, not idp. While Amster (Option A) can indeed be used to export configuration, the exportmetadata.jsp remains the standard and most common method for generating the XML-formatted metadata required by external partners.

In PingAM 8.0.2, the Intelligent Access engine (Authentication Trees) uses a specific data-passing mechanism to move information between individual nodes within a single journey. When a journey involves collecting context—such as device metadata (OS, version, screen resolution), location data (IP, geofencing), or risk signals—this information must be stored temporarily while the tree evaluates the next steps.

According to the "Authentication Node Development" and "Nodes and Trees" documentation, PingAM uses two primary transient storage objects during the authentication flow:

Shared State: This is the primary map used to share data between nodes in the same tree. Contextual data collected by nodes like theDevice Profile CollectororBrowser Capabilitiesnodes is stored here. It exists only for the duration of the authentication journey.

Transient State: Similar to shared state, but often used for sensitive data that should not be visible to certain types of nodes or scripts.

The documentation identifiesShared Node State(Option B) as the best practice for persisting collected contextduringthe tree process.

Session State(Option A) is only availableafterthe authentication is successful and a session has been created. It is not suitable for data needed by nodes within the tree to make a decision (like a risk engine node).

User Profile(Option C) is for long-term persistence (LDAP/PingDS). Storing transient device context there would cause unnecessary database write overhead and privacy concerns.

Browser Cookies(Option D) are limited in size and pose security risks if used to store raw device data that could be tampered with by the client.

Therefore, for real-time risk analysis within a journey, nodes write data to the shared state, where subsequent nodes (like aScripted Decision NodeorAdaptive Risk Node) can retrieve and analyze it.

In PingAM 8.0.2, troubleshooting complex issues often requires moving beyond audit logs to Debug Logs. These logs capture the internal operations of the AM engine and its various components (e.g., Authentication, Core Token Service, Session Management).7

According to the "Debug Logging" section of the PingAM 8.0.2 Maintenance Guide, the standard format for a debug log entry is designed to provide maximum context for support engineers and developers. A typical entry includes:

Time and Date Header: Precise timestamp of when the event occurred.

The Component (Category): Identifies which part of the code issued the message (e.g., amAuth, amSession, amOAuth2).

The Debug Level: Indicates the verbosity/severity, such as ERROR, WARNING, INFO, MESSAGE, or OFF.

The Thread ID: Crucial for multi-threaded environments like Tomcat, allowing administrators to trace a single user's request across multiple log entries.

The Message: A descriptive string explaining the internal operation or the error encountered.

Stack Trace: If the entry is recording an exception, a full Java stack trace is optionally included to pinpoint the exact line of code where the failure occurred.

Option A is the most complete and accurate representation of this structured output. Options B, C, and D are incorrect because they omit essential troubleshooting fields like theThread IDor theComponent name, which are necessary for correlating logs in a high-concurrency production environment. Understanding this structure is fundamental for any administrator using tools like ssoadm or the REST API to capture and analyze troubleshooting information.

In PingAM 8.0.2, the OAuth 2.0 Token Exchange (RFC 8693) implementation allows for complex identity delegation scenarios. The may_act claim is a specific claim used to indicate that one entity is authorized to act on behalf of another. When customizing the behavior of token exchange via the OAuth2 Token Exchange Script, developers interact with specific scriptable objects provided by the PingAM engine.

According to the "Scripting API" for OAuth2 and the "Token Exchange" developer guide, the requestedToken object is the primary interface used to modify the structure of the token being issued during the exchange. To insert the may_act claim, the API provides the addMayAct() method.

The may_act claim is technically a JSON object that contains a sub (subject) claim of the entity that is allowed to act as the subject of the token. In the scripting environment:

The requestedToken variable represents the token currently being minted.

The .addMayAct() method is the defined function signature to append this delegation metadata.

Why other options are incorrect:

Options A and D:The object name token is not the standard binding used for the target token in the Token Exchange script context; requestedToken is the correct binding.

Option C:The method name setMayAct is incorrect. The PingAM API uses the add prefix for these types of claims (similar to addActor), reflecting the underlying structure where these claims are added to the claim set of the JWT.

Using the correct syntax requestedToken.addMayAct(mayAct) ensures that the resulting Access Token or ID Token contains the correctly formatted delegation information required by resource servers to validate that the "Actor" has the permission to represent the "Subject."

In PingAM 8.0.2, the Default Failure Login URL is a global or realm-level configuration attribute that defines the fallback destination for a user whose authentication journey has ended unsuccessfully.

According to the "Core Authentication Attributes" documentation:

When an authentication tree or chain completes with a "Failure" outcome, PingAM needs to know where to send the user's browser. The logic follows a specific hierarchy:

If the initial request included a specific redirect parameter (like gotoOnFail), PingAM will use that.

If the authentication tree ends with aFailure URL node, the URL configured in that specific node will be used.

If no specific instructions are provided at the request or tree level, PingAM reverts to theDefault Failure Login URL.

This URL is typically configured to point back to the login page with an error flag (e.g., .../XUI/#login/&error=true) or to a custom help page where the user can find instructions on how to reset their password or contact the helpdesk. It is essentially the "safety net" for the user experience during a failed login attempt. Option A is incorrect because gotoOnFail is a parameter thatoverridesthe default, not the default itself. Option C is incorrect as nodes are configured individually and do not "automatically populate" from global settings. Option D is incorrect because the URL defines thedestinationof the redirect, not the internal error message display logic itself.

Session Upgrade in PingAM 8.0.2 is the mechanism by which a user’s current authenticated session is "elevated" to a higher authentication level (Auth Level). This is commonly triggered by Step-up Authentication requirements, where a user attempts to access a highly sensitive resource that requires a stronger authentication method (such as MFA) than what was used for their initial login.

According to the PingAM documentation on "Session Upgrade Outcomes," the process is not merely a modification of the existing session. Instead, when a user successfully completes the additional authentication requirements (the "Advice"):

Creation of a New Session: PingAM generates a brand-new authenticated session. This new session is assigned a higher authentication level corresponding to the tree or module just completed.

Property Copying: To ensure a seamless user experience, PingAM copies the session properties (attributes, constants, and other metadata) from the original lower-level session into the new higher-level session. This ensures that information gathered during the initial login remains available to applications.

Token Replacement: Because the session ID is part of the session token (SSO Token), a new session implies a new token. PingAM hands the client anew session tokento replace the original one. The client (browser or application) must then use this new token for subsequent requests.

If the realm is configured forserver-side sessions, the new session is stored in theCore Token Service (CTS). If configured forclient-side sessions, a new signed/encrypted JWT is sent to the client as a cookie. The key distinction is that the tokenchanges, and properties arepreservedthrough copying, which distinguishes Option B as the correct technical description of the internal AM lifecycle.