Pass the Ping Identity PingAM PT-AM-CPE Questions and answers with ExamsMirror

In PingAM 8.0.2, Authorization Policies define who can perform what actions on a specific resource. These "Actions" are defined within a Resource Type. When you create a new policy, you must select which actions are allowed or denied.

According to the "Resource Types" documentation, PingAM includes several "Default" resource types (such as URL, RPC, and others).9For the most common resource type, theURL Resource Type, PingAM defines a set of standard HTTP-related actions by default:

GET

POST

PUT

DELETE

HEAD

OPTIONS

PATCH

HEAD (Option A) is a standard HTTP method and is included in the default list for URL-based policies.

INSERT, CREATE, and UPDATE (Options B, C, and D) are not provided by default in the standard URL resource type. While an administrator can certainly create a Custom Resource Type and define "INSERT" or "UPDATE" as valid actions (common for database or API-specific policies), they are not present in the "default" out-of-the-box configuration for web-based resources. Understanding the default action set is important for administrators when quickly securing web applications without the need for custom schema development.

In PingAM 8.0.2, the management of sensitive data such as passwords and cryptographic keys is handled through a unified Secret Store framework. This framework abstracts the source of the secret from the component that consumes it using Secret IDs. One of the most critical secret IDs in a standard installation is storepass.

The storepass secret ID is specifically used by thedefault-keystore(which is typically a "Keystore secret store" pointing to keystore.jks or keystore.p12). Before AM can access the keys within the default-keystore to sign tokens or encrypt data, it must first unlock the keystore itself using the password mapped to the storepass secret ID.

According to the PingAM "Secrets, certificates, and keys" documentation, in adefault file-based configuration, PingAM initializes aFilesystem secret storeas its primary global store. This store is configured to look into a specific directory within the AM configuration path (usually .../openam/secrets/). Inside this directory, AM expects to find files named after the secret IDs they contain. For the storepass ID, there is typically a corresponding file (such as storepass or .storepass) containing the cleartext or encrypted password required to open the primary keystore.

While AM can be configured to use anEnvironment and system property secret store(Option B) for high-portability cloud deployments, the "out-of-the-box" default behavior during a standard installation relies on the filesystem. Option A is incorrect because the storepass is thekeyto the keystore, not a secretinsideit, and Option D refers to specialized hardware integrations not used in a default software-only setup. Therefore, theFilesystem secret storeis the correct technical answer for the default location of the storepass.

============

The ForceAuth=true parameter is a standard directive used in various authentication protocols (specifically SAML2 and OIDC) and is natively supported by the PingAM 8.0.2 XUI (the modern End-User User Interface).

According to the "Authentication and SSO" documentation:

Normally, if a user has an active, valid session cookie (iPlanetDirectoryPro), and they navigate to the AM login URL, PingAM will recognize the session and automatically redirect the user to their destination (the "Success URL") without prompting for credentials. This is the core benefit of Single Sign-On.

However, when the ForceAuth=true parameter is appended to the query string, it instructs the PingAM authentication engine tobypass the session checkfor the purpose of re-authentication. The engine will:

Ignore the existing valid session cookie.

Force the user back to thelogin page(rendering the initial nodes of the configured authentication tree).

Require the user to provide their credentials again.

This is a critical security feature for high-value transactions. For instance, if a user is already logged in but attempts to change their bank transfer details, the application can redirect them to AM with ForceAuth=true to ensure the person sitting at the computer is indeed the authorized user. Option B is incorrect because ForceAuth only forces are-authentication; whether that includes MFA depends on the tree configuration, not the parameter itself. Option C is incorrect as PingAM explicitly processes this parameter. Therefore, the primary outcome is theredirection to the login pageregardless of the current session state.

When configuring Authorization Policies in PingAM 8.0.2, defining the Resource Pattern is critical for determining which URLs the policy applies to. PingAM uses specific wildcard symbols to represent dynamic parts of a URI, but they behave differently regarding directory depth.

According to the PingAM documentation on "Policies and Resource Types":

The * Wildcard (One-Level Wildcard): This wildcard matches characters within a single path level. It doesnotmatch forward slashes (/). For example, http://example.com/* will match http://example.com/page1 but will notmatch http://example.com/folder/page1.

The -*- Wildcard (Multi-Level Wildcard): This wildcard is designed to match any number of characters, including forward slashes (/), effectively spanning multiple levels of a directory hierarchy. For example, http://example.com/-*- will match http://example.com/page1, http://example.com/folder/page1, and even http://example.com/deeply/nested/resource.

Statement B is the correct technical distinction. Statement A is incorrect because query parameters are typically handled by specifically enabling "Query Parameter Matching" in the Resource Type configuration, rather than being a primary distinction between these two wildcards. Statement C is technically discouraged because mixing them can lead to unpredictable or overly broad matches that are difficult to debug. Statement D is incorrect because wildcardscanbe used in the host/port portion of the URL if the resource type is configured to support it. Understanding the difference between single-level (*) and multi-level (-*-) matching is a fundamental skill for AM policy administrators to prevent security gaps.

============

The Device Authorization Grant (Device Flow), defined in RFC 8628 and implemented in PingAM 8.0.2, involves a polling mechanism where the device repeatedly asks the token endpoint for an access token using the device_code it received earlier.1

According to the PingAM documentation on "Device Authorization Grant" and "OAuth 2.0 Endpoints," during the period when the user is still navigating to the verification URL and entering their user code, the device's polling requests to the /oauth2/access_token endpoint will not result in a successful token issuance. Instead, PingAM returns a400 Bad Requeststatus code.

It is important to look at the JSON response body accompanying the 400 error. The body contains an error field with the value authorization_pending.2This specific error code tells the device that the authorization request is still valid and in progress, but the user has not yet completed their part. The device should continue to poll at the interval specified in the initial response.

Other error codes like403 Forbidden(Option A) would typically indicate a permanent rejection or that the device is polling too frequently (slow_down).401 Unauthorized(Option C) is generally reserved for invalid client credentials when the client is confidential.302 Found(Option D) is a redirect, which is not used in the back-channel polling phase of the Device Flow. Therefore, while a 400 error usually suggests a client error, in the context of the Device Flow, it is the standard protocol-level response used to communicate that the token is not yet ready because the user hasn't finished authorizing.

In SAML 2.0 Federation, there is a standard XML schema (defined by OASIS) that all vendors use to describe an Identity Provider (IdP) or Service Provider (SP). This is known as "Standard Metadata." However, standard metadata does not include every configuration option required to run a sophisticated Access Management server.

PingAM 8.0.2 usesExtended Metadatato store implementation-specific settings that fall outside the OASIS SAML 2.0 specification. According to the "SAML 2.0 Guide," extended metadata is stored as a separate configuration file (or JSON entry in newer versions) and includes parameters such as:

Identity Store Mapping: Which attribute in the local datastore matches the SAML NameID.

Session Information: How AM should handle the session lifecycle after a successful SAML assertion.

Attribute Mapping: Detailed instructions on how to transform local LDAP attributes into SAML attributes (and vice versa).

Authentication Trees: Which specific tree should be triggered when a request arrives at the IdP.

Option D is the correct description. Option C is incorrect because extended metadata isnota standard way to communicate features; in fact, other SAML products (like ADFS or Okta) cannot read or process PingAM's extended metadata. Option A is incorrect because basic certificates/keys are usually part of thestandardmetadata (KeyDescriptor), and Option B is incorrect because SAML federation usually triggers authentication journeys or attribute mapping rather than a standard authorization "policy."

Audit logging is a vital security feature in PingAM 8.0.2 that provides a record of system activity. To make these logs useful for modern analysis tools and to ensure they contain rich metadata, PingAM utilizes structured logging.

According to the PingAM "Audit Logging Service" documentation:

When an administrator enables audit logging in a new installation, the system is pre-configured with the JSON audit event handler as the default. This handler writes log entries to the local filesystem in a structured JSON format (e.g., access.audit.json).

The choice ofJSON(Option D) as the default is strategic:

Structure: JSON allows for complex, nested data structures, which is necessary to capture the full context of an authentication journey or a policy decision.

Interoperability: JSON is the "native language" of modern log aggregators and SIEM platforms like Splunk, ELK (Elasticsearch/Logstash/Kibana), and Sumo Logic.

Readability: While structured, it remains human-readable for quick manual inspection.

Why other options are incorrect:

CSV (B)andSyslog (C)are available handlers but must be explicitly added or configured; they are not the primary default.

Elasticsearch (A)is a powerful target for audit logs, but PingAM typically sends data there via an external collector reading the JSON files or via a specifically configured Elasticsearch handler, rather than it being the out-of-the-box default for a local installation.

The JSON handler ensures that from the moment logging is turned on, the data is stored in a format that balances detailed reporting with ease of integration.

In a high-availability PingAM 8.0.2 cluster, the Load Balancer (LB) is responsible for distributing traffic across multiple AM instances. Session Stickiness (also known as session affinity) ensures that all requests from a specific user session are routed to the same AM server that initially created the session.

According to the PingAM "Deployment Planning" and "Load Balancing" documentation, PingAM is designed to be "sticky-preferred" but not "sticky-required" if theCore Token Service (CTS)is used. If stickiness isnotensured:

Performance Impact: Every time a user request lands on adifferentAM server (Server B) than the one that holds the session in local memory (Server A), Server B must query theCTS (External Store)to retrieve the session details, deserialize the object, and reconstruct the session state. This cross-server look-up introduces significant latency and increases the load on the PingDS instances hosting the CTS.

CTS Load: Without stickiness, every single request becomes a "Global" session lookup. This drastically increases the I/O and CPU overhead on the back-end directory servers, potentially leading to performance degradation of the entire identity platform.

Why other options are incorrect:

Option A: Session failoverrequiresthe CTS, but stickiness actuallyminimizesthe need for failover logic during normal operation. Failover still works without stickiness, it just becomes the "default" behavior for every request.

Option B: AM servers in a cluster share the same encryption keys and back-end stores. Any server can technically validate a session by looking it up in the CTS; the browser doesn't "know" which server is correct.

Option C: Redirects are handled at the application logic level. While some internal processing changes, it doesn't necessarily result in extra browser-level HTTP redirects.

Thus, the primary negative impact of lacking stickiness in a correctly configured cluster is adecrease in performance(Option D) due to the constant session synchronization overhead.

============

In PingAM 8.0.2 Intelligent Access, the Set Session Properties node is a specialized utility node designed to modify the session object once it is created.

According to the "Authentication Node Reference":

During an authentication journey, data is typically stored in the sharedState. However, sharedState is transient and is destroyed once the tree finishes. If an administrator wants to take a piece of information (e.g., a "Risk Score" calculated during the tree, or a "Branch ID" retrieved from a legacy system) and make it a permanent part of the user's session, they must use the Set Session Properties node.

Functionality: This node allows you to map a value from the sharedState or transientState to a session property name. After the tree reaches aSuccessnode, these properties are persisted in the session (either in the CTS for server-side sessions or the JWT for client-side sessions).

Usage: Once set, these properties can be retrieved later forResponse Attributesin policies, or by applications using the /json/sessions endpoint.

Option A (Get Session Data node)is used toretrieveexisting properties from an active session, not set them.Option Bis incorrect because while webhooks can trigger external logic, the native way to modify the session within a tree is a node.Option C (Provision Dynamic Account node)is for creating user entries in the Identity Store (LDAP), not for managing session-level properties. Therefore,Set Session Properties(Option D) is the correct technical tool for this requirement in version 8.0.2.

PingAM 8.0.2 provides a robust framework for Multi-Factor Authentication (MFA) centered around modern, secure protocols and the Intelligent Access (Authentication Trees) engine. When discussing supported "protocols" in the context of MFA in PingAM documentation, the focus is on standardized methods for secondary verification.

The primary supported MFA pillars in PingAM 8.0.2 are:

Open Authentication (OATH): AM supports the OATH standards, specificallyTOTP(Time-based One-Time Password) andHOTP(HMAC-based One-Time Password). This is implemented through the "OATH" authentication nodes, allowing users to use apps like ForgeRock Authenticator, Google Authenticator, or YubiKeys in OATH mode.

Web Authentication (WebAuthn): This is the implementation of theFIDO2standard. It allows for passwordless and secure second-factor authentication using biometrics (like TouchID/FaceID) or hardware security keys (like YubiKeys). It is the successor to older standards and is natively supported via WebAuthn nodes.

Push Authentication: This is a proprietary but highly secure protocol used specifically with theForgeRock/Ping Authenticator app. It allows a "Push" notification to be sent to a registered mobile device, which the user then approves or denies.

Why others are excluded from the selection:While PingAM supportsSecurity Questions(KBA) andUniversal 2nd Factor(U2F), they are often categorized differently in the 8.0.2 documentation. Security Questions are considered a "User Self-Service" or "Legacy" validation method rather than a modern MFA protocol. U2F is technically superseded by and included within theWebAuthnframework in PingAM 8.0.2. Thus, the most accurate grouping of distinct, core MFA protocols supported in the current version isA, C, and E, making Option C the correct answer.