Ping Identity PAP-001 - Certified Professional - PingAccess

Applications consuming signed JWTs need theJSON Web Key Set (JWKS)endpoint to retrieve the public keys used for validating JWT signatures. PingAccess exposes this at/pa/authtoken/JWKS.

Exact Extract:

“When using JWT identity mapping, applications can obtain the signing keys from the/pa/authtoken/JWKSendpoint to validate the JWT signature.”

Option Ais correct —/pa/authtoken/JWKSprovides the key set for signature validation.

Option Bis incorrect — that’s an administrative API for configuring identity mappings, not a runtime validation endpoint.

Option Cis incorrect —/pa/aidc/cbis the OIDC callback endpoint.

Option Dis incorrect —/pa-admin-api/v3/authTokenManagementis for admin token management, not JWT validation.

From the “Promoting the replica administrative node” documentation:

Exact Extract:

“Open the/conf/run.propertiesfile in a text editor. Locate thepa.operational.modeline and change the value fromCLUSTERED_CONSOLE_REPLICAtoCLUSTERED_CONSOLE. These properties are case-sensitive. Do not restart the replica node during the promotion process.”Ping Identity Documentation

Also from the documentation under “Next steps” / manual promotion / “Using the admin API …”When promoting the replica, there is also mention of setting the new host-port in the primary admin configuration so that engine nodes and configuration references now point to the promoted replica. One of the API properties iseditRunPropertyFile(to flip the mode), another iseditPrimaryHostPort, which causes the primary-admin host setting to be updated.Ping Identity Documentation

Using those facts:

Why C is correct:

Option C says:Changepa.operational.modetoCLUSTERED_CONSOLEon the replica admin node.This directly matches the documented manual promotion step: switchpa.operational.modefromCLUSTERED_CONSOLE_REPLICA→CLUSTERED_CONSOLE.Ping Identity Documentation+1

This is essential for promoting the replica to primary console.

Why E is correct:

Option E:Modifybootstrap.propertiesand set theengine.admin.configuration.hostvalue to point at the replica admin node.While the documentation doesn’t always name the exact propertyengine.admin.configuration.host, the “promote via admin API” includes updating the “primary host:port” in the configuration so that engine nodes’ configuration queries (or whatever is used by engines) point to the new primary. This maps to ensuring that engine nodes know that the promoted replica is now the administrative node. This requiring modifying the bootstrap or configuration that engine nodes use to find the administrative host is essential.Ping Identity Documentation

Why the other options are incorrect:

A.Changepa.operational.modetoCLUSTERED_CONSOLE_REPLICAon one of the engine nodes.No. Engine nodes should havepa.operational.mode = CLUSTERED_ENGINE, not console modes.CLUSTERED_CONSOLE_REPLICAis an admin/replica console mode, not applicable for engines.docs.ping.directory+2Ping Identity Documentation+2

B.Restart all nodes in the cluster.The documentation explicitly saysdo not restartthe replica node during the promotion process because restart can cause file corruption or failure to properly promote. Only certain restarts are neededafterconfiguration updates. So restarting all nodes is not a correct required action.Ping Identity Documentation

D.Restart the replica admin node.As above, for manual promotion, a restart of the replica admin node isnotrequired (and is even discouraged during the promotion process). The change inrun.propertiesis detected without restarting.Ping Identity Documentation

When a PingAccess agent is compromised, the secure approach is toinvalidate the existing credentials and issue a new configuration filefrom the PingAccess Admin Console. This provides a freshagent.propertiesfile with new secrets, ensuring compromised keys cannot be reused.

Exact Extract:

“If an agent is compromised, revoke and regenerate the agent configuration by downloading a newagent.propertiesfile from the administrative console.”

Option Ais incorrect — manually changing the secret in the file does not propagate it to PingAccess.

Option Bis incorrect — trusted certificates are not tied to agent authentication.

Option Cis unnecessary — reinstalling the agent does not reset credentials.

Option Dis correct — downloading a newagent.propertiesfile re-secures the agent.

The Rule Set GroupC(ALL) requiresboth Rule Set A and Rule Set Bto evaluate to true.

Rule Set A (ALL)requirescan_read=yes.

Rule Set B (ANY)requireseitherOpt-in=yesORgroup=customerService.

Together in Rule Set Group C (ALL), both conditions must hold:

can_read=yesmust be present in the request.

User must have eitheropt-in=yesor be in thecustomerServicegroup.

This matchesOption Dexactly.

Option Ais incorrect; it requires both attributes in Rule Set B, but B is ANY (either is sufficient).

Option Bis incorrect; the “unless” wording is misleading — the parameter is always required because Rule Set A uses ALL.

Option Cis incorrect; same reasoning as above, B is ANY not AND.

Option Dis correct —can_read=yesAND(opt-in=yesORgroup=customerService).

When applications require additional attributes:

TheWeb Sessionmust be configured to retrieve those attributes from the token provider (OIDC or PingFederate).

TheIdentity Mappingmust be updated to forward those attributes to the application (e.g., as headers).

Exact Extract:

“Web sessions define how user attributes are retrieved from the token provider. Identity mappings determine how those attributes are inserted into requests to applications.”

Option Ais not necessarily required; attributes can be retrieved via userinfo endpoint or access token, not only ID tokens.

Option Bis correct — Identity Mappings must be updated to pass attributes to the app.

Option Cis incorrect — Site Authenticators define how PingAccess authenticates to apps, not attribute handling.

Option Dis incorrect unless the architecture specifically requires access token updates; PingAccess often uses the Web Session to fetch attributes.

Option Eis correct — Web Session must be updated to retrieve additional attributes.

When a back-end site requires HTTP Basic Authentication, PingAccess supports this via aBasic Authentication Site Authenticator. The authenticator is configured with credentials so that PingAccess can successfully authenticate to the target site.

Exact Extract:

“PingAccess can authenticate to target sites using a Site Authenticator. Use the Basic Authentication Site Authenticator when the site requires a username and password.”

Option Ais incorrect — identity mappings are used to forward user attributes, not for site-to-site authentication.

Option Bis incorrect — web sessions represent end-user sessions, not back-end credentials.

Option Cis correct — the Basic Authentication Site Authenticator should be configured on the Site.

Option Dis incorrect — mTLS authenticates with certificates, not username/password.

To transmit theid_tokenvia a back channel according to OIDC best practices, the application must use theAuthorization Code Flow(login type =code). This ensures tokens are retrieved securely via the back channel instead of being exposed in the browser.

Exact Extract:

“For back-channel transmission of ID tokens, configure the OIDC login type as Authorization Code.”

Option Ais correct — setting login type to code ensures back-channel delivery.

Option Bis incorrect — request preservation concerns request method persistence, not OIDC flow.

Option Cis incorrect — POST is not a valid login type; only Code, Implicit, or Hybrid.

Option Dis incorrect — request preservation has no bearing on token delivery.

In PingAccess, when an application relies on claims from an OAuth access token, you must configure PingAccess to evaluate those claims and potentially inject them into headers for the backend application.

Exact Extract from PingAccess documentation:

“OAuth rules allow you to evaluate claims in OAuth access tokens. You can configure PingAccess to look at specific claims and enforce policies or pass them to target applications.”

“To extract attributes from an access token, configure anOAuth Attribute Rule.”

This clearly matches optionD.

Analysis of each option:

A. An authentication requirement definition

Incorrect. Authentication requirements determine how users authenticate to applications (OIDC provider, etc.), but do not manage access token claims.

B. A web session attribute rule

Incorrect. Web session attribute rules map attributes from the authenticated user’s web session (SSO session), not from OAuth access tokens.

C. An identity mapping definition

Incorrect. Identity mappings transform user attributes (from IdP to app), but they don’t directly pull claims from OAuth tokens.

D. An OAuth attribute rule

Correct. This rule is specifically designed to extract and enforce policies onclaims from OAuth access tokens.

Therefore, the correct answer isD. An OAuth attribute rule.

The requirement is:

Allow access ifuser is in sales

OR ifuser is in marketing AND is a manager

This is logically represented as:

(A) OR (B AND C)

To configure this in PingAccess:

Rule Set (D) = ANY (A)

Rule Set (E) = ALL (B, C)

Rule Set Group (F) = ANY (D, E)

Assign Group (F) to the resource

This exactly matchesOption D.

Option Ais incorrect — requires both A and (B AND C), which is stricter than the requirement.

Option Bis incorrect — ANY(A, B, C) would allow users in marketing or managers without requiring both.

Option Cis incorrect — it uses ALL(D, E), which would require both conditions instead of OR.

Option Dis correct — it models (A OR (B AND C)).