Ping Identity PT-AM-CPE - Certified Professional - PingAM Exam

According to the PingAM 8.0.2 documentation on "OAuth 2.0 Client Authentication," clients are categorized into two types based on their ability to maintain the confidentiality of their credentials: Public and Confidential.

AConfidential Clientis defined as an application that is capable of securely storing a client_secret or a private key.1These are typically applications where the code and configuration are not exposed to the end user.Web Applications(Option D) are the classic example of confidential clients because they run on a secure back-end server.2The server-side code can store and use a secret to authenticate with PingAM's token endpoint without the risk of the secret being leaked to the user-agent or a third party.

In contrast:

Web Browsers(Option C) andJavaScript clients(Option B) are consideredPublic Clients.3Since the code runs within the user's browser, any secret embedded in the application would be visible to the user via "View Source" or developer tools.4

Desktop clients(Option A) and native mobile apps are also categorized as public clients in the OAuth2 specification (RFC 6749) because they are distributed to end-user devices.5Even if the secret is obfuscated, it can be extracted through reverse engineering or decompilation.

For confidential clients, PingAM 8.0.2 supports various authentication methods at the token endpoint, including client_secret_basic, client_secret_post, and more secure options likeMutual TLS (mTLS)orPrivate Key JWT. By correctly identifying a client as confidential, administrators can enforce these stronger authentication requirements, ensuring that the client is indeed the entity it claims to be before granting access or refresh tokens.

Upgrading PingAM 8.0.2 is a complex process that involves updating binaries, modifying schemas in the configuration store, and potentially migrating scripts to the "Next-Generation" scripting engine. To ensure that the system is not only "running" but also "production-ready," a comprehensive testing phase is required.

According to the "Post-Upgrade Tasks" and "Best Practices for Upgrading" documentation:

A successful upgrade verification must cover two distinct categories of testing:

Functional Tests: These verify that the core features still work as intended. Can users log in? Do the authentication trees execute correctly? Are SAML assertions being generated? This ensures the "Logic" of the identity platform is intact.

Non-Functional Tests: These are equally critical in an upgrade scenario. An upgrade can sometimes introduce performance regressions, change the way memory is utilized by the JVM, or alter the connection pool behavior to the CTS. Testing forperformance, high availability (failover), security (vulnerability scanning), and monitoringensures the system can handle production loads and meets the organization's Service Level Agreements (SLAs).

While setting version flags (Option D) might be a technical step in some internal processes, it does not "ensure a successful upgrade" in the way that rigorous validation does. Running only functional tests (Option A) or only non-functional tests (Option C) leaves the environment vulnerable to either logic errors or system crashes. Thus, the verified best practice is to runboth functional and non-functional tests(Option B) before redirecting production traffic to the upgraded instances.

The Push Result Verifier node is a core component of the "MFA: Push Authentication" journey in PingAM 8.0.2. Its primary function is to check the status of a push notification that was previously dispatched to a user's mobile device (usually via the Push Sender node).22

According to the "Authentication Node Reference" for version 8.0.2, the node evaluates the state of the push request and yields exactly four distinct outcomes:

Success: This path is followed if the user has actively approved the push notification on their registered device using the ForgeRock/Ping Authenticator app.

Failure: This path is taken if the user explicitly denies or rejects the push notification on their device, indicating a potential unauthorized login attempt.

Expired: This outcome occurs if the notification reaches its "Message Timeout" limit (defined in the Push Sender node) without any response from the user.23In standard trees, this path often loops back to allow the user to try a different MFA method or resend the push.

Waiting: This outcome is triggered if a response has not yet been received but the timeout has not yet been reached. This is used in conjunction with aPush WaitorPollingmechanism to create a "check-and-loop" logic until a final result (Success, Failure, or Expired) is determined.

TheRetryoutcome (mentioned in other options) is notably absent from this specific node's metadata. While a "Retry" might be implemented in the overalltree logic(for example, by using aRetry Limit Decision nodeafter anExpiredoutcome), thePush Result Verifier nodeitself only reports the state of the specific push transaction it is tracking. Understanding these four discrete states is vital for designing resilient authentication journeys that handle user delays or network issues gracefully.

The connection string format HOST:PORT|SERVERID|SITEID is a specific syntax used in PingAM 8.0.2 for Affinity Load Balancing, a feature almost exclusively associated with the Core Token Service (CTS). In high-volume deployments, the CTS handles thousands of session updates per second. To avoid replication lag issues—where an AM server might try to read a session token from a directory server (DS) before the update has replicated from another DS node—PingAM uses "Affinity."16

According to the "CtsDataStoreProperties" and "CTS Deployment Architectures" documentation, this specialized string allows the AM instance to prioritize connections based on theServer IDandSite ID.17The pipe (|) characters signify the optional affinity parameters:

01/02: These represent the Server IDs of the underlying Directory Servers.

Affinity Logic: By providing these IDs, PingAM can ensure that it always routes requests for the same CTS token to the same directory server node.18

While standard Identity Stores (Option A) and the Configuration Data Store (Option C) use LDAP connection strings, they typically utilize a comma-separated list of host:port pairs or rely on a hardware load balancer. The specific use ofserver and site IDs within the connection string itselfto manage LDAP request routing is a hallmark of the CTS affinity configuration.19The documentation explicitly states that "Each connection string is composed as follows: HOST:PORT[|SERVERID[|SITEID]]" within the context ofCTS external store configuration.20Therefore, this complex string is specifically designed for the Core Token Service to ensure data consistency and high performance in clustered environments.

When configuring secure communication (LDAPS, HTTPS) in PingAM 8.0.2, managing the Truststore is a critical security task. The truststore contains the public certificates (trust anchors) of the servers PingAM needs to communicate with, such as PingDS or external Identity Providers.

The PingAM "Secure Network Communication" documentation outlines several best practices:

Avoid Modifying the JVM Truststore: One should not add internal certificates (like those for PingDS) to the default JVM cacerts file (Option D is a best practice). This prevents pollution of the system-wide Java environment.

Use a Dedicated Truststore: Creating a fresh, minimal truststore containing only necessary certificates (Option B and C) ensures a "least privilege" approach to trust.

Why Statement A is NOT a best practice:Statement A suggests that you should copy the JVM truststore toisolateit from changes made to the JVM container's truststore. In a production security context, this is a dangerous anti-pattern. The JVM's default truststore (e.g., cacerts) is frequently updated by Java maintainers and OS vendors to include new Root CAs and, more importantly, toremove/revokecompromised or untrustworthy CAs. By making a static copy to "isolate" AM from these updates, an administrator inadvertently keeps obsolete or insecure certificates in AM's trust list while missing out on critical security updates provided by the platform.

Best practice dictates that AM should point to a truststore that is intentionally managed. If isolation is needed, it should be achieved by creating a new store forinternalcertificates and potentially using the -Djavax.net.ssl.trustStore property to manage the hierarchy, rather than cloning the system-wide CA bundle to avoid "changes." Therefore, Option A is the correct answer as it describes a maintenance and security risk.

Session Denylisting is a critical security feature in PingAM 8.0.2, primarily used when a realm is configured for client-side sessions.9 In a client-side session model, the session state is stored in a signed and encrypted JWT within the user's browser cookie rather than in the server's memory or the Core Token Service (CTS).10 Because the server does not "own" the session state, a logout event typically only involves deleting the cookie from the browser. However, if a malicious actor had previously copied that cookie, they could still use it until it naturally expires.

To solve this, PingAM usesSession Denylistingto keep track oflogged out sessions.11When a user logs out, or when a session is invalidated (e.g., during a session upgrade or administrative action), AM records the session identifier in a denylist stored within theCore Token Service (CTS).12For every subsequent request, AM checks the incoming client-side session token against this denylist.13If the session ID is found in the denylist, AM rejects the token as invalid, even if the cryptographic signature is correct and the expiration time has not passed.

The documentation emphasizes that this feature is essential for "tracking session logouts across multiple AM servers" in a cluster. Without denylisting, there would be no way to perform a "global logout" for client-side sessions that is immediately effective across all nodes.14Administrators can configure properties such as theDenylist Purge Delay(to account for clock skew) and theDenylist Poll Interval(to balance security speed with system performance).15By effectively managing the lifecycle of revoked tokens, session denylisting ensures that a logout is a cryptographically and operationally certain event.

Social Authentication in PingAM 8.0.2 allows users to log in using identities from external providers like Google, Apple, or LinkedIn. This process relies on PingAM acting as an OAuth2 Client or OpenID Connect Relying Party (RP) toward the social provider.

According to the PingAM "Social Authentication" and "Social Identity Provider Client Configuration" documentation, for PingAM to successfully hand off authentication to a social provider, you must configure anOAuth2 Client(specifically a Social Identity Provider client) within the PingAM realm. This configuration includes:

Client ID and Client Secret: Obtained from the social provider's developer console (e.g., Google Cloud Console).

Endpoints: The authorization, token, and UserInfo endpoints of the social provider.

Scopes: The permissions PingAM is requesting (e.g., openid, profile, email).

Once this "Social Client" is configured, it is used by aSocial Provider Handler node(or the legacy Social Authentication module) within an authentication tree. When the user clicks "Login with Google," PingAM uses these client credentials to initiate the OIDC flow with Google.

Why other options are not the primary requirement:

While aData Store (A)is eventually used to save the linked user profile, themechanismof social auth itself is driven by the OAuth2 client configuration.

A realm service (B)is too broad; while social auth is a service within a realm, the specific configuration object required is the client.

A realm policy (D)governs authorizationafterlogin, but does not enable the social login process itself. Therefore, theOAuth2 clientconfiguration is the technical prerequisite for establishing the trust relationship with the external provider.

In PingAM 8.0.2, the OAuth 2.0 Token Exchange (RFC 8693) implementation allows for complex identity delegation scenarios. The may_act claim is a specific claim used to indicate that one entity is authorized to act on behalf of another. When customizing the behavior of token exchange via the OAuth2 Token Exchange Script, developers interact with specific scriptable objects provided by the PingAM engine.

According to the "Scripting API" for OAuth2 and the "Token Exchange" developer guide, the requestedToken object is the primary interface used to modify the structure of the token being issued during the exchange. To insert the may_act claim, the API provides the addMayAct() method.

The may_act claim is technically a JSON object that contains a sub (subject) claim of the entity that is allowed to act as the subject of the token. In the scripting environment:

The requestedToken variable represents the token currently being minted.

The .addMayAct() method is the defined function signature to append this delegation metadata.

Why other options are incorrect:

Options A and D:The object name token is not the standard binding used for the target token in the Token Exchange script context; requestedToken is the correct binding.

Option C:The method name setMayAct is incorrect. The PingAM API uses the add prefix for these types of claims (similar to addActor), reflecting the underlying structure where these claims are added to the claim set of the JWT.

Using the correct syntax requestedToken.addMayAct(mayAct) ensures that the resulting Access Token or ID Token contains the correctly formatted delegation information required by resource servers to validate that the "Actor" has the permission to represent the "Subject."

Debugging a PingAM 8.0.2 environment is essential for troubleshooting issues that occur at the engine level. In a multi-server deployment (a cluster), different servers may be experiencing different local issues (e.g., filesystem permissions or local JVM constraints). Therefore, debug settings are managed at the server-specific level rather than the global site level.

According to the "Debug Logging" and "Server Settings" documentation:

The debug level (e.g., error, warning, message, info) is configured on a per-instance basis. In the PingAM Administrative Console, an administrator navigates to Deployment > Servers > [Server Name] > Debugging. Here, they can set the "Debug Level" and "Debug Output" (file vs. console).

Setting the level per instance allows an administrator to increase verbosity on a single "problematic" node without flooding the logs and impacting the performance of the entire healthy cluster. While these settings eventually modify internal properties, theAdmin Consoleis the primary and recommended interface for making these changes in version 8.0.2.

Why other options are incorrect:

Option A: While legacy versions of OpenAM used a local debug.properties file, modern PingAM stores these settings in the Configuration Store, though they are applied to specific server instances.

Option C: A "Site" is a logical grouping for load balancing. Setting a debug level on a site would force all servers in that site to change simultaneously, which is often undesirable for targeted troubleshooting.

Option D: Changing the debug level is a standard and recommended practice for troubleshooting, provided it is returned to a lower level (like error or warning) once the issue is resolved to save disk space and CPU.

Auto-federation is a feature in PingAM 8.0.2 designed to simplify the user experience by automatically linking an IdP identity to an SP identity without manual intervention or a specialized "linking" page.12

According to the PingAM documentation on "Link Identities Automatically with Auto-Federation":

Linking Mechanism (Statement B): Auto-federation does not rely on the SAML NameID. Instead, it uses acommon attribute valuefound in both the SAML assertion and the SP's local identity store. For example, if both systems share an "Email" attribute, the SP can be configured to use the mail attribute from the incoming assertion to search its own datastore. If a match is found, the accounts are linked. This is significantly more flexible than relying on NameID formats (disproving Statement A).

User Experience (Statement C): One of the primary benefits of auto-federation is that it supports a "Just-in-Time" experience. The useronly needs to log in to the Identity Provider (IdP). When they are redirected to the SP, the SP performs the attribute-based lookup and creates the session immediately. The user is never prompted to log in at the SP side just to "prove" who they are for the linking process (disproving Statement D).

Because auto-federation relies on matching attributes and only requires a single login at the IdP, the correct statements areB and C. This makes Option B the correct choice. This feature is particularly useful in Large-Scale B2B or B2C scenarios where pre-mapping thousands of users manually would be impossible.