Ping Identity PT-AM-CPE - Certified Professional - PingAM Exam

While several endpoints in PingAM 8.0.2 interact with tokens, only one is explicitly designed for the purpose of checking the metadata and validity of an opaque or structured OAuth2 token.

According to the "OAuth 2.0 Endpoints" and "Token Introspection" documentation:

/oauth2/introspect (Option B): This is the RFC 7662-compliant endpoint. It is used by resource servers (or other authorized clients) to determine the "activeness" of a token. When a token is sent to this endpoint, PingAM returns a JSON object indicating if the token is valid, its scope, its expiration time, and the subject it represents. This is the standard way to validate tokens that are not self-validated (like opaque tokens stored in the CTS).

Why other options are incorrect:

/oauth2/userinfo (Option A): This endpoint is part of OpenID Connect. While itrequiresa valid token to function, its purpose is to return user claims, not to provide a "valid/invalid" metadata check of the token itself.

/oauth2/validate (Option C): This is a legacy endpoint used in older versions of the product. In PingAM 8.0.2, introspection is the standardized replacement.

/oauth2/access_token (Option D): This is theToken Endpointused toissuetokens, not to validate them.

Using the/oauth2/introspectendpoint is a best practice for security because it allows the authorization server (PingAM) to verify that a token has not been revoked in the Core Token Service (CTS) before a resource server grants access.

In the Ping Identity ForgeOps methodology for version 8.0.2, there are two primary deployment patterns used in Kubernetes: the Cloud Developer Kit (CDK) and the Cloud Deployment Model (CDM).

CDK (Cloud Developer Kit): This is intended for development and demonstration purposes. It is a "minimized" version of the platform. Crucially, in the CDK, thePingDS(directory service) is typically deployed as a single instance. It lacks the redundancy and replication required for production, as the goal is to reduce resource consumption on a developer's machine or a small test cluster.

CDM (Cloud Deployment Model): This is the reference architecture for production-grade environments. The CDM is designed for high availability and scale. According to the "ForgeOps Documentation," the primary differentiator is that the CDM providesreplicated directory services. In a CDM deployment, PingDS is deployed in a multi-instance, replicated state (using a Kubernetes StateFulSet) to ensure that if one DS pod fails, the session and configuration data remain available.

While both models support major cloud providers like GKE, EKS, and AKS (Option B), generate random secrets (Option A), and provide integrated AM/IDM/DS stacks (Option D), the presence ofmulti-node replicationin the directory layer is the definitive technical boundary between the "Developer" kit and the "Production" model.

This question tests the understanding of Session Cookie Domains and browser behavior in a PingAM 8.0.2 deployment. According to the "Secure Session Cookies" documentation, the Cookie Domain setting in a realm determines the scope of the SSO token.

Standard browser cookie rules (RFC 6265) dictate that a cookie set for a specific domain is visible to that domain and all of itssubdomains. However, a cookie isnotvisible to a parent domain or a "sibling" domain.

In this scenario, the cookie is set for am.example.com:

A. example.com: This is theparent domain. A cookie set for am.example.com isnotvisible here. To make it visible to example.com, the cookie domain would have to be explicitly set to .example.com.

B. am.example.com: The cookie is directly set for this domain, so it is obviouslyvisible.

C. sub.am.example.com: This is asubdomainof am.example.com. Under standard cookie rules, it will receive the cookie.

D. login.am.example.com: While this is also a subdomain, the question implies a specific selection.

Looking at the provided options (B and C), Option C accurately reflects the inheritance rule where the domain itself and its immediate sub-levels are covered. While login.am.example.com (Option D) is technically also a subdomain, the standard documentation examples for "Cross-domain" or "Sub-domain" visibility typically emphasize the relationship between the primary AM host and its child applications. Therefore, the combination ofB and Cis the most accurate representation of how the browser handles the scope of an am.example.com cookie.

============

According to the PingAM 8.0.2 "Maintenance and Troubleshooting" documentation, the system generates two primary, distinct categories of logs for monitoring and problem-solving: Audit Logs and Debug Logs.

Audit Logs: These are high-level logs intended for security auditing, compliance, and reporting. They record specific "business events" or "state changes" within the system. Examples include successful logins, failed authentication attempts, administrative configuration changes (logged in config.audit.json), and policy evaluation decisions (logged in access.audit.json). These logs are structured (often in JSON) to be easily consumed by SIEM (Security Information and Event Management) tools.

Debug Logs: These are low-level, highly verbose logs intended for developers and support engineers. They record the internal "thought process" of the PingAM engine. They track the execution of specific Java classes, the results of LDAP queries, and the movement of data between authentication nodes. These logs are stored in the /debug directory and can be adjusted to different levels of verbosity (Error, Warning, Message, Info).

While PingAM runs within aJavaVirtual Machine (JVM), and you may see container logs (like catalina.out in Tomcat) or "Java logs" from the underlying web server, these are technically external to the PingAM application itself. The PingAM application's internal logging framework is strictly split betweenAudit(what happened at a functional level) andDebug(why it happened at a code level). Therefore, Option C is the most accurate technical description of the logs natively managed and written by the PingAM service.

To implement Step-up Authentication in PingAM 8.0.2, you typically use Authorization Policies that include "Environment Conditions."14 These conditions check the "quality" of the user's current session. If the session does not meet the specified condition, PingAM generates an Advice, which triggers the step-up process.

According to the "Condition Types" reference in the PingAM 8 documentation, the conditions used specifically to evaluatehowa user authenticated are:

Authentication Level (greater than or equal to): This is the most common condition for step-up. It checks if the session's Auth Level is at least a certain value (e.g., Level 2). If the user only has a Level 1 session, the policy fails and triggers an upgrade.

Authentication by Service: This condition checks if the user authenticated using a specificAuthentication TreeorChain(e.g., the user must have used the "SecureBankMFA" tree).

Authentication by Module Instance: This is used for legacy deployments where individual modules are used instead of trees. It verifies that the user successfully completed a specific module (e.g., the "DataStore" module).

Authentication to a Realm(Option D) is generally not a condition used for step-up authentication. While a policy existswithina realm, the "step-up" logic is focused on themethodorlevelof authentication within that realm, not the fact that they are in the realm itself (which is already a prerequisite for reaching the policy engine). Therefore, the combination ofA, B, and C(Option B) represents the specific environment conditions designed to evaluate the authentication context for step-up or "Quality of Service" (QoS) requirements.

When PingAM 8.0.2 evaluates an authorization policy, the primary output is a "Permit" or "Deny" decision. However, applications and Policy Enforcement Points (PEPs)—like PingGateway or a Web Agent—often require additional metadata about the user or the session to function correctly (e.g., the user's employee ID, department, or a specific preference).

According to the PingAM documentation on "Policies" and "Requesting Decisions":

The mechanism used to provide this extra information is Response Attributes. When defining a policy in the PingAM UI or via REST, an administrator can configure "Response Attributes" which map internal attributes (from the User Profile or the Session) to keys that are sent back in the policy decision payload.

How it works: If a policy is configured with a response attribute mapping uid to User-ID, when PingGateway asks "Can user X access resource Y?", PingAM responds with "Permit" AND a map containing User-ID: X.

Consumption: PingGateway or the Web Agent can then take these attributes and inject them into HTTP headers (e.g., X-User-ID) so the downstream application can consume them without having to query AM again.

Subjects(Option A),Resources(Option B), andActions(Option D) are allinputcomponents used to define the scope of a policy; they are not used to return data to the enforcer. OnlyResponse Attributesserve the purpose of enriching the decision response with additional context.

============

In SAML 2.0 federation with PingAM 8.0.2, there are two ways to initiate SSO: IdP-Initiated (where the user starts at the Identity Provider) and SP-Initiated (where the user starts at the Service Provider).3

According to the "SAML 2.0 Guide" for PingAM:

SP-Initiated SSO: The correct JSP file for an SP-initiated flow is spSSOInit.jsp.4This script is used by an SP (in this case, PingAM acting as an SP or a "Fedlet") to generate a SAML AuthnRequest and send it to the IdP.

Redirecting to the Application: In the SAML 2.0 standard, the mechanism used to preserve state (like the final destination URL) across the redirect-heavy SSO process is theRelayStateparameter. When the IdP sends the SAML assertion back to the SP, it also returns the RelayState value. The SP then uses this value to redirect the user to the final application.

While PingAM uses the goto parameter for internal redirects (like standard web login),RelayStateis the required parameter name for SAML-related JSPs to ensure interoperability with the SAML specification. Therefore, the correct URL is .../spSSOInit.jsp combined with the RelayState parameter (Option D). Using idpSSOInit.jsp (Options A and B) would trigger an IdP-initiated flow, which is not what the question describes. Option C is incorrect because it uses the non-SAML goto parameter in a SAML initialization context.

PingAM 8.0.2 is strictly compliant with various identity standards to ensure interoperability between different vendors and platforms. The Security Assertion Markup Language (SAML) V2.0 is the cornerstone of modern XML-based federation.7

According to the PingAM "SAML 2.0 Introduction" and "Supported Standards" documentation, the SAML 2.0 standard is developed and maintained byOASIS(the Organization for the Advancement of Structured Information Standards).8Specifically, theOASIS Security Services Technical Committee (SSTC)is responsible for the specifications that define the SAML core (assertions and protocols), bindings (how SAML messages are mapped onto transport protocols like HTTP), and profiles (how SAML is used to solve specific use cases like Web Browser SSO).

Knowing the governing body is important for administrators when reviewing the "Technical Metadata" and "Schema" sections of PingAM, as AM’s implementation follows the OASIS SAML 2.0 standards for XML signing, encryption, and assertion structure. Other organizations listed, such as theIETF(Internet Engineering Task Force), govern protocols like OAuth2 and OpenID Connect, while theW3C(World Wide Web Consortium) handles general web standards like XML and WebAuthn. However, for SAML2, OASIS remains the authoritative governing body.

In PingAM 8.0.2, choosing the correct OAuth2 grant flow depends entirely on the type of client and the nature of the resource access. For a microservice (a machine-to-machine scenario), the Client Credentials Flow (defined in RFC 6749) is the industry-standard and documented best practice.

A microservice is categorized as aConfidential Clientbecause it runs on a secure server where it can safely store its own credentials (client_id and client_secret). In a microservice-to-microservice interaction, there is no "end-user" present to provide consent or enter a password. Instead, the microservice authenticates as itself to the PingAM token endpoint.

According to the PingAM "OAuth 2.0 Grant Flows" documentation:

The microservice sends a POST request to the /oauth2/access_token endpoint.

The request includes the grant_type=client_credentials parameter along with the client's own authentication (such as Basic Auth with secret, or mTLS).

PingAM validates the client's credentials and scopes.

Since this is a machine-to-machine flow, PingAM bypasses the user authorization (consent) step and issues anAccess Tokendirectly to the service.

Why other options are incorrect:

Implicit flow (A)andAuthorization code flow (B)are designed for scenarios where a human user is present to authenticate and authorize access.

Resource owner flow (D)(also known as the Password grant) requires the service to handle a user's cleartext credentials, which is a major security risk and is deprecated in modern security architectures.

TheClient Credentials flowensures that microservices can securely obtain the tokens necessary to communicate with other protected APIs within the ecosystem without requiring human intervention.

In PingAM 8.0.2, Session Upgrade (often referred to as Step-up Authentication) is the process of increasing the "Authentication Level" (Auth Level) associated with a user's session.2 This is common when a user has logged in with a basic method (like username/password) but attempts to access a resource that requires a stronger method (like MFA).

Regarding the statements:

Statement A is correct: To upgrade a session, PingAM requires the user to satisfy the requirements of an authentication tree or module that has a higher Auth Level than the current session.3This technically involves a "re-authentication" event specifically for the higher-level requirement.

Statement B is correct: Crucially, the identity authenticated during the upgrade must match the identity of the existing session. If a different user attempts to authenticate during an upgrade process, PingAM will reject the upgrade to prevent session hijacking or identity swapping.4

Statement D is correct: Session upgrade is indeed the technical implementation of the industry-standard "step-up authentication" concept.

Statement C is incorrectbecause ForceAuth=true is not the only mechanism for a session upgrade. While ForceAuth=true (in SAML2 or OIDC) or the prompt=login parameter can force a fresh authentication, PingAM also supports upgrades viaPolicy Advice.5When a policy engine determines that a resource requires a higher Auth Level, it sends an "advice" to the client, triggering a session upgrade journey.6Additionally, authentication trees can be configured to perform upgrades natively using theSession Upgradeconfiguration in the realm settings. Therefore, since A, B, and D are technically accurate descriptions of the AM 8.0.2 lifecycle, Option C is the correct choice.