Free Practice Questions for Ping Identity PAP-001 Exam

To enableSingle Logout (SLO), theSLO scopemust be defined in the PingAccess Web Session configuration. This determines which sessions are ended when a logout request occurs.

Exact Extract:

“The SLO scope option in a web session specifies which applications are included in a logout event when Single Logout is triggered.”

Option A (SLO scope)is correct; it explicitly enables SLO support by linking session termination across apps.

Option B (Idle timeout)is unrelated; this controls session expiration, not SLO.

Option C (Validate Session)ensures session state is synchronized but does not configure SLO.

Option D (Refresh User Attributes)is unrelated; it only controls whether attributes are reloaded.

When applications depend solely onheader-based identity mapping, attackers can attempt to bypass PingAccess by injecting headers directly into requests sent to the backend. To prevent spoofing, PingAccess should be configured to passcryptographically verifiable tokens(e.g.,ID tokens from OIDC) instead of relying on plain headers.

Exact Extract:

“Headers can be spoofed if not protected. Use signed tokens, such as ID tokens or JWTs, to provide strong identity assurance and prevent header injection attacks.”

Option A (Use ID Tokens)is correct — ID tokens are signed and verifiable, preventing spoofing.

Option B (Add Site Authenticator)protects PingAccess-to-site authentication, not client-to-API spoofing.

Option C (Require HTTPS)prevents eavesdropping but does not stop header spoofing from inside the network.

Option D (Use Target Host Header)ensures host header integrity but not user identity.

Therun.propertiesfile in PingAccess is the primary configuration file that defines system-level runtime behavior. According to PingAccess documentation:

Exact Extract:

“Therun.propertiesfile contains configuration properties for PingAccess, including operational mode, logging levels, admin authentication fallback, cluster settings, and system defaults.”

(PingAccess Administrator’s Guide –run.properties Reference)

From this, we can determine:

C. Operational mode for PingAccess→CorrectThe propertypa.operational.modeinrun.propertiesdefines whether the node operates asSTANDALONE,CLUSTERED_CONSOLE,CLUSTERED_CONSOLE_REPLICA, orCLUSTERED_ENGINE. This is one of the core configurable options.

E. Logging levels→CorrectProperties such aslog.leveland other logging configurations are explicitly defined inrun.properties, allowing administrators to adjust the verbosity of logs (DEBUG, INFO, WARN, ERROR).

Why the others are incorrect:

A. Default logs location→IncorrectThe log file path is not controlled viarun.properties. It is defined inlog4j2.xml, not inrun.properties.

B. URL for heartbeat endpoint→IncorrectThe heartbeat endpoint (/pa/heartbeat.ping) is a fixed system endpoint and is not configurable inrun.properties.

D. X-Frame-Options header→IncorrectSecurity headers likeX-Frame-Optionsare managed under application security policies or global response headers, not inrun.properties.

PingAccess supports logging directly to a relational database usingLog4j database appenders. To enable this:

Configurelog4j2.xmlto use a JDBC Appender.

Configurelog4j2.db.propertieswith the database connection information.

Provide the appropriate database driver in thePA_HOME/libdirectory.

Exact Extract:

“To log to a database, configure log4j2.xml and log4j2.db.properties, and place the JDBC driver JAR file in PA_HOME/lib.”

Option Ais correct — both files must be configured.

Option Bis incorrect — existing logs do not need removal.

Option Cis incorrect — enabling audit is unrelated to database logging.

Option Dis correct — the Oracle JDBC driver must be installed in PA_HOME/lib.

Option Eis incorrect unless TLS is used to connect to the DB, but it is not required for standard DB logging setup.

PingAccess allows administrators to configurecustom error pages or messagesat theRoot Resource levelof an application. This ensures that when rule violations (e.g., authorization failures) occur, the application can display tailored error responses.

Exact Extract:

“Custom error handling for rule violations is configured within the Root Resource of an application.”

Option Ais incorrect — assigning a rule to a resource does not allow defining custom errors.

Option Bis correct — the Root Resource is where administrators define custom error handling for the entire application.

Option Cis incorrect — Rule Sets only combine rules; they do not handle error responses.

Option Dis incorrect — individual rule definitions do not contain custom error configurations.

PingAccess allows fine-grained authentication enforcement by applyingAuthentication Requirement rulesat the resource level. These rules can invoke MFA flows based on request context or policy.

Exact Extract:

“Authentication requirement rules determine whether PingAccess challenges a user to authenticate again (for example, with MFA) before allowing access to a protected resource.”

Option Ais incomplete. Creating a requirement does nothing unless it is applied.

Option Bis correct because applying the Authentication Requirement rule to thespecific resource (URL)enforces MFA only for that resource.

Option Cis incorrect; Web Session Attribute rules are about evaluating existing session attributes, not triggering MFA.

Option Dis incorrect; HTTP Request Parameter rules are used to evaluate request data, not enforce MFA policies.

When APIs are remote, latency is introduced by frequent token validation requests. EnablingCache Tokenon the OAuth Resource Server reduces repeated validation calls and improves performance.

Exact Extract:

“The OAuth Resource Server configuration includes aCache Tokenoption that improves performance by reducing round trips for token validation.”

Option Ais incorrect — key rolling affects cryptographic keys, not API latency.

Option Bis incorrect — virtual hosts control external FQDNs, not performance.

Option Cis incorrect — token attribute size does not significantly affect remote latency.

Option Dis correct — caching tokens reduces validation overhead.

PingAccess service scripts depend on knowing:

Where the Java runtime is installed (JAVA_HOME)

Where PingAccess itself is installed (PA_HOME)

Exact Extract:

“The PingAccess startup scripts require theJAVA_HOMEenvironment variable to locate the JDK/JRE and thePA_HOMEvariable to locate the PingAccess installation directory.”

Option A (J2EE_HOME)is irrelevant to PingAccess.

Option B (JAVA_HOME)is correct — needed for Java execution.

Option C (PA_PATH)is not a standard variable.

Option D (PA_HOME)is correct — required to point to the PingAccess installation root.

Option E (JAVA_PATH)is not valid;PATHcan include Java, butJAVA_HOMEis the correct environment variable.

PingAccess validates access tokens usingAccess Token Managers, which are typically backed byPingFederateor ageneric OIDC provider.

Exact Extract:

“PingAccess validates tokens through Access Token Managers, which can be configured against PingFederate or a common OIDC provider.”

Option A (PingFederate)is correct — the most common token provider.

Option B (Kerberos)is not supported for token validation.

Option C (SAML provider)is incorrect — PingAccess does not natively consume SAML assertions.

Option D (Common OIDC provider)is correct — tokens can be validated against any OIDC-compliant IdP.

Option E (PingAuthorize)is an authorization engine, not a token provider.

PingAccess retains backup archives of its configuration in thedata/archivedirectory. The number of retained backups is controlled in therun.propertiesfile.

Exact Extract:

“The number of configuration backups retained in thedata/archivedirectory is controlled by thearchive.maxCountproperty inrun.properties.”

Option A (log4j2.db.properties)is incorrect; this file controls database logging, not archive retention.

Option B (jvm-memory.options)is incorrect; this file sets JVM heap and memory arguments.

Option C (run.properties)is correct — it contains system-level settings includingarchive.maxCount.

Option D (log4j2.xml)is incorrect; this file configures log appenders and levels, not archive backups.