Free Practice Questions for Ping Identity PT-AM-CPE Exam

In PingAM 8.0.2, the OAuth 2.0 Token Exchange (RFC 8693) supports two primary patterns: delegation and impersonation. Understanding the difference between these is critical for secure microservices architecture.

According to the "Demonstrate Impersonation" section of the PingAM documentation,impersonationis a pattern where a client (the "Actor") acts as another identity (the "Subject") in a way that the downstream resource server sees only the Subject's identity.

Statement A is correct: In an impersonation flow, the client (which has been authorized by the user or is a trusted service) requests a token where it effectively "becomes" the subject to interact with another service. The downstream service treats the request as if it were coming directly from the subject, often with the same set of permissions.

Statement D is correct: To perform a token exchange for impersonation, the client must provide specific parameters to the /oauth2/access_token endpoint. It provides thesubject_token(representing the identity to be impersonated) and theactor_token(representing the identity of the client/service that is performing the impersonation). PingAM validates both tokens to ensure the "Actor" has the permission to impersonate the "Subject."

Why other statements are incorrect: Statement B describesdelegation(where an actor actson behalf ofa subject but maintains their own identity in the act claim). Statement C is incorrect because a token exchange inherently requires proving who the requester is (the actor) and whom they represent (the subject). Without both tokens, the AM server cannot verify the authorization relationship required for impersonation. Therefore, the combination ofA and Daccurately reflects the impersonation pattern in PingAM 8.0.2.

This question explores the fundamental architecture of Session Management in PingAM 8.0.2. PingAM is designed to be highly flexible, supporting both traditional browser-based Single Sign-On (SSO) and modern API-driven interactions.

Analysis of the statements based on PingAM documentation:

Statement A is correct: For browser-based flows, PingAM uses HTTP cookies to maintain session state. Upon successful authentication, AM sends a Set-Cookie header to the browser containing the session token (the session reference).

Statement B is correct: For "headless" or REST-based authentication (such as a mobile app or a back-end service calling /json/realms/root/authenticate), there is no browser to handle cookies automatically. In this case, PingAM returns the tokenId directly in the JSON response body, allowing the client to manage the token manually in subsequent API calls.

Statement D is correct: For historical reasons, the default value for theSSO Cookie Namein PingAM is iPlanetDirectoryPro. While administrators are encouraged to change this for security (obfuscation), it remains the default "out-of-the-box" configuration.

Statement C is incorrect: This is the "distractor" in the question. PingAM 8.0.2 supports multiple session storage models. While theCore Token Service (CTS)is the standard for server-side stateful sessions, AM also supportsClient-side sessions(where the state is stored in a signed/encrypted JWT in the cookie itself) andIn-memory sessions(primarily used for short-lived authentication journeys). Since AM is not restrictedonlyto the CTS, Statement C is false.

Therefore, the combination ofA, B, and Daccurately reflects the session capabilities of PingAM 8.0.2, making Option A the correct answer.

The Cloud Developer Kit (CDK), part of the forgeops repository, represents the modern approach to deploying the Ping Identity Platform (including PingAM 8.0.2) in a containerized, Kubernetes-native environment. According to the PingAM deployment and ForgeOps documentation, the platform has transitioned from a monolithic architecture—where the user interface was embedded within the AM web application—to a decoupled, microservices-aligned architecture. In a standard CDK deployment, the user interface components are separated into their own distinct pods to allow for independent scaling, updates, and management.

The three specific pods that provide user interface functionality in a default CDK environment are:

admin-ui: This pod hosts the administrative console. It is the centralized interface that administrators use to configure realms, manage identity stores, define authentication trees, and oversee the general health of both PingAM and PingIDM. By separating the administrative UI from the core engine, the platform reduces the attack surface and allows for more granular resource allocation.

end-user-ui: This pod serves the self-service portal for end-users. It is responsible for providing the interface where users can manage their own profiles, update passwords, register Multi-Factor Authentication (MFA) devices, and manage their consent for OAuth2/UMA applications. This UI interacts with the back-end via REST APIs to ensure a seamless and responsive user experience.

login-ui: This is a specialized pod dedicated to the authentication journey. When a user interacts with an "Intelligent Access" tree, the login-ui pod renders the callbacks (such as username prompts, password fields, or MFA challenges). This pod ensures that thepresentation layer of the authentication process is modernized and distinct from the heavy processing logic of the PingAM core.

Collectively, these three pods ensure that the "User Interface" layer of the deployment is modular. This architecture is a prerequisite for high-availability deployments and is the standard configuration verified in the ForgeOps documentation for version 8.0.2 deployments.

============

When a client requests an OpenID Connect (OIDC) scope (like profile), PingAM 8.0.2 may present a Consent Screen to the user, asking permission to share specific claims. To make this screen user-friendly, PingAM allows administrators to map technical claim names to human-readable labels and specify localizations.

According to the PingAM documentation on "Supported Claims" in the OAuth2/OIDC Provider settings:

The format for the Supported Claims property entry is:

ClaimName|Locale|DisplayName

In this syntax:

ClaimName: The technical OIDC claim (e.g., name, email, given_name).

Locale: The ISO language code (e.g., en, fr).

DisplayName: The text that will actually appear on the UI (the "Full name" label).

Therefore, the string name|en|Full name (Option A) is the correct configuration.

Option Bis incorrect because it reverses the technical name and the display name.

Option Cis incorrect as it lacks the required locale component and uses full_name (which is not the standard OIDC claim name; the standard is name).

Option Dattempts to perform a logic operation (+) within a configuration field where only static mapping strings are allowed. Claim composition (concatenating first and last names) is handled by theOIDC Claims Script, not by the Supported Claims UI property.

In PingAM 8.0.2, the OpenID Connect (OIDC) Claims Script is the specific extensibility point designed to govern how user information is mapped and transformed into claims within an OIDC ID token or the UserInfo response. While PingAM supports standard scopes like profile and email out of the box, specialized business requirements—such as including an "employee number" which might be stored as employeenumber in an LDAP directory—require a custom transformation.

According to the "OIDC Claims Script" reference in the PingAM documentation:

The script acts as a bridge between the Identity Store (the source of truth) and the OIDC Provider (the issuer). When a client requests a token, PingAM executes this script, providing it with a claimObjects map and the userProfile. The developer can then write Groovy or JavaScript logic to retrieve the employeeNumber attribute from the user's profile and add it to the resulting claims set.

The script typically follows this logical flow:

Identify the requested claims from the OIDC scope.

Fetch the corresponding raw attributes from the Identity Store (e.g., PingDS or AD).

Format and name the claim as per the OIDC specification or the specific client requirement (e.g., mapping LDAP employeenumber to OIDC claim emp_id).

Return the claims to be signed and embedded into the JWT.

Why other options are incorrect: Options A, C, and D reference script types that do not exist under those specific names in the standard PingAM 8.0.2 scripting engine. While there are "Access Token Modification" scripts and "Client Registration" scripts, theOIDC Claims Scriptis the only one authorized and designed to manage the payload of the id_token.

In PingAM 8.0.2, the management of sensitive data such as passwords and cryptographic keys is handled through a unified Secret Store framework. This framework abstracts the source of the secret from the component that consumes it using Secret IDs. One of the most critical secret IDs in a standard installation is storepass.

The storepass secret ID is specifically used by thedefault-keystore(which is typically a "Keystore secret store" pointing to keystore.jks or keystore.p12). Before AM can access the keys within the default-keystore to sign tokens or encrypt data, it must first unlock the keystore itself using the password mapped to the storepass secret ID.

According to the PingAM "Secrets, certificates, and keys" documentation, in adefault file-based configuration, PingAM initializes aFilesystem secret storeas its primary global store. This store is configured to look into a specific directory within the AM configuration path (usually .../openam/secrets/). Inside this directory, AM expects to find files named after the secret IDs they contain. For the storepass ID, there is typically a corresponding file (such as storepass or .storepass) containing the cleartext or encrypted password required to open the primary keystore.

While AM can be configured to use anEnvironment and system property secret store(Option B) for high-portability cloud deployments, the "out-of-the-box" default behavior during a standard installation relies on the filesystem. Option A is incorrect because the storepass is thekeyto the keystore, not a secretinsideit, and Option D refers to specialized hardware integrations not used in a default software-only setup. Therefore, theFilesystem secret storeis the correct technical answer for the default location of the storepass.

============

In PingAM 8.0.2, troubleshooting complex issues often requires moving beyond audit logs to Debug Logs. These logs capture the internal operations of the AM engine and its various components (e.g., Authentication, Core Token Service, Session Management).7

According to the "Debug Logging" section of the PingAM 8.0.2 Maintenance Guide, the standard format for a debug log entry is designed to provide maximum context for support engineers and developers. A typical entry includes:

Time and Date Header: Precise timestamp of when the event occurred.

The Component (Category): Identifies which part of the code issued the message (e.g., amAuth, amSession, amOAuth2).

The Debug Level: Indicates the verbosity/severity, such as ERROR, WARNING, INFO, MESSAGE, or OFF.

The Thread ID: Crucial for multi-threaded environments like Tomcat, allowing administrators to trace a single user's request across multiple log entries.

The Message: A descriptive string explaining the internal operation or the error encountered.

Stack Trace: If the entry is recording an exception, a full Java stack trace is optionally included to pinpoint the exact line of code where the failure occurred.

Option A is the most complete and accurate representation of this structured output. Options B, C, and D are incorrect because they omit essential troubleshooting fields like theThread IDor theComponent name, which are necessary for correlating logs in a high-concurrency production environment. Understanding this structure is fundamental for any administrator using tools like ssoadm or the REST API to capture and analyze troubleshooting information.

Auto-federation is a feature in PingAM 8.0.2 designed to simplify the user experience by automatically linking an IdP identity to an SP identity without manual intervention or a specialized "linking" page.12

According to the PingAM documentation on "Link Identities Automatically with Auto-Federation":

Linking Mechanism (Statement B): Auto-federation does not rely on the SAML NameID. Instead, it uses acommon attribute valuefound in both the SAML assertion and the SP's local identity store. For example, if both systems share an "Email" attribute, the SP can be configured to use the mail attribute from the incoming assertion to search its own datastore. If a match is found, the accounts are linked. This is significantly more flexible than relying on NameID formats (disproving Statement A).

User Experience (Statement C): One of the primary benefits of auto-federation is that it supports a "Just-in-Time" experience. The useronly needs to log in to the Identity Provider (IdP). When they are redirected to the SP, the SP performs the attribute-based lookup and creates the session immediately. The user is never prompted to log in at the SP side just to "prove" who they are for the linking process (disproving Statement D).

Because auto-federation relies on matching attributes and only requires a single login at the IdP, the correct statements areB and C. This makes Option B the correct choice. This feature is particularly useful in Large-Scale B2B or B2C scenarios where pre-mapping thousands of users manually would be impossible.

When PingAM 8.0.2 evaluates an authorization policy, the primary output is a "Permit" or "Deny" decision. However, applications and Policy Enforcement Points (PEPs)—like PingGateway or a Web Agent—often require additional metadata about the user or the session to function correctly (e.g., the user's employee ID, department, or a specific preference).

According to the PingAM documentation on "Policies" and "Requesting Decisions":

The mechanism used to provide this extra information is Response Attributes. When defining a policy in the PingAM UI or via REST, an administrator can configure "Response Attributes" which map internal attributes (from the User Profile or the Session) to keys that are sent back in the policy decision payload.

How it works: If a policy is configured with a response attribute mapping uid to User-ID, when PingGateway asks "Can user X access resource Y?", PingAM responds with "Permit" AND a map containing User-ID: X.

Consumption: PingGateway or the Web Agent can then take these attributes and inject them into HTTP headers (e.g., X-User-ID) so the downstream application can consume them without having to query AM again.

Subjects(Option A),Resources(Option B), andActions(Option D) are allinputcomponents used to define the scope of a policy; they are not used to return data to the enforcer. OnlyResponse Attributesserve the purpose of enriching the decision response with additional context.

============