PT-AM-CPE Ping Identity Certified Professional - PingAM Exam Free Practice Exam Questions (2026 Updated)

In a Cross-Domain Single Sign-On (CDSSO) environment, PingAM must manage session cookies across multiple distinct DNS domains.2 By default, a standard SSO token could potentially be stolen and reused by a malicious actor to gain access to other domains within the same realm.3 To mitigate this specific threat, PingAM 8.0.2 utilizes Restricted Tokens.4

According to the documentation on "Securing CDSSO session cookies," a restricted token is a unique SSO token issued for each specific application or policy agent after successful user authentication.5When CDSSO is active with cookie hijacking protection enabled, PingAM issues a "master" SSO token for the domain where AM resides and separaterestricted tokensfor the other fully qualified domain names (FQDNs) where web or Java agents are located.6

The restricted token is "restricted" because it is inextricably linked to the specific agent and application that initiated the redirection. Internally, AM stores a correlation between the master session and these restricted tokens.7If an attacker attempts to hijack a restricted token and use it to access a different application or a different domain, the AM server performs a validation check on the constraint associated with the token (such as the agent's DN or IP). If the request does not originate from the authorized entity, a security violation is triggered, and access is denied. This mechanism ensures that even if a cookie is stolen in one domain, its utility is confined strictly to that domain and cannot be used for "lateral movement" across the enterprise’s other protected resources. It is important to note that restricted tokens requireserver-side sessionsto function; they are not supported for client-side (JWT-based) sessions.8

In PingAM 8.0.2, when a client needs to trigger a specific authentication path—such as a higher-level tree for step-up authentication or a specific module for transactional authorization—it must tell the /authenticate endpoint which "Index" to use.

According to the PingAM "Authenticate over REST" and "Session Upgrade" documentation, these are governed by two mandatory parameters:

authIndexType: This defines thecategoryof the authentication mechanism being requested. Valid values include service (for Authentication Trees/Chains), module (for individual modules), or level (to request any mechanism that meets a specific Auth Level).

authIndexValue: This defines thenameof the specific instance. For example, if authIndexType is service, the authIndexValue would be the name of the Authentication Tree (e.g., StepUpMFA).

For a step-up or transactional request to succeed, the client must send these two parameters. While service (Option B and D) is a commonvaluefor authIndexType, it is not a parameter name itself.ForceAuth(Option C and D) is an optional boolean used to force a fresh login even if a session exists, but it is not a requirement for the basic routing of the request to the correct tree. Therefore,authIndexTypeandauthIndexValue(Option A) are the fundamental parameters required by the AM engine to identify and initiate the intended authentication journey.7

The May Act script is a critical component of the OAuth 2.0 Token Exchange implementation in PingAM 8.0.2. It allows for the validation of impersonation or delegation requests. Because token exchange can be configured both globally for all clients and specifically for individual applications, the script can be attached at two different levels in the Administrative UI.

OAuth2 Provider Service > Advanced Tab (A): This is the global configuration level. If you want to apply a standard "May Act" validation script across the entire realm for any client performing a token exchange, you configure it here. This script will be the default unless specifically overridden.

OAuth2 Client Profile > OAuth2 Provider Overrides Tab (D): PingAM allows for granular control per client. If a specific "Confidential Client" (like a backend microservice) requires unique logic for determining who it can act as, you can specify a different script or override the global setting. This is done in the "OAuth2 Provider Overrides" tab within that specific client's configuration profile.

Why other options are incorrect: TheCoretab (B) is used for basic settings like issuer names and token lifetimes, not for advanced scripting hooks. TheAdvancedtab of the Client Profile (C) contains settings like TTLs and Logout URLs, but the specific ability to override "Provider" level logic (like the May Act script) is moved to the specializedOverridestab to keep the interface organized. Therefore, the correct locations areA and D, as identified in the "Token Exchange Configuration" guide for version 8.0.2.

When an OAuth2 client uses Private Key JWT or Client Secret JWT for authentication at the PingAM 8.0.2 token endpoint, it must present a JWT (JSON Web Token) containing specific claims that identify and authorize the client. This is governed by the OIDC and OAuth2 JWT Profile specifications (RFC 7523).

According to the PingAM documentation on "OAuth 2.0 Client Authentication" and the "JWT Profile for Client Authentication":

iss (Issuer): Mandatory. This must be the client_id of the OAuth2 client.

sub (Subject): Mandatory. This must also be the client_id of the OAuth2 client (as the client is the subject of the authentication).

aud (Audience): Mandatory. This must be the URL of the PingAM OAuth2 service (the token endpoint) or the issuer URL.

exp (Expiration Time): Mandatory. This protects against the long-term use of intercepted assertions.

Thejti (JWT ID)(Option A) provides a unique identifier for the token. In the context of standard JWT validation, jti is used to preventreplay attacksby ensuring that a specific token is only processed once. While highly recommended for security hardening, the PingAM 8.0.2 technical reference for OAuth2 client assertions marks jti asoptionalunless the server is explicitly configured to require it for replay detection. Without a jti, PingAM will still validate the iss, sub, aud, and exp claims to authenticate the client. Therefore, among the choices provided, jti is the claim that can be omitted without inherently violating the base OAuth2 JWT authentication request requirements.

============

When a client requests an OpenID Connect (OIDC) scope (like profile), PingAM 8.0.2 may present a Consent Screen to the user, asking permission to share specific claims. To make this screen user-friendly, PingAM allows administrators to map technical claim names to human-readable labels and specify localizations.

According to the PingAM documentation on "Supported Claims" in the OAuth2/OIDC Provider settings:

The format for the Supported Claims property entry is:

ClaimName|Locale|DisplayName

In this syntax:

ClaimName: The technical OIDC claim (e.g., name, email, given_name).

Locale: The ISO language code (e.g., en, fr).

DisplayName: The text that will actually appear on the UI (the "Full name" label).

Therefore, the string name|en|Full name (Option A) is the correct configuration.

Option Bis incorrect because it reverses the technical name and the display name.

Option Cis incorrect as it lacks the required locale component and uses full_name (which is not the standard OIDC claim name; the standard is name).

Option Dattempts to perform a logic operation (+) within a configuration field where only static mapping strings are allowed. Claim composition (concatenating first and last names) is handled by theOIDC Claims Script, not by the Supported Claims UI property.

The Device Authorization Grant (commonly referred to as the Device Flow, RFC 8628) is a specialized OAuth 2.0 grant flow supported by PingAM 8.0.2. It is designed for internet-connected devices that either lack a browser or have limited input capabilities (e.g., Smart TVs, IoT devices, or CLI tools).

In this flow, the interaction is split between the "Device" and a "Secondary Device" (like a smartphone or laptop) that has a full browser. TheUser Codeis a fundamental component of this process:

Device Request: The device requests a code from PingAM.

PingAM Response: AM returns aDevice Code(for the device) and aUser Code(a short, human-readable string like BCDF-GHJK).

User Action: The device displays the User Code and a verification URL to the user.

Authorization: The user navigates to the URL on their smartphone, logs into PingAM, and enters theUser Code.

Token Issuance: Once the user authorizes the request, the device (which has been polling AM using the Device Code) receives the Access and Refresh tokens.

TheUser Codeis unique to the Device Flow (Option D). It is not used in theClient Credentials Grant(which is machine-to-machine), theAuthorization Code Grant(which uses a redirect-based code), or theResource Owner Password Credentials Grant(which uses direct username/password submission). In PingAM 8.0.2, administrators can configure the length, character set, and expiration time of these user codes within the OAuth2 Provider settings.

Cross-Site Request Forgery (CSRF) is an attack where a malicious site sends a request to PingAM using the victim's authenticated browser session. Because standard HTML forms and cross-site requests cannot easily set custom HTTP headers, requiring a specific header is an effective defense for REST APIs.

According to the PingAM "Security" documentation and the "REST API" reference:

By default, PingAM 8.0.2 enforces a CSRF filter on its REST endpoints (such as /json/authenticate or /json/users). For any "state-changing" request (like a POST, PUT, or DELETE), the client must prove the request is intentional and not a forged browser-driven request. This is achieved by requiring at least one of the following headers:

X-Requested-With: Commonly used by AJAX libraries like jQuery. Its presence indicates the request was made via a script, which is generally not possible for a standard cross-site CSRF attack.

Accept-API-Version: This header serves two purposes. First, it ensures the client is targeting a specific version of the PingAM REST API (e.g., resource=2.0, protocol=1.0). Second, since custom headers cannot be set in simple cross-site <form> submissions, it acts as aCSRF token.

If a POST request is sent to the REST API without one of these headers, PingAM will reject the request with a403 Forbiddenerror, even if the user has a valid session cookie.

Option B (If-Match: _rev)is used for concurrency control (preventing "lost updates" in IDM or AM configuration), but it is not the primary CSRF defense.Options A and Dare headers sometimes used for "Zero-Page Login" or legacy authentication, but they do not provide protection against CSRF for the general REST API. Therefore, the combination ofX-Requested-WithorAccept-API-Versionis the correct answer for default CSRF protection in PingAM 8.0.2.

This error message is directly related to the User Profile configuration within a specific realm in PingAM 8.0.2. In the "Core Authentication Attributes" of a realm, PingAM defines how it should handle user identities after they have successfully provided valid credentials through an authentication tree or chain.

There are primarily four modes for theUser Profilesetting:

Required: This is often the default. It specifies that after a user successfully authenticates, PingAM must be able to locate a corresponding user entry in the configuredIdentity Store. If the user exists in the datastore, the session is created. If the user does not exist, authentication fails with the error message "user requires profile to login" (or a similar profile-related exception in the logs).

Ignored: In this mode, PingAM issues an SSO session token immediately upon successful credential validation, regardless of whether a user profile exists in the back-end repository. This is useful for temporary or guest access where no permanent record is needed.

Dynamic: AM attempts to find the user; if the user is not found, it automatically creates a new profile in the identity store.

Dynamic with User Alias: Similar to dynamic creation but supports aliasing.

If an administrator sees the "user requires profile to login" error, it confirms that the credentials themselves were technically correct (the user passed the authentication nodes), but the realm is currently inRequiredmode (it hasnotbeen set toIgnoreorDynamic) and no matching entry exists in the identity store. This frequently happens in migration scenarios or when using external identity providers (like Social IDPs) where the "Link" or "Provisioning" step has not been properly configured in the authentication journey. To resolve this, the administrator must either pre-provision the user, set the mode toIgnore, or implement aCreate Objectnode within the authentication tree to handle dynamic provisioning.

In a high-availability PingAM 8.0.2 cluster, Affinity Load Balancing is a mechanism used to ensure that requests related to a specific session or configuration are routed to the same Directory Server (DS) instance to avoid issues with replication lag. This is particularly important for stores where data changes frequently or where consistent reads are required immediately after a write.

According to the PingAM documentation on "Load Balancing" and "External Data Stores," affinity can be configured for the following primary stores:

Core Token Service (CTS) Store: This is the most critical area for affinity. Since the CTS handles stateful data like session tokens and OAuth2 tokens that are updated constantly, ensuring that an AM server consistently communicates with a specific DS node (using the HOST:PORT|SERVERID|SITEID syntax) prevents "token not found" errors that might occur if a request reached a DS node before the token was replicated.

Configuration Store: This store holds the central configuration for the AM deployment. In multi-server environments, affinity ensures that configuration changes are read consistently across the cluster.

Identity Stores: These hold the user profiles. While often read-heavy, affinity is used here to improve caching efficiency and ensure that profile updates (like password changes or attribute updates) are reflected immediately in subsequent authentication steps within the same cluster.

Policy Data Store: This stores authorization policies. Similar to configuration, affinity ensures consistent policy evaluation.

Option D is the correct answer because it includes theCore Token Service, Identity Stores, Configuration Store, and Policy Data Store. The "Application Data Store" (mentioned in other options) is often logically grouped with or replaced by the Policy Data Store in many 8.0.2 configurations, but the four stores listed in Option D are the specific ones explicitly called out in the "External Data Stores" secondary configuration documentation for supporting affinity settings.