PT-AM-CPE Ping Identity Certified Professional - PingAM Exam Free Practice Exam Questions (2026 Updated)

In a SAML 2.0 Federation flow, once the Service Provider (SP) receives and validates a SAML Assertion from an Identity Provider (IdP), it must determine which local user account the assertion corresponds to. This is the role of the SAML2 Account Mapper.

According to the PingAM 8.0.2 documentation on "Federate Identities" and the "SAML 2.0 Reference":

The SP-side account mapper (specifically the SPAccountMapper interface or its scripted equivalent) is responsible for mapping the remote user (identified in the SAML assertion) to a local user profile in the SP's identity store.

This mapping can be achieved in several ways:

Account Linking: Finding an existing link between the NameID in the assertion and a local DN.

Attribute Matching: Using an attribute from the assertion (like mail) to search the local directory for a matching user.

Auto-Federation: If configured, creating a link or a new profile automatically based on the incoming data.

If the account mapper cannot find a corresponding local profile, the SP cannot create a local session, and the SSO process will fail, typically with a "User not found" or "Local identity not found" error. Thus, the purpose is strictly the identification of the local subject based on the remote assertion (Option D). Options A and B are incorrect as they describe aggregation or account merging which are not the primary function of the SAML mapper. Option C describes "Attribute Mapping," which is a separate step (handled by the Attribute Mapper) that occursafterthe identity has been successfully mapped.

This question explores the fundamental architecture of Session Management in PingAM 8.0.2. PingAM is designed to be highly flexible, supporting both traditional browser-based Single Sign-On (SSO) and modern API-driven interactions.

Analysis of the statements based on PingAM documentation:

Statement A is correct: For browser-based flows, PingAM uses HTTP cookies to maintain session state. Upon successful authentication, AM sends a Set-Cookie header to the browser containing the session token (the session reference).

Statement B is correct: For "headless" or REST-based authentication (such as a mobile app or a back-end service calling /json/realms/root/authenticate), there is no browser to handle cookies automatically. In this case, PingAM returns the tokenId directly in the JSON response body, allowing the client to manage the token manually in subsequent API calls.

Statement D is correct: For historical reasons, the default value for theSSO Cookie Namein PingAM is iPlanetDirectoryPro. While administrators are encouraged to change this for security (obfuscation), it remains the default "out-of-the-box" configuration.

Statement C is incorrect: This is the "distractor" in the question. PingAM 8.0.2 supports multiple session storage models. While theCore Token Service (CTS)is the standard for server-side stateful sessions, AM also supportsClient-side sessions(where the state is stored in a signed/encrypted JWT in the cookie itself) andIn-memory sessions(primarily used for short-lived authentication journeys). Since AM is not restrictedonlyto the CTS, Statement C is false.

Therefore, the combination ofA, B, and Daccurately reflects the session capabilities of PingAM 8.0.2, making Option A the correct answer.

In PingAM 8.0.2, there is a critical distinction between Tree-based (or Chain-based) authentication and Module-based authentication. Module-based authentication is a legacy feature that allows a user to target an individual authentication module directly (e.g., .../UI/Login?module=DataStore).

According to the "Security Considerations" and "Hardening PingAM" documentation, module-based authentication poses a significant security risk and should be disabled in production. This is becauseit allows a user to bypass steps in an authentication chain(Option C).

If an administrator has designed a secure "Chain" that requires both aDataStore(password) check AND aOne-Time Password(MFA) check, the intention is for these to be inseparable. However, if module-based authentication is enabled, a malicious user or a tester could bypass the MFA requirement by crafting a URL that calls only the "DataStore" module. This effectively circumvents the multi-factor security logic intended by the administrator.

To mitigate this, PingAM provides a global and realm-level setting to "Disable Module-based Authentication." Once disabled, PingAM will only process authentication requests that target a namedAuthentication TreeorChain, ensuring that the user is forced through the entire sequence of nodes and logic defined by the security architect.

In PingAM 8.0.2, a Session Upgrade occurs when a user is required to authenticate at a higher security level (Auth Level). The outcomes of these upgrades depend on the session storage (server-side vs. client-side) and the parameters used.

Statement B isincorrectbecause it claims that a new token is issuedonlywhen the current session does not meet requirements. In reality, if a request explicitly includes a parameter like ForceAuth=true or prompt=login, PingAM will force a re-authentication and issue anew session tokenregardless of the current session's state.

According to the "Session Upgrade" and "Step-up Authentication" documentation:

Statement A is correct: When ForceAuth=true is used, the AM engine ignores the existing session's Auth Level and forces the user through the tree. A new session/token is generated upon success.

Statement C is correct: This describes the standard "Advice" flow (e.g., from a policy). AM creates a new session, copies existing properties from the old one, and replaces the token.

Statement D is correct: In client-side sessions, since the state is in a JWT cookie, any change (like an Auth Level increase) requires the issuance of a brand-new signed JWT to replace the old one.

Therefore, because PingAM allows for forced re-authentication even when requirements are met, the restrictive "only when" condition in Statement B makes it the incorrect (and thus the target) answer. This behavior is key for security scenarios where a fresh proof of presence is required regardless of previous activity.

============

The Core Token Service (CTS) is a high-performance persistence layer in PingAM 8.0.2 designed to store short-lived, stateful data. Unlike the Configuration Store (which holds static system settings) or the Identity Store (which holds user profiles), the CTS is optimized for "token-like" data that is frequently created, updated, and deleted.

According to the "Core Token Service (CTS) Overview" in the PingAM 8.0.2 documentation, the primary purpose of the CTS is to provide a centralized repository for:

Session Tokens: For server-side sessions, the session state is stored in the CTS.

OAuth 2.0 Tokens: This includesAccess Tokens,Refresh Tokens, andAuthorization Codes. When an OAuth2 client requests a token, AM generates it and, if configured for server-side storage, persists it in the CTS so that any node in an AM cluster can validate it.

SAML 2.0 Tokens: Used for tracking assertions and managing Single Logout (SLO) states.

UMA (User-Managed Access) Labels and Resources: Various state information for the UMA protocol.

The documentation explicitly clarifies that the CTS isnota general-purpose database.Configuration(Option A) is strictly stored in the Configuration Data Store (usually a dedicated PingDS instance).Users(Option B) are stored in an Identity Store such as Active Directory or PingDS.Kerberos tokens(Option C) are part of a challenge-response handshake that is typically handled at the protocol layer and not stored as persistent records in the CTS. Therefore,OAuth2 tokensare the definitive type of data managed by the CTS among the choices provided. Utilizing the CTS for OAuth2 tokens is a prerequisite for supporting features like token revocation and refresh token persistence across multiple AM instances in a high-availability deployment.

============

The Device Authorization Grant (Device Flow), defined in RFC 8628 and implemented in PingAM 8.0.2, involves a polling mechanism where the device repeatedly asks the token endpoint for an access token using the device_code it received earlier.1

According to the PingAM documentation on "Device Authorization Grant" and "OAuth 2.0 Endpoints," during the period when the user is still navigating to the verification URL and entering their user code, the device's polling requests to the /oauth2/access_token endpoint will not result in a successful token issuance. Instead, PingAM returns a400 Bad Requeststatus code.

It is important to look at the JSON response body accompanying the 400 error. The body contains an error field with the value authorization_pending.2This specific error code tells the device that the authorization request is still valid and in progress, but the user has not yet completed their part. The device should continue to poll at the interval specified in the initial response.

Other error codes like403 Forbidden(Option A) would typically indicate a permanent rejection or that the device is polling too frequently (slow_down).401 Unauthorized(Option C) is generally reserved for invalid client credentials when the client is confidential.302 Found(Option D) is a redirect, which is not used in the back-channel polling phase of the Device Flow. Therefore, while a 400 error usually suggests a client error, in the context of the Device Flow, it is the standard protocol-level response used to communicate that the token is not yet ready because the user hasn't finished authorizing.

When integrating PingAM 8.0.2 with an external LDAP directory (such as PingDS or Active Directory), the Identity Store configuration defines how AM interacts with that directory. A common task is defining which LDAP attribute should be used when a user attempts to log in with a username.

According to the "Identity Store Configuration Reference," the propertyLDAP Users Search Attributeis the correct attribute to modify. This field defines the LDAP attribute name that AM uses in its search filter to find a matching user entry. For example, if this property is set to uid, AM will execute a search like (&(objectClass=person)(uid=username)). If the requirement changes such that users should log in using their email addresses, the administrator would update this property to mail.

LDAP Users Search Attribute (Option A): Directly controls the attribute used in the user lookup query.

LDAP Users Bind Attribute (Option C): This is used to specify which attribute forms the Distinguished Name (DN) during a bind operation, but the initial "finding" of the user is governed by the Search Attribute.

Option B and D: These are not standard property names within the PingAM Data Store configuration UI.

Understanding this mapping is essential for aligning PingAM with the existing schema of an organization's directory. This setting is typically found underRealms > [Realm Name] > Identity Stores > [Store Name] > LDAP Secondary Configuration.

To facilitate federation between a SAML2 Identity Provider (IdP) and a Service Provider (SP), metadata must be exchanged. PingAM 8.0.2 provides a built-in utility page, exportmetadata.jsp, specifically for this purpose.

When an IdP is configured within asubrealm(rather than the Top Level Realm), the metadata export URL must be qualified with specific query parameters to ensure the correct entity configuration is retrieved. According to the "SAML 2.0 Reference" and "Exporting SAML 2.0 Metadata" documentation:

entityid: This parameter is mandatory when there are multiple entities configured. It specifies the unique URI of the IdP (e.g., http://myserver.domain.com:8080/openam). This tells the JSP which specific provider's metadata to generate.

realm: This parameter is crucial for subrealm deployments. By default, the JSP looks in the root realm (/). If the IdP resides in a subrealm named /idprealm, the URL must explicitly include &realm=/idprealm.

Option D is the correct technical string. Option B is incorrect as it lacks parameters and would only attempt to export default root-level metadata. Option C is incorrect because the parameter name is entityid, not idp. While Amster (Option A) can indeed be used to export configuration, the exportmetadata.jsp remains the standard and most common method for generating the XML-formatted metadata required by external partners.

The Authentication Context Class Reference (acr) is a standard parameter in OpenID Connect (OIDC) used by a client (Relying Party) to request a specific level or method of authentication from the OpenID Provider (PingAM 8.0.2).

According to the "OpenID Connect 1.0" and "OAuth2 Provider Service" documentation in PingAM, there is a specific configuration mapping forACR to Authentication Tree. In the AM console, under theOAuth2 Provider > OpenID Connecttab, administrators define a list of mappings. Each entry consists of an ACR string (e.g., urn:mace:incommon:iap:silver or simply MFA) and its correspondingAuthentication Treename.

When an OIDC client sends a request to the /authorize endpoint containing the acr_values parameter, PingAM performs a lookup:

It checks the incoming acr_values against the configured map.

If a match is found, PingAM ignores the default realm authentication configuration and initiates theAuthentication Treemapped to that specific ACR value.

Upon successful completion, the resulting ID Token will contain the acr claim with the requested value, confirming to the client that the specific journey was completed.

This mechanism allows developers to programmatically request "Step-up" or "Social Login" or "MFA" specifically from their application code by leveraging OIDC standard parameters. While ACR values are oftenrelatedtoAuthentication Levels(Option D) conceptually, in PingAM's internal architecture, they are directly used to select and trigger a specificAuthentication Tree(Option A).

In SAML 2.0 federation with PingAM 8.0.2, there are two ways to initiate SSO: IdP-Initiated (where the user starts at the Identity Provider) and SP-Initiated (where the user starts at the Service Provider).3

According to the "SAML 2.0 Guide" for PingAM:

SP-Initiated SSO: The correct JSP file for an SP-initiated flow is spSSOInit.jsp.4This script is used by an SP (in this case, PingAM acting as an SP or a "Fedlet") to generate a SAML AuthnRequest and send it to the IdP.

Redirecting to the Application: In the SAML 2.0 standard, the mechanism used to preserve state (like the final destination URL) across the redirect-heavy SSO process is theRelayStateparameter. When the IdP sends the SAML assertion back to the SP, it also returns the RelayState value. The SP then uses this value to redirect the user to the final application.

While PingAM uses the goto parameter for internal redirects (like standard web login),RelayStateis the required parameter name for SAML-related JSPs to ensure interoperability with the SAML specification. Therefore, the correct URL is .../spSSOInit.jsp combined with the RelayState parameter (Option D). Using idpSSOInit.jsp (Options A and B) would trigger an IdP-initiated flow, which is not what the question describes. Option C is incorrect because it uses the non-SAML goto parameter in a SAML initialization context.

Securing a PingAM 8.0.2 environment involves hardening multiple layers of the architecture, particularly when using external data stores and stateful sessions. According to the "General Security Considerations" and "Hardening PingAM" documentation, several key "Best Practices" must be applied.

Changing the SSO Cookie Name: By default, AM uses iPlanetDirectoryPro. Attackers often scan for this specific cookie name to identify ForgeRock/PingAM installations. Changing it provides "security through obscurity" and prevents some automated attacks.

Using Your Own Keys: PingAM ships with default test keys in the keystore. For production, you must generate your own cryptographic keys for signing and encrypting tokens (SSO, OIDC, SAML) to ensure the integrity of the environment.

Specific Bind Accounts: When connecting to an external PingDS or Active Directory, PingAM should never use a highly privileged account (like cn=Directory Manager). Instead, a dedicated account with limited, specific permissions (ACLs) should be created for AM's use.

Top-Level Administrator Management: The amAdmin account is the "root" of the AM system. In a production environment, it is considered a significant security risk to use this account for daily operations.

Why Option C is the correct answer:The documentation specifically recommends creating anew top-level administratorand thensecuring or disablingthe default amAdmin. This is more effective than simply "renaming" it (Option A) or "reducing privileges" (Options B and D). In PingAM, amAdmin has hardcoded superuser capabilities in many areas; therefore, the best practice is to create a new administrative user with the necessary roles and then protect the amAdmin credentials in a vault. Option B is also incorrect because server-side sessions already store data on the server; the cookie only contains the session ID (the reference), so "encrypting the cookie contents" is redundant for server-side sessions compared to client-side sessions where theentirestate is in the cookie.

When PingAM 8.0.2 evaluates an authorization policy, the primary output is a "Permit" or "Deny" decision. However, applications and Policy Enforcement Points (PEPs)—like PingGateway or a Web Agent—often require additional metadata about the user or the session to function correctly (e.g., the user's employee ID, department, or a specific preference).

According to the PingAM documentation on "Policies" and "Requesting Decisions":

The mechanism used to provide this extra information is Response Attributes. When defining a policy in the PingAM UI or via REST, an administrator can configure "Response Attributes" which map internal attributes (from the User Profile or the Session) to keys that are sent back in the policy decision payload.

How it works: If a policy is configured with a response attribute mapping uid to User-ID, when PingGateway asks "Can user X access resource Y?", PingAM responds with "Permit" AND a map containing User-ID: X.

Consumption: PingGateway or the Web Agent can then take these attributes and inject them into HTTP headers (e.g., X-User-ID) so the downstream application can consume them without having to query AM again.

Subjects(Option A),Resources(Option B), andActions(Option D) are allinputcomponents used to define the scope of a policy; they are not used to return data to the enforcer. OnlyResponse Attributesserve the purpose of enriching the decision response with additional context.

============

The scenario described—where a client (Relying Party) already knows who the user is and needs them to authorize an action on a different device—is the primary use case for the Backchannel Request Grant, also known as Client-Initiated Backchannel Authentication (CIBA).

According to the PingAM 8.0.2 documentation on "OpenID Connect Grant Flows" and "CIBA":

Unlike traditional OIDC flows (Implicit, Authorization Code, Hybrid) that require a browser redirect (front-channel) to the OpenID Provider, CIBA is a back-channel flow. It is designed for "decoupled" authentication.

The Trigger: The RP sends a request directly to PingAM's backchannel authentication endpoint, providing a user identifier (like a username or email).

The Consent: PingAM then reaches out to the user'sAuthentication Device(usually a smartphone with the ForgeRock Authenticator app) via a Push notification.

The Approval: The user approves the request on their phone.

The Tokens: The RP, which has been polling PingAM or waiting for a callback, receives the ID Token and Access Token.

Common real-world examples include a bank teller initiating a login on their terminal which the customer approves on their mobile banking app, or a call center agent verifying a caller's identity via a push notification. Option D is the only flow that supports this decoupled, separate-device architecture. Options A, B, and C are all "Front-channel" flows that require the user's interaction to happen in the same browser session that initiated the request.

To enforce complex authorization logic based on session duration, PingAM 8.0.2 administrators must move beyond the static "Out-of-the-Box" conditions.

Analysis of the options based on the "Policy Conditions" documentation:

Time Condition (Option A): This condition is used to restrict access based on theclock time of dayorday of the week(e.g., "Allow access only between 9 AM and 5 PM"). It does not track the elapsed time of a specific user session.

Current Session Properties (Option B): This condition checks for the presence of specific key-value pairs in a session. While a session contains a startTime property, this condition is designed for matching static values (like department=HR), not for performing mathematical time calculations.

Active Session Time (Option D): This is not a standard default condition name in the PingAM 8.0.2 policy engine.

The Correct Approach (Option C): AScripted Policy Conditionis required for this use case. Within a Policy Condition script, the administrator has access to the session object. The script can retrieve the startTime (or creationTime) of the session and compare it against the current system time (currentTime).

Example logic in the script:

var sessionStartTime = session.getProperty("startTime");

var maxDuration = 10 * 60 * 1000; // 10 minutes in milliseconds

if ((currentTime - sessionStartTime) > maxDuration) { authorized = false; }

By using a script, PingAM can dynamically calculate the age of the session at the moment of the access request and return a "Deny" decision if the 10-minute threshold has been exceeded. This provides the granular control needed for high-security environments where "session freshness" is a requirement for specific sensitive resources.

In PingAM 8.0.2, requesting policy decisions via the REST API involves sending a POST request to the policies endpoint with the _action=evaluate parameter. To receive an accurate decision, the request body must provide the context of the access attempt.

According to the "Request policy decisions over REST" documentation, the JSON body typically includes the following core fields:

resources: (Required) An array of strings representing the URIs the user is attempting to access.

application: (Required) This field specifies the name of thePolicy Set(formerly known as the application) that contains the relevant policies for the evaluation.

subject: (Optional, but usually required for user-specific policies) This object identifies the user or entity requesting access. It can include the user's ssoToken or a set of claims if using JWT-based subjects.

Why other options are incorrect:Advices(Options A and C) are not inputs for a policy evaluation request. Instead, advices arereturnedby PingAM in the response if a policy condition fails (e.g., an AuthLevelConditionAdvice requesting the user to provide MFA). A request cannot "evaluate" an advice; it triggers one. Option D is incorrect because the resources field is a mandatory requirement for any evaluation; without a target resource, the engine has nothing to compare against the defined policy rules. Therefore, the combination ofresources, subject, and applicationrepresents the standard, valid structure for a policy decision request in PingAM 8.0.2.

In the Ping Identity ForgeOps methodology for version 8.0.2, there are two primary deployment patterns used in Kubernetes: the Cloud Developer Kit (CDK) and the Cloud Deployment Model (CDM).

CDK (Cloud Developer Kit): This is intended for development and demonstration purposes. It is a "minimized" version of the platform. Crucially, in the CDK, thePingDS(directory service) is typically deployed as a single instance. It lacks the redundancy and replication required for production, as the goal is to reduce resource consumption on a developer's machine or a small test cluster.

CDM (Cloud Deployment Model): This is the reference architecture for production-grade environments. The CDM is designed for high availability and scale. According to the "ForgeOps Documentation," the primary differentiator is that the CDM providesreplicated directory services. In a CDM deployment, PingDS is deployed in a multi-instance, replicated state (using a Kubernetes StateFulSet) to ensure that if one DS pod fails, the session and configuration data remain available.

While both models support major cloud providers like GKE, EKS, and AKS (Option B), generate random secrets (Option A), and provide integrated AM/IDM/DS stacks (Option D), the presence ofmulti-node replicationin the directory layer is the definitive technical boundary between the "Developer" kit and the "Production" model.

In SAML 2.0, an Artifact is a reference (a "pointer" or "ticket") used in the SAML Artifact Binding.5 This is an alternative to the more common POST or Redirect bindings where the actual XML assertion is sent through the user's browser.

According to the PingAM "SAML 2.0 Bindings" documentation:

When using the Artifact binding, the Identity Provider (IdP) does not send the full SAML Assertion through the browser.6 Instead, it sends a small, opaque string called the Artifact to the Service Provider (SP).

Issuance: The IdP stores the real assertion in its own local memory/cache and sends the Artifact to the SP via the browser redirect.

Resolution: The Service Provider receives the Artifact and then makes a direct, secureback-channel call(SOAP over HTTPS) to the IdP's Artifact Resolution Endpoint.

Exchange: The SP presents the Artifact, and the IdP returns the actual SAML Assertion.

Therefore, the Artifact is thevalue sent to retrieve the assertion(Option D). It is not the assertion itself (Option A), nor is it a binding name or an attribute name. The Artifact binding is often used for security reasons, as it prevents the sensitive assertion data from ever passing through the user's browser, thus mitigating certain types of interception attacks.

CSRF stands for Cross-Site Request Forgery.8 It is a common web security vulnerability where an attacker tricks a victim's browser into performing an unwanted action on a different website where the victim is currently authenticated.9

In the context ofPingAM 8.0.2and the OAuth 2.0 /authorize endpoint, CSRF protection is vital.10If an attacker can forge an authorization request, they might be able to inject their own authorization code into a victim's session or link a victim's account to an attacker-controlled client.

To mitigate this, the OAuth 2.0 protocol uses a parameter (often named state in the RFC, but referred to in PingAM's security configuration and logging as a CSRF-related check) to ensure that the request returning to the client is the same one that the client initiated.11PingAM's "Security Considerations" documentation explains that the server enforcesCross-Site Request Forgeryprotection by verifying that requests originate from trusted sources and include unpredictable tokens that an external malicious site could not guess or recreate.12

In AM 8.0.2, you can configure the "CSRF Protection Filter" which can be applied to various endpoints to prevent unauthorized state-changing commands.13This is particularly important for the administration UI and the authentication endpoints where a user's session is active. Understanding that CSRF stands for Cross-Site Request Forgery is a fundamental requirement for any security professional working with identity protocols and PingAM hardening.

The Cloud Developer Kit (CDK), part of the forgeops repository, represents the modern approach to deploying the Ping Identity Platform (including PingAM 8.0.2) in a containerized, Kubernetes-native environment. According to the PingAM deployment and ForgeOps documentation, the platform has transitioned from a monolithic architecture—where the user interface was embedded within the AM web application—to a decoupled, microservices-aligned architecture. In a standard CDK deployment, the user interface components are separated into their own distinct pods to allow for independent scaling, updates, and management.

The three specific pods that provide user interface functionality in a default CDK environment are:

admin-ui: This pod hosts the administrative console. It is the centralized interface that administrators use to configure realms, manage identity stores, define authentication trees, and oversee the general health of both PingAM and PingIDM. By separating the administrative UI from the core engine, the platform reduces the attack surface and allows for more granular resource allocation.

end-user-ui: This pod serves the self-service portal for end-users. It is responsible for providing the interface where users can manage their own profiles, update passwords, register Multi-Factor Authentication (MFA) devices, and manage their consent for OAuth2/UMA applications. This UI interacts with the back-end via REST APIs to ensure a seamless and responsive user experience.

login-ui: This is a specialized pod dedicated to the authentication journey. When a user interacts with an "Intelligent Access" tree, the login-ui pod renders the callbacks (such as username prompts, password fields, or MFA challenges). This pod ensures that thepresentation layer of the authentication process is modernized and distinct from the heavy processing logic of the PingAM core.

Collectively, these three pods ensure that the "User Interface" layer of the deployment is modular. This architecture is a prerequisite for high-availability deployments and is the standard configuration verified in the ForgeOps documentation for version 8.0.2 deployments.

============