PAP-001 Certified Professional - PingAccess Questions and Answers

Applications consuming signed JWTs need the JSON Web Key Set (JWKS) endpoint to retrieve the public keys used for validating JWT signatures. PingAccess exposes this at /pa/authtoken/JWKS .

Exact Extract:

“When using JWT identity mapping, applications can obtain the signing keys from the /pa/authtoken/JWKS endpoint to validate the JWT signature.”

Option A is correct — /pa/authtoken/JWKS provides the key set for signature validation.

Option B is incorrect — that’s an administrative API for configuring identity mappings, not a runtime validation endpoint.

Option C is incorrect — /pa/aidc/cb is the OIDC callback endpoint.

Option D is incorrect — /pa-admin-api/v3/authTokenManagement is for admin token management, not JWT validation.

When a backend application requires its own authentication (e.g., Basic Auth or mutual TLS), PingAccess uses a Site Authenticator to inject the necessary credentials.

Exact Extract:

“Site Authenticators provide the credentials PingAccess uses when authenticating to target applications that require their own authentication mechanisms.”

Option A (Token Provider) is incorrect — this is used for OIDC/OAuth tokens, not site-level authentication.

Option B (Web Session) manages end-user sessions, not backend site authentication.

Option C (Site Authenticator) is correct — it handles authentication between PingAccess and the backend.

Option D (Access Control Rule) enforces authorization, not backend authentication.

The admin.auth setting in the run.properties file is used to specify a fallback authentication method for the administrative console.

Exact Extract from official documentation:

“To define a fallback administrator authentication method if the OIDC token provider is unreachable, enable the admin.auth=native property in the run.properties file. This overrides any configured administrative authentication to basic authentication.”

This makes it clear that the purpose of admin.auth is to override any configured SSO for the admin UI and enforce native (basic) authentication instead.

Option A is incorrect because the admin.auth setting does not configure SSO. SSO for the admin UI is configured separately.

Option B is incorrect because this setting does not apply to the administrative API; it specifically applies to the admin UI console.

Option C is correct because it directly reflects the documented behavior: admin.auth overrides SSO configuration for the administrative UI and enables native authentication.

Option D is incorrect because the setting does not enable automatic authentication. It still requires credentials, but falls back to basic auth.

Mutual TLS (mTLS) is used to establish two-way authentication where both the client and the server present certificates to prove their identity. In the case of PingAccess, a Mutual TLS Site Authenticator is configured when PingAccess acts as a reverse proxy making requests to a backend (target) server.

Exact Extract from PingAccess documentation:

“Mutual TLS site authenticators provide client certificate authentication when PingAccess connects to a backend site. This allows PingAccess to present its certificate to the target server during the TLS handshake.”

This means the purpose is for PingAccess (client) to authenticate itself to the backend server (target resource) when establishing a secure connection.

Why other options are wrong:

A. Allows the backend server to authenticate to PingAccess

Incorrect. That’s normal server-side TLS authentication (the server presents a cert to the client), not mutual TLS initiated by PingAccess.

B. Allows the user to authenticate to the backend server

Incorrect. End users do not directly use this setting; this is between PingAccess and the backend application server.

C. Allows PingAccess to authenticate to the backend server

Correct. This is exactly the definition of a Mutual TLS Site Authenticator in PingAccess.

D. Allows PingAccess to authenticate to the token provider

Incorrect. That would involve OIDC/OAuth token exchange and possibly TLS trust, but it’s not the role of the Site Authenticator.

Thus, the correct answer is C. Allows PingAccess to authenticate to the backend server .

PingAccess resources have an Audit flag . When enabled, all access attempts (allowed or denied) are recorded in the audit logs.

Exact Extract:

“To audit access requests to a specific resource, enable the Audit option on that resource in the application configuration.”

Option A is correct — enabling audit for /admin ensures its access requests are logged.

Option B is incorrect — enabling audit for /* is overly broad and logs everything, not just /admin .

Option C is incorrect — Splunk integration is for log forwarding, not per-resource auditing.

Option D is incorrect — log4j2.xml controls log destinations/levels, not resource-specific auditing.

When PingAccess is first installed, the Administrative Console (the web-based UI for managing configuration) is bound to a default port of 9000 . This is documented in the installation and configuration guides:

Exact Extract from documentation:

“By default, the administrative console is available at https:// < host > :9000 .”

( PingAccess Installation Guide – Default Ports )

This means that unless the administrator has explicitly changed the port in run.properties or during installation, the console will always be available on port 9000 .

Option Analysis:

A. 9000 ✅ Correct. Default administrative console port.

B. 3000 ❌ Incorrect. This is not a PingAccess default port.

C. 9090 ❌ Incorrect. Sometimes used by other Ping products for APIs, but not the PingAccess admin console.

D. 3030 ❌ Incorrect. Not a default PingAccess port.

Modern browsers enforce stricter cookie handling rules. If cookies are not configured correctly with the SameSite attribute, behavior can differ across browsers, leading to inconsistent authentication and access denials. Security exceptions may appear when session cookies are blocked.

Exact Extract:

“The SameSite cookie setting defines how browsers send cookies in cross-site requests. Misconfigured SameSite values can lead to inconsistent application behavior across browsers.”

Option A (Enable PKCE) is related to OAuth flow security, not browser cookie behavior.

Option B (SameSite Cookie) is correct — this directly explains the inconsistent browser issues.

Option C (Request Preservation) ensures query parameters are kept, not related to cross-browser session handling.

Option D (Validate Session) checks session state but does not address browser inconsistencies.

When applications require additional attributes:

The Web Session must be configured to retrieve those attributes from the token provider (OIDC or PingFederate).

The Identity Mapping must be updated to forward those attributes to the application (e.g., as headers).

Exact Extract:

“Web sessions define how user attributes are retrieved from the token provider. Identity mappings determine how those attributes are inserted into requests to applications.”

Option A is not necessarily required; attributes can be retrieved via userinfo endpoint or access token, not only ID tokens.

Option B is correct — Identity Mappings must be updated to pass attributes to the app.

Option C is incorrect — Site Authenticators define how PingAccess authenticates to apps, not attribute handling.

Option D is incorrect unless the architecture specifically requires access token updates; PingAccess often uses the Web Session to fetch attributes.

Option E is correct — Web Session must be updated to retrieve additional attributes.

When applications depend solely on header-based identity mapping , attackers can attempt to bypass PingAccess by injecting headers directly into requests sent to the backend. To prevent spoofing, PingAccess should be configured to pass cryptographically verifiable tokens (e.g., ID tokens from OIDC ) instead of relying on plain headers.

Exact Extract:

“Headers can be spoofed if not protected. Use signed tokens, such as ID tokens or JWTs, to provide strong identity assurance and prevent header injection attacks.”

Option A (Use ID Tokens) is correct — ID tokens are signed and verifiable, preventing spoofing.

Option B (Add Site Authenticator) protects PingAccess-to-site authentication, not client-to-API spoofing.

Option C (Require HTTPS) prevents eavesdropping but does not stop header spoofing from inside the network.

Option D (Use Target Host Header) ensures host header integrity but not user identity.

PingAccess officially supports Google Chrome and Microsoft Edge for the administrative console. Other browsers (Safari, Opera, Brave) may work but are not officially supported.

Exact Extract:

“The PingAccess administrative console is supported on current versions of Google Chrome and Microsoft Edge.”

Option A (Safari) is not officially supported.

Option B (Opera) is not supported.

Option C (Google Chrome) is correct.

Option D (Microsoft Edge) is correct.

Option E (Brave) is not officially supported.

For multiple subdomains to share the same PingAccess session, the Cookie Domain must be configured so that the session cookie is valid across all listed applications.

Exact Extract:

“Set the Cookie Domain in the web session configuration to a parent domain (for example, .company.com) to enable applications in different subdomains to share the same session.”

Option A (Set Audience option) applies to OAuth token validation, not cookie sharing.

Option B (Set Cookie Domain option) is correct — e.g., setting .company.com allows session cookies to be shared.

Option C (Rewrite Cookie Domain rule) modifies upstream cookies for back-end applications, not PingAccess session cookies.

Option D (Rewrite Cookie Path rule) is unrelated; it modifies paths for cookies, not domains.

The pattern /images/sitel/* matches all subpaths and files under the /images/sitel/ directory, including nested paths.

Exact Extract:

“The asterisk (*) matches zero or more characters within the path. For example, /images/sitel/* matches all resources under the sitel folder.”

Option A is incorrect — it references /aitel/ instead of /sitel/ .

Option B is incorrect — /site* matches strings beginning with “site”, but may also match “siteX” incorrectly.

Option C is incorrect — it only matches resources under /english/ , missing other folders.

Option D is correct — /images/sitel/* covers all given examples.

When APIs are remote, latency is introduced by frequent token validation requests. Enabling Cache Token on the OAuth Resource Server reduces repeated validation calls and improves performance.

Exact Extract:

“The OAuth Resource Server configuration includes a Cache Token option that improves performance by reducing round trips for token validation.”

Option A is incorrect — key rolling affects cryptographic keys, not API latency.

Option B is incorrect — virtual hosts control external FQDNs, not performance.

Option C is incorrect — token attribute size does not significantly affect remote latency.

Option D is correct — caching tokens reduces validation overhead.

All onboarding in PingAccess begins with defining an Application . Once the application exists, the administrator can define Resources within it and assign different rules to those resources.

Exact Extract:

“Before you can configure resources and rules, you must first create an application in PingAccess.”

Option A (Identity Mapping) may be required later but not the first step.

Option B (Web Session) can be shared but is not the first onboarding step.

Option C (Application) is correct — the starting point for onboarding.

Option D (Resource) comes after creating the application.

PingAccess rules are categorized into Access Control Rules and Processing Rules .

Processing Rules modify or add to HTTP requests and responses.

Cross-Origin Request (CORS) is specifically listed as a Processing Rule , because it modifies response headers to support cross-origin requests.

Exact Extract:

“Processing rules apply to HTTP traffic, such as Cross-Origin Resource Sharing (CORS), header injection, or response modification.”

Option A (Web Session Attribute) is an access control rule.

Option B (Cross-Origin Request) is correct — this is a processing rule.

Option C (HTTP Request Parameter) is an access control rule.

Option D (HTTP Request Header) is an access control rule.

Applications in PingAccess can be associated with multiple Virtual Hosts . Each virtual host defines an FQDN and port combination through which the application is exposed, allowing protection across multiple domains or hostnames.

Exact Extract:

“Virtual hosts specify the fully qualified domain names (FQDNs) and ports that PingAccess uses to expose applications.”

Option A (Sites) represent the target back-end servers, not the external FQDN.

Option B (Virtual Hosts) is correct — use multiple virtual hosts for multiple domains.

Option C (Redirects) are unrelated to multi-domain application protection.

Option D (Rules) define access policies, not hostnames.

Virtual Hosts in PingAccess define the external FQDNs (and ports) through which applications are accessed. An application can be bound to multiple virtual hosts to allow access via multiple FQDNs.

Exact Extract:

“A virtual host specifies the fully qualified domain name and port number through which an application is accessed.”

Option A (Virtual Hosts) is correct — multiple FQDNs can be supported by assigning multiple virtual hosts.

Option B (Applications) define resource protection but do not manage FQDN binding.

Option C (Sites) define back-end targets, not the public-facing FQDN.

Option D (Web Sessions) handle authentication state, unrelated to hostnames.

PingAccess automatically creates configuration archive backups whenever changes are made. These are stored in the data/archive directory.

Exact Extract:

“PingAccess stores configuration archive files in the PA_HOME/data/archive directory.”

Option A (tools) is incorrect — contains administrative scripts.

Option B (conf) is incorrect — holds configuration files like run.properties .

Option C (data) is correct — archives are stored under data/archive .

Option D (bin) is incorrect — contains executables and scripts.