PAP-001 Certified Professional - PingAccess Questions and Answers

PingAccess usesobfuscated keysto secure sensitive configuration values (like passwords). Theobfuscate.bat(Windows) orobfuscate.sh(Linux) script is used to generate a new key and protect sensitive data.

Exact Extract:

“Useobfuscate.[bat|sh]to generate a new obfuscation key for protecting configuration values.”

Option A (db-passwd-rotate.bat)is not a valid PingAccess script.

Option B (memoryoptions.bat)configures JVM memory, not encryption.

Option C (run.bat)starts PingAccess.

Option D (obfuscate.bat)is correct — it is used to protect sensitive configuration.

Identity Mapping in PingAccess relies on attributes provided by thetoken provider(e.g., PingFederate, OIDC provider). If the desired attributes are not present in the dropdown, it means they are not being provided in the token or userinfo response.

Exact Extract:

“Attributes available in identity mappings are those provided in the web session by the token provider. If attributes are missing, they must be added to the token by the identity provider.”

Option Ais correct — the token provider administrator must configure the IdP to include the additional attributes.

Option Bis incorrect — rewrite rules modify content but do not supply new identity attributes.

Option Cis incorrect — developers cannot directly add identity attributes; they must come from the IdP.

Option Dis incorrect — Web Session Attribute rules only evaluate available attributes; they don’t create new ones.

PingAccess officially supportsGoogle ChromeandMicrosoft Edgefor the administrative console. Other browsers (Safari, Opera, Brave) may work but are not officially supported.

Exact Extract:

“The PingAccess administrative console is supported on current versions of Google Chrome and Microsoft Edge.”

Option A (Safari)is not officially supported.

Option B (Opera)is not supported.

Option C (Google Chrome)is correct.

Option D (Microsoft Edge)is correct.

Option E (Brave)is not officially supported.

PingAccess can be configured to log or suppress back-channel requests that occur duringtoken validationwith an OAuth/OpenID Connect provider such as PingFederate. These requests happen when PingAccess calls PingFederate to validate access tokens or retrieve key material.

Exact Extract from PingAccess documentation:

“Back-channel requests are logged during token validation by default. To prevent these requests from being written to the audit log, update theToken Validationsettings in PingAccess.”

This makesToken Validationthe correct location for changing the behavior without modifying application-specific configurations.

Why other options are wrong:

B. Web Sessions

Incorrect. Web Sessions control user session management and cookie handling, not back-channel token validation traffic.

C. Sites

Incorrect. Sites are the definitions of backend servers that PingAccess proxies to. This setting does not affect back-channel logging to PingFederate.

D. Token Provider

Incorrect. The Token Provider defines the OIDC/OAuth server (e.g., PingFederate) and its endpoints, but the logging of back-channel requests is not controlled here.

Thus, the correct answer isA. Token Validation.

When a resource is configured asanonymous, PingAccess does not challenge the user for authentication. However, certain processing and identity propagation still occur.

Exact Extract:

“Anonymous resources do not require authentication. Identity mappings and request/response processing rules still apply.”

Option Ais incorrect because rules such as identity mappings and processing still apply.

Option Bis correct — Identity Mappings can still forward attributes, even for anonymous access.

Option Cis correct — Processing rules (e.g., request/response modifications) still apply.

Option Dis incorrect — requestsarelogged; anonymous does not disable logging.

Option Eis incorrect — access control rules (authorization) are not evaluated for anonymous resources.

To prevent CORS errors, administrators must configure aCross-Origin Request (CORS) Processing Rule. The secure practice is to allow thespecific trusted domain(www.anycompany.com ) and, when cookies or credentials are required, to enableAllow Credentials.

Exact Extract:

“For secure CORS, specify exact origins rather than wildcards. Enable ‘Allow Credentials’ when client-side resources must include cookies or authentication data.”

Option Ais incomplete — multiple values are possible, but in this case onlywww.anycompany.com is required.

Option Bis less secure — using a wildcard (*.anycompany.com) broadens exposure unnecessarily.

Option Cis insecure —*with credentials is disallowed by CORS specifications.

Option Dis correct — restricts access to the trusted domain and allows credentialed requests.

All onboarding in PingAccess begins with defining anApplication. Once the application exists, the administrator can defineResourceswithin it and assign different rules to those resources.

Exact Extract:

“Before you can configure resources and rules, you must first create an application in PingAccess.”

Option A (Identity Mapping)may be required later but not the first step.

Option B (Web Session)can be shared but is not the first onboarding step.

Option C (Application)is correct — the starting point for onboarding.

Option D (Resource)comes after creating the application.

To enableSingle Logout (SLO), theSLO scopemust be defined in the PingAccess Web Session configuration. This determines which sessions are ended when a logout request occurs.

Exact Extract:

“The SLO scope option in a web session specifies which applications are included in a logout event when Single Logout is triggered.”

Option A (SLO scope)is correct; it explicitly enables SLO support by linking session termination across apps.

Option B (Idle timeout)is unrelated; this controls session expiration, not SLO.

Option C (Validate Session)ensures session state is synchronized but does not configure SLO.

Option D (Refresh User Attributes)is unrelated; it only controls whether attributes are reloaded.

When PingAccess is first installed, theAdministrative Console(the web-based UI for managing configuration) is bound to adefault port of 9000. This is documented in the installation and configuration guides:

Exact Extract from documentation:

“By default, the administrative console is available athttps:// :9000.”

(PingAccess Installation Guide – Default Ports)

This means that unless the administrator has explicitly changed the port inrun.propertiesor during installation, the console will always be available onport 9000.

Option Analysis:

A. 9000✅Correct. Default administrative console port.

B. 3000❌Incorrect. This is not a PingAccess default port.

C. 9090❌Incorrect. Sometimes used by other Ping products for APIs, but not the PingAccess admin console.

D. 3030❌Incorrect. Not a default PingAccess port.

When PingAccess is integrated with PingFederate as aToken Provider, the OAuth clients already configured in PingFederate become available in PingAccess. This enables administrators toautomatically select Client IDswhen creating Web Sessions.

Exact Extract:

“When PingAccess uses PingFederate as its token provider, PingFederate OAuth clients appear automatically in PingAccess for selection during web session configuration.”

Option Ais incorrect — this refers to Admin Console authentication, which is separate.

Option Bis incorrect — OAuth clients must be created in PingFederate, not from within PingAccess.

Option Cis incorrect — token issuance policies are managed in PingFederate, not PingAccess.

Option Dis correct — the Client ID dropdown is populated automatically from PingFederate.

PingAccess resources have anAudit flag. When enabled, all access attempts (allowed or denied) are recorded in the audit logs.

Exact Extract:

“To audit access requests to a specific resource, enable the Audit option on that resource in the application configuration.”

Option Ais correct — enabling audit for/adminensures its access requests are logged.

Option Bis incorrect — enabling audit for/*is overly broad and logs everything, not just/admin.

Option Cis incorrect — Splunk integration is for log forwarding, not per-resource auditing.

Option Dis incorrect —log4j2.xmlcontrols log destinations/levels, not resource-specific auditing.

PingAccess supports logging directly to a relational database usingLog4j database appenders. To enable this:

Configurelog4j2.xmlto use a JDBC Appender.

Configurelog4j2.db.propertieswith the database connection information.

Provide the appropriate database driver in thePA_HOME/libdirectory.

Exact Extract:

“To log to a database, configure log4j2.xml and log4j2.db.properties, and place the JDBC driver JAR file in PA_HOME/lib.”

Option Ais correct — both files must be configured.

Option Bis incorrect — existing logs do not need removal.

Option Cis incorrect — enabling audit is unrelated to database logging.

Option Dis correct — the Oracle JDBC driver must be installed in PA_HOME/lib.

Option Eis incorrect unless TLS is used to connect to the DB, but it is not required for standard DB logging setup.

In PingAccess, when an application relies on claims from an OAuth access token, you must configure PingAccess to evaluate those claims and potentially inject them into headers for the backend application.

Exact Extract from PingAccess documentation:

“OAuth rules allow you to evaluate claims in OAuth access tokens. You can configure PingAccess to look at specific claims and enforce policies or pass them to target applications.”

“To extract attributes from an access token, configure anOAuth Attribute Rule.”

This clearly matches optionD.

Analysis of each option:

A. An authentication requirement definition

Incorrect. Authentication requirements determine how users authenticate to applications (OIDC provider, etc.), but do not manage access token claims.

B. A web session attribute rule

Incorrect. Web session attribute rules map attributes from the authenticated user’s web session (SSO session), not from OAuth access tokens.

C. An identity mapping definition

Incorrect. Identity mappings transform user attributes (from IdP to app), but they don’t directly pull claims from OAuth tokens.

D. An OAuth attribute rule

Correct. This rule is specifically designed to extract and enforce policies onclaims from OAuth access tokens.

Therefore, the correct answer isD. An OAuth attribute rule.

In Log4j2, theLoggerelement controls the log level (INFO,DEBUG,ERROR, etc.) for specific packages or classes.

Exact Extract:

“To modify logging levels, edit theelement inlog4j2.xmland change the level attribute.”

Option A (AsyncLogger)is a performance optimization, not for changing levels.

Option B (RollingFile)defines file rotation, not log levels.

Option C (Logger)is correct — this is where log levels are defined.

Option D (Appenders)define output destinations, not severity levels.

Modern browsers enforce stricter cookie handling rules. If cookies are not configured correctly with theSameSiteattribute, behavior can differ across browsers, leading to inconsistent authentication and access denials. Security exceptions may appear when session cookies are blocked.

Exact Extract:

“The SameSite cookie setting defines how browsers send cookies in cross-site requests. Misconfigured SameSite values can lead to inconsistent application behavior across browsers.”

Option A (Enable PKCE)is related to OAuth flow security, not browser cookie behavior.

Option B (SameSite Cookie)is correct — this directly explains the inconsistent browser issues.

Option C (Request Preservation)ensures query parameters are kept, not related to cross-browser session handling.

Option D (Validate Session)checks session state but does not address browser inconsistencies.

Because the application context root is/parts, resource paths are defined relative to it. The correct relative path is:

/suspension/struts/manufacturer

Exact Extract:

“Resource matching begins at the context root. The most specific matching path is selected.”

Option Ais incorrect —/*/struts/manufacturerdoes not match because it starts with a wildcard, not the defined path.

Option Bis incorrect —/*/manufacturerwould match less specifically and at a different depth.

Option Cis correct — exact match relative to/parts.

Option Dis incorrect — too generic and not the best match.

TheSameSiteattribute is applied to session cookies to control cross-site behavior. In PingAccess, session cookie configuration (includingSameSite) is defined at theWeb Sessionlevel.

Exact Extract:

“Web session configuration includes cookie attributes such as name, domain, secure flag, HTTPOnly, and SameSite.”

Option A (Rules)is incorrect — rules govern access control, not cookies.

Option B (Sites)defines backend connections, not session cookies.

Option C (Applications)ties resources to sessions but does not define cookie behavior.

Option D (Web Sessions)is correct — session cookie SameSite settings are configured here.

When a backend application requires its own authentication (e.g., Basic Auth or mutual TLS), PingAccess uses aSite Authenticatorto inject the necessary credentials.

Exact Extract:

“Site Authenticators provide the credentials PingAccess uses when authenticating to target applications that require their own authentication mechanisms.”

Option A (Token Provider)is incorrect — this is used for OIDC/OAuth tokens, not site-level authentication.

Option B (Web Session)manages end-user sessions, not backend site authentication.

Option C (Site Authenticator)is correct — it handles authentication between PingAccess and the backend.

Option D (Access Control Rule)enforces authorization, not backend authentication.