PT-AM-CPE Certified Professional - PingAM Exam Questions and Answers

In PingAM 8.0.2, there are two distinct ways to implement Mutual TLS (mTLS) for OAuth2 client authentication: the PKI Approach (CA-signed) and the Self-Signed Approach.21

According to the documentation on "Mutual TLS using PKI":

The PKI approach relies on a chain of trust. The steps required are:

Step 1 (Trust) : You must import the CA certificates that signed the client certificates into the truststore of the web container (Tomcat) or the AM Secret Store. 22 This allows AM to verify the signature of the client's certificate during the TLS handshake.

Step 2 (Mapping) : You must configure a Secret Store and map the am.services.oauth2.tls.client.cert.authentication secret label to the trusted CA aliases. 23

Step 3 (Authentication Method) : In the OAuth2 Client Profile, you must select tls_client_auth . 24 This is the specific OIDC standard string for CA-based mTLS. (In contrast, self_signed_tls_client_auth (Step 4) is used only when you trust individual certificates directly without a CA). 25

Step 5 (Identity Mapping) : Because multiple clients might have certificates signed by the same CA, you must provide the Subject Distinguished Name (DN) (e.g., CN=myClientApp) in the client profile. PingAM uses this to ensure that the certificate presented by the client during the handshake actually belongs to that specific Client ID.

Why other steps are excluded : Step 7 (Registering the certificate) is only required for the Self-Signed approach, as the PKI approach validates against the CA. Step 6 (Revocation check) is a global provider setting or an optional enhancement, but not a fundamental "must-configure" step for the basic PKI identity mapping logic. Thus, the correct sequence for the PKI approach is 1, 2, 3, and 5 , making Option C the correct answer.

The forgeops command-line tool is used to manage the lifecycle of the Ping Identity Platform in Kubernetes environments.9 When using the Cloud Developer Kit (CDK) for version 8.0.2, the delete subcommand is used to tear down the environment.

According to the "ForgeOps CLI Reference" and "CDK Shutdown and Removal" documentation:

The forgeops delete command (without additional flags like --force or specific component names) is designed to remove the Ping Identity Platform pods. This includes the core applications like PingAM, PingIDM, and PingDS, as well as the specialized UI pods (login-ui, etc.). It also removes the standard CDK artifacts and configuration manifests associated with that specific namespace.

However, the command follows a "safe delete" philosophy regarding infrastructure-level components:

Ingress Controllers, Certificate Managers (cert-manager), and the DS Operator are considered part of the "Base" or "Infrastructure" layer. These are typically installed once per cluster or namespace and are shared across multiple deployments. The forgeops delete command does not remove these by default, as doing so could disrupt other services.

PVCs (Persistent Volume Claims) and Secrets are also preserved unless the --force or -f flag is explicitly added to the command.

Thus, the answer is D . The command focuses strictly on the platform pods and their immediate deployment artifacts. If a developer wishes to perform a "deep clean" that removes the ingress and operators, they would need to use more specific commands like forgeops delete base or kubectl commands. 10 This distinction is vital for developers to avoid accidentally deleting shared cluster infrastructure when they only intended to restart the Ping platform.

PingAM 8.0.2 is strictly compliant with various identity standards to ensure interoperability between different vendors and platforms. The Security Assertion Markup Language (SAML) V2.0 is the cornerstone of modern XML-based federation.7

According to the PingAM "SAML 2.0 Introduction" and "Supported Standards" documentation, the SAML 2.0 standard is developed and maintained by OASIS (the Organization for the Advancement of Structured Information Standards). 8 Specifically, the OASIS Security Services Technical Committee (SSTC) is responsible for the specifications that define the SAML core (assertions and protocols), bindings (how SAML messages are mapped onto transport protocols like HTTP), and profiles (how SAML is used to solve specific use cases like Web Browser SSO).

Knowing the governing body is important for administrators when reviewing the "Technical Metadata" and "Schema" sections of PingAM, as AM’s implementation follows the OASIS SAML 2.0 standards for XML signing, encryption, and assertion structure. Other organizations listed, such as the IETF (Internet Engineering Task Force), govern protocols like OAuth2 and OpenID Connect, while the W3C (World Wide Web Consortium) handles general web standards like XML and WebAuthn. However, for SAML2, OASIS remains the authoritative governing body.

CSRF stands for Cross-Site Request Forgery.8 It is a common web security vulnerability where an attacker tricks a victim's browser into performing an unwanted action on a different website where the victim is currently authenticated.9

In the context of PingAM 8.0.2 and the OAuth 2.0 /authorize endpoint, CSRF protection is vital. 10 If an attacker can forge an authorization request, they might be able to inject their own authorization code into a victim's session or link a victim's account to an attacker-controlled client.

To mitigate this, the OAuth 2.0 protocol uses a parameter (often named state in the RFC, but referred to in PingAM's security configuration and logging as a CSRF-related check) to ensure that the request returning to the client is the same one that the client initiated. 11 PingAM's "Security Considerations" documentation explains that the server enforces Cross-Site Request Forgery protection by verifying that requests originate from trusted sources and include unpredictable tokens that an external malicious site could not guess or recreate. 12

In AM 8.0.2, you can configure the "CSRF Protection Filter" which can be applied to various endpoints to prevent unauthorized state-changing commands. 13 This is particularly important for the administration UI and the authentication endpoints where a user's session is active. Understanding that CSRF stands for Cross-Site Request Forgery is a fundamental requirement for any security professional working with identity protocols and PingAM hardening.

In PingAM 8.0.2, the recommended and most secure flow for "Public Clients"—such as Single Page Applications (SPAs) written in JavaScript—is the Authorization Code Grant Flow with PKCE (Proof Key for Code Exchange).

Historically, the Implicit Grant Flow (Option B) was used for browser-based apps because they could not securely store a client_secret. However, the Implicit flow is now considered legacy and insecure due to the risk of access token leakage in the browser history or via referrer headers. The Resource Owner Password Credentials Grant (Option C) is also discouraged as it requires the application to handle user credentials directly, violating the core principle of delegated authorization. Client Credentials (Option D) is reserved strictly for machine-to-machine communication where no user is involved.

The Authorization Code Grant with PKCE addresses the security limitations of public clients by replacing the static client_secret with a dynamically generated "code verifier" and "code challenge." The process works as follows:

Challenge Generation : The JavaScript app creates a cryptographically strong random string (Verifier) and transforms it (Challenge).

Authorization Request : The app sends the challenge to PingAM. 21

Code Exchange : After user login, AM returns an authorization code. The app then sends the code and the original verifier to the token endpoint.

Verification : AM verifies that the verifier matches the initial challenge before issuing the Access Token.

This flow ensures that even if an attacker intercepts the authorization code, they cannot exchange it for a token without the original verifier, which never left the browser's execution context. PingAM 8.0.2 fully supports this flow and provides specific configuration options in the OAuth2 Provider settings to enforce PKCE for all public clients.

The Push Result Verifier node is a core component of the "MFA: Push Authentication" journey in PingAM 8.0.2. Its primary function is to check the status of a push notification that was previously dispatched to a user's mobile device (usually via the Push Sender node).22

According to the "Authentication Node Reference" for version 8.0.2, the node evaluates the state of the push request and yields exactly four distinct outcomes:

Success : This path is followed if the user has actively approved the push notification on their registered device using the ForgeRock/Ping Authenticator app.

Failure : This path is taken if the user explicitly denies or rejects the push notification on their device, indicating a potential unauthorized login attempt.

Expired : This outcome occurs if the notification reaches its "Message Timeout" limit (defined in the Push Sender node) without any response from the user. 23 In standard trees, this path often loops back to allow the user to try a different MFA method or resend the push.

Waiting : This outcome is triggered if a response has not yet been received but the timeout has not yet been reached. This is used in conjunction with a Push Wait or Polling mechanism to create a "check-and-loop" logic until a final result (Success, Failure, or Expired) is determined.

The Retry outcome (mentioned in other options) is notably absent from this specific node's metadata. While a "Retry" might be implemented in the overall tree logic (for example, by using a Retry Limit Decision node after an Expired outcome), the Push Result Verifier node itself only reports the state of the specific push transaction it is tracking. Understanding these four discrete states is vital for designing resilient authentication journeys that handle user delays or network issues gracefully.

PingAM 8.0.2 provides a "Recovery Code" mechanism as part of its Multi-Factor Authentication (MFA) suite. This allows users to regain access to their accounts if they lose their MFA device (such as a smartphone used for Push or OATH).

According to the PingAM "Authentication Node Reference" for version 8.0.2:

The node responsible for the validation of these codes is the Recovery Code Collector Decision node. This node performs a dual function:

Collection : It renders the UI callback to the user (a text input field) asking for the recovery code.

Decision/Validation : Once the user submits a code, the node checks the input against the stored, hashed recovery codes in the user's profile.

Analysis of the other options:

Recovery Code Display node (Option A): This node is used during the registration phase to show the user their newly generated codes so they can save them. It does not validate them.

Recovery Code Verifier node (Option D): This is a common distractor name. While "Verifier" sounds logical, the actual name in the AM designer is the "Collector Decision" node, reflecting the pattern of nodes that both collect data and make a branching decision.

Recovery Code Comparator node (Option B): Not a standard node in PingAM 8.0.2.

The Recovery Code Collector Decision node typically has two outcomes: Success (code matched and was consumed/removed) or Failure (code was invalid). This node is vital for ensuring that "Account Recovery" journeys remain secure and functional within the Intelligent Access framework.

============

The May Act script is a critical component of the OAuth 2.0 Token Exchange implementation in PingAM 8.0.2. It allows for the validation of impersonation or delegation requests. Because token exchange can be configured both globally for all clients and specifically for individual applications, the script can be attached at two different levels in the Administrative UI.

OAuth2 Provider Service > Advanced Tab (A) : This is the global configuration level. If you want to apply a standard "May Act" validation script across the entire realm for any client performing a token exchange, you configure it here. This script will be the default unless specifically overridden.

OAuth2 Client Profile > OAuth2 Provider Overrides Tab (D) : PingAM allows for granular control per client. If a specific "Confidential Client" (like a backend microservice) requires unique logic for determining who it can act as, you can specify a different script or override the global setting. This is done in the "OAuth2 Provider Overrides" tab within that specific client's configuration profile.

Why other options are incorrect : The Core tab (B) is used for basic settings like issuer names and token lifetimes, not for advanced scripting hooks. The Advanced tab of the Client Profile (C) contains settings like TTLs and Logout URLs, but the specific ability to override "Provider" level logic (like the May Act script) is moved to the specialized Overrides tab to keep the interface organized. Therefore, the correct locations are A and D , as identified in the "Token Exchange Configuration" guide for version 8.0.2.

Persistent Search is an LDAP control that allows a client (like PingAM) to receive real-time notifications from the Directory Server (like PingDS) whenever a user record is modified. PingAM 8.0.2 uses this to maintain its User Data Cache.

According to the "Identity Store Configuration" and "Tuning AM" documentation:

When persistent search is supported, PingAM caches user profile data in memory to speed up authentication and authorization decisions. When a change happens in the LDAP store, the directory server "pushes" the update to AM via the persistent search connection, and AM updates its cache immediately.

If the LDAP directory does not support persistent search (common in some legacy or highly restricted environments):

Cache Inconsistency : If caching were enabled, PingAM would not know when a user's attribute (like a group membership) had changed in the back-end. The cache would become "stale," leading to incorrect authorization decisions.

Required Configuration : The administrator must Disable user data caching to ensure that every request results in a direct query to the LDAP server, ensuring "Read-through" accuracy.

Performance Impact : Disabling the cache has a negative impact on performance (Option D) because every policy evaluation or session check now requires a synchronous network round-trip to the LDAP server, increasing latency and putting higher CPU/IO load on the directory.

Therefore, for directories lacking persistent search, disabling the cache is necessary for data integrity but comes at a significant performance cost.

PingAM 8.0.2 supports various Multi-Factor Authentication (MFA) methods, each with different hardware and software requirements.7 The question asks specifically for methods that require both a separate device and a specific application.

Push Authentication : This requires a mobile device (separate from the computer used to log in) and the ForgeRock/Ping Authenticator app (or a custom app using the SDK) to receive and approve the notification. 8

Open Authentication (OATH) : This refers to TOTP (Time-based One-Time Password). It requires a separate device (smartphone or hardware token) and an application (like ForgeRock Authenticator, Google Authenticator, or Authy) to generate the 6-digit rotating codes.

Why WebAuthn is excluded : While WebAuthn (Option A, B, and C) can use separate devices (like a YubiKey or a secondary phone), it is specifically designed to work natively with the browser and the operating system (using the FIDO2 standard). It does not require a specific "Authenticator Application" to be installed by the user; instead, it uses the platform's built-in authenticators (like TouchID, FaceID, or Windows Hello) or a hardware key handled directly by the browser's WebAuthn API.

Therefore, the two methods that strictly fit the "Separate Device + App" criteria in the PingAM ecosystem are Open Authentication and Push , making Option D the correct answer.

Auto-federation is a feature in PingAM 8.0.2 designed to simplify the user experience by automatically linking an IdP identity to an SP identity without manual intervention or a specialized "linking" page.12

According to the PingAM documentation on "Link Identities Automatically with Auto-Federation":

Linking Mechanism (Statement B) : Auto-federation does not rely on the SAML NameID. Instead, it uses a common attribute value found in both the SAML assertion and the SP's local identity store. For example, if both systems share an "Email" attribute, the SP can be configured to use the mail attribute from the incoming assertion to search its own datastore. If a match is found, the accounts are linked. This is significantly more flexible than relying on NameID formats (disproving Statement A).

User Experience (Statement C) : One of the primary benefits of auto-federation is that it supports a "Just-in-Time" experience. The user only needs to log in to the Identity Provider (IdP) . When they are redirected to the SP, the SP performs the attribute-based lookup and creates the session immediately. The user is never prompted to log in at the SP side just to "prove" who they are for the linking process (disproving Statement D).

Because auto-federation relies on matching attributes and only requires a single login at the IdP, the correct statements are B and C . This makes Option B the correct choice. This feature is particularly useful in Large-Scale B2B or B2C scenarios where pre-mapping thousands of users manually would be impossible.

In SAML 2.0, an Artifact is a reference (a "pointer" or "ticket") used in the SAML Artifact Binding.5 This is an alternative to the more common POST or Redirect bindings where the actual XML assertion is sent through the user's browser.

According to the PingAM "SAML 2.0 Bindings" documentation:

When using the Artifact binding, the Identity Provider (IdP) does not send the full SAML Assertion through the browser.6 Instead, it sends a small, opaque string called the Artifact to the Service Provider (SP).

Issuance : The IdP stores the real assertion in its own local memory/cache and sends the Artifact to the SP via the browser redirect.

Resolution : The Service Provider receives the Artifact and then makes a direct, secure back-channel call (SOAP over HTTPS) to the IdP's Artifact Resolution Endpoint.

Exchange : The SP presents the Artifact, and the IdP returns the actual SAML Assertion.

Therefore, the Artifact is the value sent to retrieve the assertion (Option D). It is not the assertion itself (Option A), nor is it a binding name or an attribute name. The Artifact binding is often used for security reasons, as it prevents the sensitive assertion data from ever passing through the user's browser, thus mitigating certain types of interception attacks.

In PingAM 8.0.2, a Session Upgrade occurs when a user is required to authenticate at a higher security level (Auth Level). The outcomes of these upgrades depend on the session storage (server-side vs. client-side) and the parameters used.

Statement B is incorrect because it claims that a new token is issued only when the current session does not meet requirements. In reality, if a request explicitly includes a parameter like ForceAuth=true or prompt=login, PingAM will force a re-authentication and issue a new session token regardless of the current session's state.

According to the "Session Upgrade" and "Step-up Authentication" documentation:

Statement A is correct : When ForceAuth=true is used, the AM engine ignores the existing session's Auth Level and forces the user through the tree. A new session/token is generated upon success.

Statement C is correct : This describes the standard "Advice" flow (e.g., from a policy). AM creates a new session, copies existing properties from the old one, and replaces the token.

Statement D is correct : In client-side sessions, since the state is in a JWT cookie, any change (like an Auth Level increase) requires the issuance of a brand-new signed JWT to replace the old one.

Therefore, because PingAM allows for forced re-authentication even when requirements are met, the restrictive "only when" condition in Statement B makes it the incorrect (and thus the target) answer. This behavior is key for security scenarios where a fresh proof of presence is required regardless of previous activity.

============

According to the PingAM 8.0.2 documentation on "OAuth 2.0 Client Authentication," clients are categorized into two types based on their ability to maintain the confidentiality of their credentials: Public and Confidential.

A Confidential Client is defined as an application that is capable of securely storing a client_secret or a private key. 1 These are typically applications where the code and configuration are not exposed to the end user. Web Applications (Option D) are the classic example of confidential clients because they run on a secure back-end server. 2 The server-side code can store and use a secret to authenticate with PingAM's token endpoint without the risk of the secret being leaked to the user-agent or a third party.

In contrast:

Web Browsers (Option C) and JavaScript clients (Option B) are considered Public Clients . 3 Since the code runs within the user's browser, any secret embedded in the application would be visible to the user via "View Source" or developer tools. 4

Desktop clients (Option A) and native mobile apps are also categorized as public clients in the OAuth2 specification (RFC 6749) because they are distributed to end-user devices. 5 Even if the secret is obfuscated, it can be extracted through reverse engineering or decompilation.

For confidential clients, PingAM 8.0.2 supports various authentication methods at the token endpoint, including client_secret_basic, client_secret_post, and more secure options like Mutual TLS (mTLS) or Private Key JWT . By correctly identifying a client as confidential, administrators can enforce these stronger authentication requirements, ensuring that the client is indeed the entity it claims to be before granting access or refresh tokens.

In PingAM 8.0.2, Realms are the primary organizational units used to group configuration, policies, and identities.13 A common misconception is that a user is "locked" into a single realm. However, according to the "Realms" and "Identity Stores" documentation, the relationship is highly flexible.

A Realm does not actually "contain" users in a physical sense; instead, a realm is configured with one or more Identity Stores (such as an LDAP directory or a database). Multiple realms can be configured to point to the same underlying Identity Store. Therefore, if a user profile exists in an LDAP directory that is shared by "Realm A" and "Realm B," that user is effectively a member of both realms . They can authenticate to either realm and receive different policies or session properties based on the realm-specific configuration.

Key points from the documentation:

Logical Partitioning : Realms provide a way to apply different authentication logic (different trees) to the same set of users. 14

Multi-tenancy : An organization can create separate realms for different departments or customer groups, even if they overlap in the back-end user database.

Identity Store Mapping : Because a realm maps to an identity store, and an identity store can be reused across realms, a user's membership is determined by where the realm is "looking" for data.

Thus, Option A is the correct description of the architecture: a user can be a member of one or more realms depending on how the administrator has mapped the identity repositories.

Would you like me to proceed with more questions, or would you like to focus on a specific area such as OAuth2 Grant Flows ?

In PingAM 8.0.2, especially when utilizing File-Based Configuration (FBC), the startup sequence relies on a "bootstrap" phase to locate the system's configuration. According to the "Installation Guide" and "Configuration Directory Structure," the primary file involved in this process is named boot.json.

The boot.json file contains the essential connection details required for the AM binaries to find and unlock the configuration store (usually PingDS). This includes the LDAP host, port, bind DN, and references to the secret stores needed to decrypt the configuration.

The location of this file is determined by the Configuration Directory path specified during the initial setup. By default, PingAM creates its configuration directory in the home directory of the user running the web container. The standard path structure is < user-home > / < am-instance-dir > /. Therefore, the boot.json file is located at the root of this instance directory: <</b> user-home > / <</b> am-instance-dir > /boot.json .

Options A and D are incorrect because they place the file inside a /config subdirectory; while AM has many config files in subdirectories, the boot.json sits at the root to be accessible as the first point of entry.

Option B is incorrect because it suggests the file is stored within the Tomcat webapps folder. PingAM specifically avoids storing configuration data within the web application binaries to ensure that configuration persists even if the .war file is deleted or redeployed.

Understanding the location of boot.json is vital for DevOps engineers who need to automate the deployment of PingAM using tools like Amster or when troubleshooting a "Failed to connect to the configuration store" error during server startup.