PT-AM-CPE Certified Professional - PingAM Exam Questions and Answers

When a client requests an OpenID Connect (OIDC) scope (like profile), PingAM 8.0.2 may present a Consent Screen to the user, asking permission to share specific claims. To make this screen user-friendly, PingAM allows administrators to map technical claim names to human-readable labels and specify localizations.

According to the PingAM documentation on "Supported Claims" in the OAuth2/OIDC Provider settings:

The format for the Supported Claims property entry is:

ClaimName|Locale|DisplayName

In this syntax:

ClaimName: The technical OIDC claim (e.g., name, email, given_name).

Locale: The ISO language code (e.g., en, fr).

DisplayName: The text that will actually appear on the UI (the "Full name" label).

Therefore, the string name|en|Full name (Option A) is the correct configuration.

Option Bis incorrect because it reverses the technical name and the display name.

Option Cis incorrect as it lacks the required locale component and uses full_name (which is not the standard OIDC claim name; the standard is name).

Option Dattempts to perform a logic operation (+) within a configuration field where only static mapping strings are allowed. Claim composition (concatenating first and last names) is handled by theOIDC Claims Script, not by the Supported Claims UI property.

In SAML 2.0 federation with PingAM 8.0.2, there are two ways to initiate SSO: IdP-Initiated (where the user starts at the Identity Provider) and SP-Initiated (where the user starts at the Service Provider).3

According to the "SAML 2.0 Guide" for PingAM:

SP-Initiated SSO: The correct JSP file for an SP-initiated flow is spSSOInit.jsp.4This script is used by an SP (in this case, PingAM acting as an SP or a "Fedlet") to generate a SAML AuthnRequest and send it to the IdP.

Redirecting to the Application: In the SAML 2.0 standard, the mechanism used to preserve state (like the final destination URL) across the redirect-heavy SSO process is theRelayStateparameter. When the IdP sends the SAML assertion back to the SP, it also returns the RelayState value. The SP then uses this value to redirect the user to the final application.

While PingAM uses the goto parameter for internal redirects (like standard web login),RelayStateis the required parameter name for SAML-related JSPs to ensure interoperability with the SAML specification. Therefore, the correct URL is .../spSSOInit.jsp combined with the RelayState parameter (Option D). Using idpSSOInit.jsp (Options A and B) would trigger an IdP-initiated flow, which is not what the question describes. Option C is incorrect because it uses the non-SAML goto parameter in a SAML initialization context.

The connection string format HOST:PORT|SERVERID|SITEID is a specific syntax used in PingAM 8.0.2 for Affinity Load Balancing, a feature almost exclusively associated with the Core Token Service (CTS). In high-volume deployments, the CTS handles thousands of session updates per second. To avoid replication lag issues—where an AM server might try to read a session token from a directory server (DS) before the update has replicated from another DS node—PingAM uses "Affinity."16

According to the "CtsDataStoreProperties" and "CTS Deployment Architectures" documentation, this specialized string allows the AM instance to prioritize connections based on theServer IDandSite ID.17The pipe (|) characters signify the optional affinity parameters:

01/02: These represent the Server IDs of the underlying Directory Servers.

Affinity Logic: By providing these IDs, PingAM can ensure that it always routes requests for the same CTS token to the same directory server node.18

While standard Identity Stores (Option A) and the Configuration Data Store (Option C) use LDAP connection strings, they typically utilize a comma-separated list of host:port pairs or rely on a hardware load balancer. The specific use ofserver and site IDs within the connection string itselfto manage LDAP request routing is a hallmark of the CTS affinity configuration.19The documentation explicitly states that "Each connection string is composed as follows: HOST:PORT[|SERVERID[|SITEID]]" within the context ofCTS external store configuration.20Therefore, this complex string is specifically designed for the Core Token Service to ensure data consistency and high performance in clustered environments.

The Tree Designer in PingAM 8.0.2 is a visual, drag-and-drop tool used to build sophisticated login journeys. While it is highly flexible, it follows specific structural rules to ensure the authentication engine can execute the logic predictably.

Analysis of the statements:

Statement A is true: Trees must terminate in an outcome. Success and Failure nodes are standard. Additionally, theInner Tree Evaluatornode allows one tree to hand off processing to another "child" tree.

Statement C is true: The designer is extensible. Administrators can develop their own Java or Scripted nodes, and the Ping Identity Marketplace provides a wide range of third-party nodes (e.g., for biometric providers or specialized risk engines) that appear in the designer palette once installed.

Statement D is true: "Inner trees" are a supported concept, allowing for modularity where common logic (like MFA) can be built once and called from multiple parent trees.

Statement B is the "not true" statement.While the designer allows for complex logic and loops (e.g., looping back to a username prompt if a password is wrong), it doesnotsupportnesting nodes within a tree. In PingAM architecture, nodes are atomic components placed on a flat canvas. You cannot "nest" a node inside another node's configuration in the visual designer. Complexity is achieved through thebranching and linkingof these atomic nodes. If logic needs to be "nested" or grouped, it is done by creating a separate tree and calling it as anInner Tree. Understanding this structural limitation is key for architects designing modular authentication frameworks.

In SAML 2.0, an Artifact is a reference (a "pointer" or "ticket") used in the SAML Artifact Binding.5 This is an alternative to the more common POST or Redirect bindings where the actual XML assertion is sent through the user's browser.

According to the PingAM "SAML 2.0 Bindings" documentation:

When using the Artifact binding, the Identity Provider (IdP) does not send the full SAML Assertion through the browser.6 Instead, it sends a small, opaque string called the Artifact to the Service Provider (SP).

Issuance: The IdP stores the real assertion in its own local memory/cache and sends the Artifact to the SP via the browser redirect.

Resolution: The Service Provider receives the Artifact and then makes a direct, secureback-channel call(SOAP over HTTPS) to the IdP's Artifact Resolution Endpoint.

Exchange: The SP presents the Artifact, and the IdP returns the actual SAML Assertion.

Therefore, the Artifact is thevalue sent to retrieve the assertion(Option D). It is not the assertion itself (Option A), nor is it a binding name or an attribute name. The Artifact binding is often used for security reasons, as it prevents the sensitive assertion data from ever passing through the user's browser, thus mitigating certain types of interception attacks.

In PingAM 8.0.2, there is a critical distinction between Tree-based (or Chain-based) authentication and Module-based authentication. Module-based authentication is a legacy feature that allows a user to target an individual authentication module directly (e.g., .../UI/Login?module=DataStore).

According to the "Security Considerations" and "Hardening PingAM" documentation, module-based authentication poses a significant security risk and should be disabled in production. This is becauseit allows a user to bypass steps in an authentication chain(Option C).

If an administrator has designed a secure "Chain" that requires both aDataStore(password) check AND aOne-Time Password(MFA) check, the intention is for these to be inseparable. However, if module-based authentication is enabled, a malicious user or a tester could bypass the MFA requirement by crafting a URL that calls only the "DataStore" module. This effectively circumvents the multi-factor security logic intended by the administrator.

To mitigate this, PingAM provides a global and realm-level setting to "Disable Module-based Authentication." Once disabled, PingAM will only process authentication requests that target a namedAuthentication TreeorChain, ensuring that the user is forced through the entire sequence of nodes and logic defined by the security architect.

In PingAM 8.0.2, the recommended and most secure flow for "Public Clients"—such as Single Page Applications (SPAs) written in JavaScript—is the Authorization Code Grant Flow with PKCE (Proof Key for Code Exchange).

Historically, theImplicit Grant Flow(Option B) was used for browser-based apps because they could not securely store a client_secret. However, the Implicit flow is now considered legacy and insecure due to the risk of access token leakage in the browser history or via referrer headers. TheResource Owner Password Credentials Grant(Option C) is also discouraged as it requires the application to handle user credentials directly, violating the core principle of delegated authorization.Client Credentials(Option D) is reserved strictly for machine-to-machine communication where no user is involved.

TheAuthorization Code Grant with PKCEaddresses the security limitations of public clients by replacing the static client_secret with a dynamically generated "code verifier" and "code challenge." The process works as follows:

Challenge Generation: The JavaScript app creates a cryptographically strong random string (Verifier) and transforms it (Challenge).

Authorization Request: The app sends the challenge to PingAM.21

Code Exchange: After user login, AM returns an authorization code. The app then sends the codeandthe original verifier to the token endpoint.

Verification: AM verifies that the verifier matches the initial challenge before issuing the Access Token.

This flow ensures that even if an attacker intercepts the authorization code, they cannot exchange it for a token without the original verifier, which never left the browser's execution context. PingAM 8.0.2 fully supports this flow and provides specific configuration options in the OAuth2 Provider settings to enforce PKCE for all public clients.

In SAML 2.0 Federation, there is a standard XML schema (defined by OASIS) that all vendors use to describe an Identity Provider (IdP) or Service Provider (SP). This is known as "Standard Metadata." However, standard metadata does not include every configuration option required to run a sophisticated Access Management server.

PingAM 8.0.2 usesExtended Metadatato store implementation-specific settings that fall outside the OASIS SAML 2.0 specification. According to the "SAML 2.0 Guide," extended metadata is stored as a separate configuration file (or JSON entry in newer versions) and includes parameters such as:

Identity Store Mapping: Which attribute in the local datastore matches the SAML NameID.

Session Information: How AM should handle the session lifecycle after a successful SAML assertion.

Attribute Mapping: Detailed instructions on how to transform local LDAP attributes into SAML attributes (and vice versa).

Authentication Trees: Which specific tree should be triggered when a request arrives at the IdP.

Option D is the correct description. Option C is incorrect because extended metadata isnota standard way to communicate features; in fact, other SAML products (like ADFS or Okta) cannot read or process PingAM's extended metadata. Option A is incorrect because basic certificates/keys are usually part of thestandardmetadata (KeyDescriptor), and Option B is incorrect because SAML federation usually triggers authentication journeys or attribute mapping rather than a standard authorization "policy."

Debugging a PingAM 8.0.2 environment is essential for troubleshooting issues that occur at the engine level. In a multi-server deployment (a cluster), different servers may be experiencing different local issues (e.g., filesystem permissions or local JVM constraints). Therefore, debug settings are managed at the server-specific level rather than the global site level.

According to the "Debug Logging" and "Server Settings" documentation:

The debug level (e.g., error, warning, message, info) is configured on a per-instance basis. In the PingAM Administrative Console, an administrator navigates to Deployment > Servers > [Server Name] > Debugging. Here, they can set the "Debug Level" and "Debug Output" (file vs. console).

Setting the level per instance allows an administrator to increase verbosity on a single "problematic" node without flooding the logs and impacting the performance of the entire healthy cluster. While these settings eventually modify internal properties, theAdmin Consoleis the primary and recommended interface for making these changes in version 8.0.2.

Why other options are incorrect:

Option A: While legacy versions of OpenAM used a local debug.properties file, modern PingAM stores these settings in the Configuration Store, though they are applied to specific server instances.

Option C: A "Site" is a logical grouping for load balancing. Setting a debug level on a site would force all servers in that site to change simultaneously, which is often undesirable for targeted troubleshooting.

Option D: Changing the debug level is a standard and recommended practice for troubleshooting, provided it is returned to a lower level (like error or warning) once the issue is resolved to save disk space and CPU.

While several endpoints in PingAM 8.0.2 interact with tokens, only one is explicitly designed for the purpose of checking the metadata and validity of an opaque or structured OAuth2 token.

According to the "OAuth 2.0 Endpoints" and "Token Introspection" documentation:

/oauth2/introspect (Option B): This is the RFC 7662-compliant endpoint. It is used by resource servers (or other authorized clients) to determine the "activeness" of a token. When a token is sent to this endpoint, PingAM returns a JSON object indicating if the token is valid, its scope, its expiration time, and the subject it represents. This is the standard way to validate tokens that are not self-validated (like opaque tokens stored in the CTS).

Why other options are incorrect:

/oauth2/userinfo (Option A): This endpoint is part of OpenID Connect. While itrequiresa valid token to function, its purpose is to return user claims, not to provide a "valid/invalid" metadata check of the token itself.

/oauth2/validate (Option C): This is a legacy endpoint used in older versions of the product. In PingAM 8.0.2, introspection is the standardized replacement.

/oauth2/access_token (Option D): This is theToken Endpointused toissuetokens, not to validate them.

Using the/oauth2/introspectendpoint is a best practice for security because it allows the authorization server (PingAM) to verify that a token has not been revoked in the Core Token Service (CTS) before a resource server grants access.

Cross-Site Request Forgery (CSRF) is an attack where a malicious site sends a request to PingAM using the victim's authenticated browser session. Because standard HTML forms and cross-site requests cannot easily set custom HTTP headers, requiring a specific header is an effective defense for REST APIs.

According to the PingAM "Security" documentation and the "REST API" reference:

By default, PingAM 8.0.2 enforces a CSRF filter on its REST endpoints (such as /json/authenticate or /json/users). For any "state-changing" request (like a POST, PUT, or DELETE), the client must prove the request is intentional and not a forged browser-driven request. This is achieved by requiring at least one of the following headers:

X-Requested-With: Commonly used by AJAX libraries like jQuery. Its presence indicates the request was made via a script, which is generally not possible for a standard cross-site CSRF attack.

Accept-API-Version: This header serves two purposes. First, it ensures the client is targeting a specific version of the PingAM REST API (e.g., resource=2.0, protocol=1.0). Second, since custom headers cannot be set in simple cross-site <form> submissions, it acts as aCSRF token.

If a POST request is sent to the REST API without one of these headers, PingAM will reject the request with a403 Forbiddenerror, even if the user has a valid session cookie.

Option B (If-Match: _rev)is used for concurrency control (preventing "lost updates" in IDM or AM configuration), but it is not the primary CSRF defense.Options A and Dare headers sometimes used for "Zero-Page Login" or legacy authentication, but they do not provide protection against CSRF for the general REST API. Therefore, the combination ofX-Requested-WithorAccept-API-Versionis the correct answer for default CSRF protection in PingAM 8.0.2.

The Device Authorization Grant (Device Flow), defined in RFC 8628 and implemented in PingAM 8.0.2, involves a polling mechanism where the device repeatedly asks the token endpoint for an access token using the device_code it received earlier.1

According to the PingAM documentation on "Device Authorization Grant" and "OAuth 2.0 Endpoints," during the period when the user is still navigating to the verification URL and entering their user code, the device's polling requests to the /oauth2/access_token endpoint will not result in a successful token issuance. Instead, PingAM returns a400 Bad Requeststatus code.

It is important to look at the JSON response body accompanying the 400 error. The body contains an error field with the value authorization_pending.2This specific error code tells the device that the authorization request is still valid and in progress, but the user has not yet completed their part. The device should continue to poll at the interval specified in the initial response.

Other error codes like403 Forbidden(Option A) would typically indicate a permanent rejection or that the device is polling too frequently (slow_down).401 Unauthorized(Option C) is generally reserved for invalid client credentials when the client is confidential.302 Found(Option D) is a redirect, which is not used in the back-channel polling phase of the Device Flow. Therefore, while a 400 error usually suggests a client error, in the context of the Device Flow, it is the standard protocol-level response used to communicate that the token is not yet ready because the user hasn't finished authorizing.

To enforce complex authorization logic based on session duration, PingAM 8.0.2 administrators must move beyond the static "Out-of-the-Box" conditions.

Analysis of the options based on the "Policy Conditions" documentation:

Time Condition (Option A): This condition is used to restrict access based on theclock time of dayorday of the week(e.g., "Allow access only between 9 AM and 5 PM"). It does not track the elapsed time of a specific user session.

Current Session Properties (Option B): This condition checks for the presence of specific key-value pairs in a session. While a session contains a startTime property, this condition is designed for matching static values (like department=HR), not for performing mathematical time calculations.

Active Session Time (Option D): This is not a standard default condition name in the PingAM 8.0.2 policy engine.

The Correct Approach (Option C): AScripted Policy Conditionis required for this use case. Within a Policy Condition script, the administrator has access to the session object. The script can retrieve the startTime (or creationTime) of the session and compare it against the current system time (currentTime).

Example logic in the script:

var sessionStartTime = session.getProperty("startTime");

var maxDuration = 10 * 60 * 1000; // 10 minutes in milliseconds

if ((currentTime - sessionStartTime) > maxDuration) { authorized = false; }

By using a script, PingAM can dynamically calculate the age of the session at the moment of the access request and return a "Deny" decision if the 10-minute threshold has been exceeded. This provides the granular control needed for high-security environments where "session freshness" is a requirement for specific sensitive resources.

In PingAM 8.0.2, the Intelligent Access engine (Authentication Trees) uses a specific data-passing mechanism to move information between individual nodes within a single journey. When a journey involves collecting context—such as device metadata (OS, version, screen resolution), location data (IP, geofencing), or risk signals—this information must be stored temporarily while the tree evaluates the next steps.

According to the "Authentication Node Development" and "Nodes and Trees" documentation, PingAM uses two primary transient storage objects during the authentication flow:

Shared State: This is the primary map used to share data between nodes in the same tree. Contextual data collected by nodes like theDevice Profile CollectororBrowser Capabilitiesnodes is stored here. It exists only for the duration of the authentication journey.

Transient State: Similar to shared state, but often used for sensitive data that should not be visible to certain types of nodes or scripts.

The documentation identifiesShared Node State(Option B) as the best practice for persisting collected contextduringthe tree process.

Session State(Option A) is only availableafterthe authentication is successful and a session has been created. It is not suitable for data needed by nodes within the tree to make a decision (like a risk engine node).

User Profile(Option C) is for long-term persistence (LDAP/PingDS). Storing transient device context there would cause unnecessary database write overhead and privacy concerns.

Browser Cookies(Option D) are limited in size and pose security risks if used to store raw device data that could be tampered with by the client.

Therefore, for real-time risk analysis within a journey, nodes write data to the shared state, where subsequent nodes (like aScripted Decision NodeorAdaptive Risk Node) can retrieve and analyze it.

In PingAM 8.0.2 Intelligent Access, the Set Session Properties node is a specialized utility node designed to modify the session object once it is created.

According to the "Authentication Node Reference":

During an authentication journey, data is typically stored in the sharedState. However, sharedState is transient and is destroyed once the tree finishes. If an administrator wants to take a piece of information (e.g., a "Risk Score" calculated during the tree, or a "Branch ID" retrieved from a legacy system) and make it a permanent part of the user's session, they must use the Set Session Properties node.

Functionality: This node allows you to map a value from the sharedState or transientState to a session property name. After the tree reaches aSuccessnode, these properties are persisted in the session (either in the CTS for server-side sessions or the JWT for client-side sessions).

Usage: Once set, these properties can be retrieved later forResponse Attributesin policies, or by applications using the /json/sessions endpoint.

Option A (Get Session Data node)is used toretrieveexisting properties from an active session, not set them.Option Bis incorrect because while webhooks can trigger external logic, the native way to modify the session within a tree is a node.Option C (Provision Dynamic Account node)is for creating user entries in the Identity Store (LDAP), not for managing session-level properties. Therefore,Set Session Properties(Option D) is the correct technical tool for this requirement in version 8.0.2.

The OAuth2 May Act script type in PingAM 8.0.2 allows administrators to programmatically determine if a token exchange request (impersonation or delegation) should be allowed by adding a may_act claim to the token.

According to the "Scripting" and "Token Exchange Scripting API" documentation, when this script is executed, the AM engine provides a specific set of "Bindings" or variables. These allow the script to inspect the context of the request before deciding to modify the token. The documented variables for theOAuth2 May Actscript are:

clientProperties: A map of the OAuth2 client's configuration properties.

identity: The identity object for the user/subject.

logger: The logging object for debugging within the script.

requestProperties: Properties of the incoming HTTP request.

scopes: The set of scopes requested or associated with the token.

scriptName: The name of the script being executed.

session: The user's SSO session (if available).

requestedToken: This is the most important variable; it represents the token being issued. Methods like .addMayAct() or .setMayAct() are called on this specific object.

Why other options are incorrect:

Option Bcorrectly lists the bindings.

Options A and Dare incorrect because they use the variable name token. While token is a common variable name inotherOAuth2 script types (like the Access Token Modification script), the Token Exchange script specifically usesrequestedTokento distinguish the new token from the subject_token or actor_token provided in the request.

Option Cuses scopeList, which is not the standard variable name for the scopes in this specific script context; the documentation defines it asscopes.

The Authentication Context Class Reference (acr) is a standard parameter in OpenID Connect (OIDC) used by a client (Relying Party) to request a specific level or method of authentication from the OpenID Provider (PingAM 8.0.2).

According to the "OpenID Connect 1.0" and "OAuth2 Provider Service" documentation in PingAM, there is a specific configuration mapping forACR to Authentication Tree. In the AM console, under theOAuth2 Provider > OpenID Connecttab, administrators define a list of mappings. Each entry consists of an ACR string (e.g., urn:mace:incommon:iap:silver or simply MFA) and its correspondingAuthentication Treename.

When an OIDC client sends a request to the /authorize endpoint containing the acr_values parameter, PingAM performs a lookup:

It checks the incoming acr_values against the configured map.

If a match is found, PingAM ignores the default realm authentication configuration and initiates theAuthentication Treemapped to that specific ACR value.

Upon successful completion, the resulting ID Token will contain the acr claim with the requested value, confirming to the client that the specific journey was completed.

This mechanism allows developers to programmatically request "Step-up" or "Social Login" or "MFA" specifically from their application code by leveraging OIDC standard parameters. While ACR values are oftenrelatedtoAuthentication Levels(Option D) conceptually, in PingAM's internal architecture, they are directly used to select and trigger a specificAuthentication Tree(Option A).

The Cloud Developer Kit (CDK), part of the forgeops repository, represents the modern approach to deploying the Ping Identity Platform (including PingAM 8.0.2) in a containerized, Kubernetes-native environment. According to the PingAM deployment and ForgeOps documentation, the platform has transitioned from a monolithic architecture—where the user interface was embedded within the AM web application—to a decoupled, microservices-aligned architecture. In a standard CDK deployment, the user interface components are separated into their own distinct pods to allow for independent scaling, updates, and management.

The three specific pods that provide user interface functionality in a default CDK environment are:

admin-ui: This pod hosts the administrative console. It is the centralized interface that administrators use to configure realms, manage identity stores, define authentication trees, and oversee the general health of both PingAM and PingIDM. By separating the administrative UI from the core engine, the platform reduces the attack surface and allows for more granular resource allocation.

end-user-ui: This pod serves the self-service portal for end-users. It is responsible for providing the interface where users can manage their own profiles, update passwords, register Multi-Factor Authentication (MFA) devices, and manage their consent for OAuth2/UMA applications. This UI interacts with the back-end via REST APIs to ensure a seamless and responsive user experience.

login-ui: This is a specialized pod dedicated to the authentication journey. When a user interacts with an "Intelligent Access" tree, the login-ui pod renders the callbacks (such as username prompts, password fields, or MFA challenges). This pod ensures that thepresentation layer of the authentication process is modernized and distinct from the heavy processing logic of the PingAM core.

Collectively, these three pods ensure that the "User Interface" layer of the deployment is modular. This architecture is a prerequisite for high-availability deployments and is the standard configuration verified in the ForgeOps documentation for version 8.0.2 deployments.

============

According to the PingAM 8.0.2 Upgrade Guide and best practices for high-availability environments, performing an upgrade on a multi-server cluster requires a controlled redirection of traffic. While several methods can technically stop traffic, the load balancer is the primary tool for managing availability during maintenance.

In a production environment, PingAM instances are typically situated behind a load balancer that performs health checks and distributes user requests. Bydisabling access from the load balancer(specifically, by draining connections or marking nodes as "out of service"), administrators can gracefully prevent new external users from reaching the servers undergoing the upgrade. This approach is superior to shutting down the PingAM instances (Option A) immediately, as it allows existing sessions to complete their current operations or be handled by other nodes in the cluster if a "rolling upgrade" strategy is being used.

Shutting down the PingDS instances (Option B) is dangerous, as the directory service is required by PingAM for both configuration and user data; losing the data store while the AM application is still active can lead to severe system errors and data corruption. While a firewall (Option C) can block traffic, it is generally a "blunt instrument" that does not provide the sophisticated session management or health-probe handling that a load balancer offers. The load balancer allows for a "Maintenance Page" to be displayed to users, providing a better user experience during the downtime. Therefore, for a professional multi-server upgrade, managing the traffic flow at the load balancer layer is the verified best practice in PingAM 8 documentation.

The Device Authorization Grant (commonly referred to as the Device Flow, RFC 8628) is a specialized OAuth 2.0 grant flow supported by PingAM 8.0.2. It is designed for internet-connected devices that either lack a browser or have limited input capabilities (e.g., Smart TVs, IoT devices, or CLI tools).

In this flow, the interaction is split between the "Device" and a "Secondary Device" (like a smartphone or laptop) that has a full browser. TheUser Codeis a fundamental component of this process:

Device Request: The device requests a code from PingAM.

PingAM Response: AM returns aDevice Code(for the device) and aUser Code(a short, human-readable string like BCDF-GHJK).

User Action: The device displays the User Code and a verification URL to the user.

Authorization: The user navigates to the URL on their smartphone, logs into PingAM, and enters theUser Code.

Token Issuance: Once the user authorizes the request, the device (which has been polling AM using the Device Code) receives the Access and Refresh tokens.

TheUser Codeis unique to the Device Flow (Option D). It is not used in theClient Credentials Grant(which is machine-to-machine), theAuthorization Code Grant(which uses a redirect-based code), or theResource Owner Password Credentials Grant(which uses direct username/password submission). In PingAM 8.0.2, administrators can configure the length, character set, and expiration time of these user codes within the OAuth2 Provider settings.

Securing a PingAM 8.0.2 environment involves hardening multiple layers of the architecture, particularly when using external data stores and stateful sessions. According to the "General Security Considerations" and "Hardening PingAM" documentation, several key "Best Practices" must be applied.

Changing the SSO Cookie Name: By default, AM uses iPlanetDirectoryPro. Attackers often scan for this specific cookie name to identify ForgeRock/PingAM installations. Changing it provides "security through obscurity" and prevents some automated attacks.

Using Your Own Keys: PingAM ships with default test keys in the keystore. For production, you must generate your own cryptographic keys for signing and encrypting tokens (SSO, OIDC, SAML) to ensure the integrity of the environment.

Specific Bind Accounts: When connecting to an external PingDS or Active Directory, PingAM should never use a highly privileged account (like cn=Directory Manager). Instead, a dedicated account with limited, specific permissions (ACLs) should be created for AM's use.

Top-Level Administrator Management: The amAdmin account is the "root" of the AM system. In a production environment, it is considered a significant security risk to use this account for daily operations.

Why Option C is the correct answer:The documentation specifically recommends creating anew top-level administratorand thensecuring or disablingthe default amAdmin. This is more effective than simply "renaming" it (Option A) or "reducing privileges" (Options B and D). In PingAM, amAdmin has hardcoded superuser capabilities in many areas; therefore, the best practice is to create a new administrative user with the necessary roles and then protect the amAdmin credentials in a vault. Option B is also incorrect because server-side sessions already store data on the server; the cookie only contains the session ID (the reference), so "encrypting the cookie contents" is redundant for server-side sessions compared to client-side sessions where theentirestate is in the cookie.

In PingAM 8.0.2, device management is a critical part of the Multi-Factor Authentication (MFA) lifecycle. When a user registers a device for Push, OATH, or WebAuthn, that information is stored as a part of their identity profile. There are many scenarios where a device might need to be reset—for example, if a phone is lost, if the ForgeRock/Ping Authenticator app is reinstalled, or if an HOTP (HMAC-based One-Time Password) counter becomes desynchronized beyond the allowed window.

According to the PingAM documentation on "Managing Devices for MFA" and the "REST API for Device Management":

Administrator Capabilities: Administrators have the authority to manage device profiles for any user. They can list, rename, or delete (reset) device profiles using the /json/realms/root/realms/[realm]/users/[username]/devices endpoint. This is vital for helpdesk scenarios (Option D and B).

User Self-Service (The Incorrect Statement C): Statement C is technically incorrect because PingAM's REST API specifically supportsself-service device management. An authenticated end-user has the permission to manage theirowndevices. They can call the /json/realms/root/realms/[realm]/users/[username]/devices endpoint using their own valid SSO token to delete their own registered devices. This allows organizations to build self-service portals where users can "Unpair" a lost device without calling support (Option A).

The internal security of PingAM ensures that while a regular user can only access their own device sub-resource, an administrator with the appropriate amAdmin or Delegate Admin privileges can access the resources of all users. Therefore, the claim thatonlyadministrator accounts can use the REST API for these actions is false and contradicts the "User Self-Service" philosophy built into the PingAM 8 API architecture.

In PingAM 8.0.2, the management of cryptographic material has evolved toward the Secret Store framework, which allows secrets to be stored in various locations (Filesystem, HSM, or Environment Variables). However, for specific core features, the internal PingAM keystore (historically keystore.jks) remains the primary repository for the keys used to protect session integrity.

According to the "Client-side Session Security" documentation, when a realm is configured forClient-side sessions, the entire state of the user's session is encapsulated within a signed and encrypted JSON Web Token (JWT). This JWT is then stored in the user's browser cookie. To ensure that this token cannot be tampered with or read by unauthorized parties, PingAM must sign and encrypt the payload. The AM engine is hardcoded to look for the specific aliases (such as am.services.session.encryption and am.services.session.signing) within thedefault-keystoresecret store, which points directly to the PingAM keystore.

While other features likeOAuth2 providers(Option D) and thePersistent Cookie node(Option B) utilize secret stores, they are designed to be highly flexible and can be configured to use keys from any defined secret store in the realm.Authentication trees(Option C) are logical constructs and do not "use" the keystore directly, although individual nodes within a tree might. The distinction forClient-side sessionsis that the feature's fundamental security model is built specifically around the cryptographic keys managed within the AM keystore to provide "stateless" session management. Administrators must ensure that the same keystore and aliases are shared across all nodes in a cluster to allow any AM instance to validate a client-side session token issued by another node.

In PingAM 8.0.2, especially when utilizing File-Based Configuration (FBC), the startup sequence relies on a "bootstrap" phase to locate the system's configuration. According to the "Installation Guide" and "Configuration Directory Structure," the primary file involved in this process is named boot.json.

The boot.json file contains the essential connection details required for the AM binaries to find and unlock the configuration store (usually PingDS). This includes the LDAP host, port, bind DN, and references to the secret stores needed to decrypt the configuration.

The location of this file is determined by theConfiguration Directorypath specified during the initial setup. By default, PingAM creates its configuration directory in the home directory of the user running the web container. The standard path structure is <user-home>/<am-instance-dir>/. Therefore, the boot.json file is located at the root of this instance directory:<</b>user-home>/<</b>am-instance-dir>/boot.json.

Options A and Dare incorrect because they place the file inside a /config subdirectory; while AM has many config files in subdirectories, the boot.json sits at the root to be accessible as the first point of entry.

Option Bis incorrect because it suggests the file is stored within the Tomcat webapps folder. PingAM specifically avoids storing configuration data within the web application binaries to ensure that configuration persists even if the .war file is deleted or redeployed.

Understanding the location of boot.json is vital for DevOps engineers who need to automate the deployment of PingAM using tools like Amster or when troubleshooting a "Failed to connect to the configuration store" error during server startup.