Ping Identity Certified Professional - PingAccess PAP-001 Exam Questions

Answer : B

When using multiple Access Token Managers, the Send Audience option ensures that tokens are scoped properly and validated against the intended resource/application.

Exact Extract:

''Enable Send Audience in the token provider configuration to support environments with multiple Access Token Managers and enforce correct audience restrictions.''

Option A (Subject Attribute Name) is unrelated --- it maps user identity but not token manager selection.

Option B (Send Audience) is correct --- required when multiple ATMs are in use.

Option C (Use Token Introspection Endpoint) is optional and depends on deployment, not mandatory for multiple ATMs.

Option D (Client Secret) is part of OAuth client credentials, not specific to multiple ATMs.

Answer : C

All onboarding in PingAccess begins with defining an Application. Once the application exists, the administrator can define Resources within it and assign different rules to those resources.

Exact Extract:

''Before you can configure resources and rules, you must first create an application in PingAccess.''

Option A (Identity Mapping) may be required later but not the first step.

Option B (Web Session) can be shared but is not the first onboarding step.

Option C (Application) is correct --- the starting point for onboarding.

Option D (Resource) comes after creating the application.

Answer : A

Virtual Hosts in PingAccess define the external FQDNs (and ports) through which applications are accessed. An application can be bound to multiple virtual hosts to allow access via multiple FQDNs.

Exact Extract:

''A virtual host specifies the fully qualified domain name and port number through which an application is accessed.''

Option A (Virtual Hosts) is correct --- multiple FQDNs can be supported by assigning multiple virtual hosts.

Option B (Applications) define resource protection but do not manage FQDN binding.

Option C (Sites) define back-end targets, not the public-facing FQDN.

Option D (Web Sessions) handle authentication state, unrelated to hostnames.

Answer : C

PingAccess retains backup archives of its configuration in the data/archive directory. The number of retained backups is controlled in the run.properties file.

Exact Extract:

''The number of configuration backups retained in the data/archive directory is controlled by the archive.maxCount property in run.properties.''

Option A (log4j2.db.properties) is incorrect; this file controls database logging, not archive retention.

Option B (jvm-memory.options) is incorrect; this file sets JVM heap and memory arguments.

Option C (run.properties) is correct --- it contains system-level settings including archive.maxCount.

Option D (log4j2.xml) is incorrect; this file configures log appenders and levels, not archive backups.

Answer : D

In PingAccess, when an application relies on claims from an OAuth access token, you must configure PingAccess to evaluate those claims and potentially inject them into headers for the backend application.

Exact Extract from PingAccess documentation:

''OAuth rules allow you to evaluate claims in OAuth access tokens. You can configure PingAccess to look at specific claims and enforce policies or pass them to target applications.''

''To extract attributes from an access token, configure an OAuth Attribute Rule.''

This clearly matches option D.

Analysis of each option:

A . An authentication requirement definition

Incorrect. Authentication requirements determine how users authenticate to applications (OIDC provider, etc.), but do not manage access token claims.

B . A web session attribute rule

Incorrect. Web session attribute rules map attributes from the authenticated user's web session (SSO session), not from OAuth access tokens.

C . An identity mapping definition

Incorrect. Identity mappings transform user attributes (from IdP to app), but they don't directly pull claims from OAuth tokens.

D . An OAuth attribute rule

Correct. This rule is specifically designed to extract and enforce policies on claims from OAuth access tokens.

Therefore, the correct answer is D. An OAuth attribute rule.

Answer : A

PingAccess distinguishes between gateway rules and agent rules. Some processing rules, such as Rewrite Cookie Domain, only apply when PingAccess is acting as a reverse proxy (gateway), not when protecting applications via agents.

Exact Extract:

''Rewrite Cookie Domain rules are not supported for agent applications. They are only available for proxied (gateway) applications.''

Option A (Rewrite Cookie Domain) is correct --- unavailable with agent applications.

Option B (Network Range) is available for both agents and gateways.

Option C (Rate Limiting) is supported on both application types.

Option D (Cross-Origin Request) is also supported in both.

Answer : B

Applications in PingAccess can be associated with multiple Virtual Hosts. Each virtual host defines an FQDN and port combination through which the application is exposed, allowing protection across multiple domains or hostnames.

Exact Extract:

''Virtual hosts specify the fully qualified domain names (FQDNs) and ports that PingAccess uses to expose applications.''

Option A (Sites) represent the target back-end servers, not the external FQDN.

Option B (Virtual Hosts) is correct --- use multiple virtual hosts for multiple domains.

Option C (Redirects) are unrelated to multi-domain application protection.

Option D (Rules) define access policies, not hostnames.