Ping Identity Certified Professional - PingAM PT-AM-CPE Exam Questions

Page: 1 / 14
Total 100 questions
Question 1

Which type of logs are written by PingAM?



Answer : C

According to the PingAM 8.0.2 'Maintenance and Troubleshooting' documentation, the system generates two primary, distinct categories of logs for monitoring and problem-solving: Audit Logs and Debug Logs.

Audit Logs: These are high-level logs intended for security auditing, compliance, and reporting. They record specific 'business events' or 'state changes' within the system. Examples include successful logins, failed authentication attempts, administrative configuration changes (logged in config.audit.json), and policy evaluation decisions (logged in access.audit.json). These logs are structured (often in JSON) to be easily consumed by SIEM (Security Information and Event Management) tools.

Debug Logs: These are low-level, highly verbose logs intended for developers and support engineers. They record the internal 'thought process' of the PingAM engine. They track the execution of specific Java classes, the results of LDAP queries, and the movement of data between authentication nodes. These logs are stored in the /debug directory and can be adjusted to different levels of verbosity (Error, Warning, Message, Info).

While PingAM runs within a Java Virtual Machine (JVM), and you may see container logs (like catalina.out in Tomcat) or 'Java logs' from the underlying web server, these are technically external to the PingAM application itself. The PingAM application's internal logging framework is strictly split between Audit (what happened at a functional level) and Debug (why it happened at a code level). Therefore, Option C is the most accurate technical description of the logs natively managed and written by the PingAM service.
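Because the audit logs are structured JSON meant for SIEM consumption, the natural thing to do with them on the defensive side is to parse them and look for patterns such as bursts of failed logins. The following is an added example, not code from the page or from Ping Identity: the sample records are constructed, and the field names (timestamp, eventName, result, principal, realm) are an assumed shape for a JSON audit topic rather than a copy of the documented schema, so check them against your own audit files.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample audit records (NOT real PingAM output). The field names
# eventName/result/principal/timestamp/realm are an assumed shape for a JSON
# audit topic; verify them against your deployment's audit files before use.
SAMPLE_AUDIT_LINES = [
    '{"timestamp":"2024-05-01T10:00:00Z","eventName":"AM-LOGIN-COMPLETED","result":"FAILED","principal":["alice"],"realm":"/"}',
    '{"timestamp":"2024-05-01T10:01:10Z","eventName":"AM-LOGIN-COMPLETED","result":"FAILED","principal":["alice"],"realm":"/"}',
    '{"timestamp":"2024-05-01T10:02:30Z","eventName":"AM-LOGIN-COMPLETED","result":"FAILED","principal":["alice"],"realm":"/"}',
    '{"timestamp":"2024-05-01T10:03:00Z","eventName":"AM-LOGIN-COMPLETED","result":"SUCCESSFUL","principal":["alice"],"realm":"/"}',
    '{"timestamp":"2024-05-01T10:00:05Z","eventName":"AM-LOGIN-COMPLETED","result":"FAILED","principal":["bob"],"realm":"/"}',
    '{"timestamp":"2024-05-01T10:30:00Z","eventName":"AM-LOGIN-COMPLETED","result":"FAILED","principal":["bob"],"realm":"/"}',
    '{"timestamp":"2024-05-01T10:05:00Z","eventName":"AM-CONFIG-CHANGE","result":"SUCCESSFUL","principal":["amadmin"],"realm":"/"}',
    'this line is not JSON and stands in for a corrupted record',
]


def parse_audit_lines(lines):
    """Parse JSON-lines audit records into (timestamp, eventName, result, principal, realm) tuples."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a corrupted line must not stop the whole pipeline
        ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        principal = (rec.get("principal") or ["<unknown>"])[0]
        events.append((ts, rec.get("eventName"), rec.get("result"), principal, rec.get("realm")))
    return events


def failed_login_bursts(lines, threshold=3, window=timedelta(minutes=5)):
    """Return {principal: count} for principals with >= threshold FAILED logins inside any `window`."""
    attempts = defaultdict(list)
    for ts, name, result, principal, _realm in parse_audit_lines(lines):
        if name == "AM-LOGIN-COMPLETED" and result == "FAILED":
            attempts[principal].append(ts)
    flagged = {}
    for principal, stamps in attempts.items():
        stamps.sort()
        best, j = 0, 0
        for i in range(len(stamps)):  # sliding window over sorted timestamps
            while j < len(stamps) and stamps[j] - stamps[i] <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            flagged[principal] = best
    return flagged


if __name__ == "__main__":
    print(failed_login_bursts(SAMPLE_AUDIT_LINES))  # {'alice': 3}
```

The debug logs described above are the opposite kind of input: free text at a configurable verbosity, useful for diagnosing why a tree failed but not something you would feed to a detection rule like this one.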


Question 2

Which of the following is an incorrect statement about session upgrade outcomes?



Answer : B

In PingAM 8.0.2, a Session Upgrade occurs when a user is required to authenticate at a higher security level (Auth Level). The outcomes of these upgrades depend on the session storage (server-side vs. client-side) and the parameters used.

Statement B is incorrect because it claims that a new token is issued only when the current session does not meet requirements. In reality, if a request explicitly includes a parameter like ForceAuth=true or prompt=login, PingAM will force a re-authentication and issue a new session token regardless of the current session's state.

According to the 'Session Upgrade' and 'Step-up Authentication' documentation:

Statement A is correct: When ForceAuth=true is used, the AM engine ignores the existing session's Auth Level and forces the user through the tree. A new session/token is generated upon success.

Statement C is correct: This describes the standard 'Advice' flow (e.g., from a policy). AM creates a new session, copies existing properties from the old one, and replaces the token.

Statement D is correct: In client-side sessions, since the state is in a JWT cookie, any change (like an Auth Level increase) requires the issuance of a brand-new signed JWT to replace the old one.

Therefore, because PingAM allows for forced re-authentication even when requirements are met, the restrictive 'only when' condition in Statement B makes it the incorrect (and thus the target) answer. This behavior is key for security scenarios where a fresh proof of presence is required regardless of previous activity.



Question 3

What is session denylisting used for?



Answer : C

Session Denylisting is a critical security feature in PingAM 8.0.2, primarily used when a realm is configured for client-side sessions. In a client-side session model, the session state is stored in a signed and encrypted JWT within the user's browser cookie rather than in the server's memory or the Core Token Service (CTS). Because the server does not 'own' the session state, a logout event typically only involves deleting the cookie from the browser. However, if a malicious actor had previously copied that cookie, they could still use it until it naturally expires.

To solve this, PingAM uses Session Denylisting to keep track of logged out sessions. When a user logs out, or when a session is invalidated (e.g., during a session upgrade or administrative action), AM records the session identifier in a denylist stored within the Core Token Service (CTS). For every subsequent request, AM checks the incoming client-side session token against this denylist. If the session ID is found in the denylist, AM rejects the token as invalid, even if the cryptographic signature is correct and the expiration time has not passed.

The documentation emphasizes that this feature is essential for 'tracking session logouts across multiple AM servers' in a cluster. Without denylisting, there would be no way to perform a 'global logout' for client-side sessions that is immediately effective across all nodes. Administrators can configure properties such as the Denylist Purge Delay (to account for clock skew) and the Denylist Poll Interval (to balance security speed with system performance). By effectively managing the lifecycle of revoked tokens, session denylisting ensures that a logout is a cryptographically and operationally certain event.
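The ordering of checks is the whole point: signature first, expiry second, denylist last, so that a token which is perfectly valid on its own merits is still rejected after logout. The following is an added example that is not code from the page or from Ping Identity; it models a client-side session as a simplified HMAC-signed JWT, a denylist keyed by session ID with a purge delay, and the logout and validation steps. The signing key, the claim names (sid, sub, exp) and the purge-delay semantics are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json

# Assumption: one HMAC key shared by every AM node in the cluster (constructed demo key).
SIGNING_KEY = b"constructed-demo-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_client_side_session(session_id, subject, ttl_seconds, now):
    """Mint a self-contained, signed session token (JWT-shaped, HS256-style; simplified)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sid": session_id, "sub": subject, "exp": now + ttl_seconds}).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


class SessionDenylist:
    """Stand-in for the CTS-backed denylist: session ID -> time after which the entry may be purged."""

    def __init__(self, purge_delay_seconds=0):
        self.purge_delay = purge_delay_seconds
        self._entries = {}

    def add(self, session_id, token_exp):
        # Keep the entry until the token would have expired anyway, plus a delay for clock skew.
        self._entries[session_id] = token_exp + self.purge_delay

    def purge(self, now):
        self._entries = {sid: t for sid, t in self._entries.items() if t > now}

    def contains(self, session_id, now):
        self.purge(now)
        return session_id in self._entries


def validate_session(token, denylist, now):
    """Return (ok, subject_or_reason). Signature, then expiry, then denylist."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return False, "malformed"
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return False, "bad signature"
    claims = json.loads(_unb64(payload))
    if now >= claims["exp"]:
        return False, "expired"
    if denylist.contains(claims["sid"], now):
        return False, "denylisted"  # valid signature, not expired, but logged out
    return True, claims["sub"]


def logout(token, denylist):
    """Server-side part of logout: record the session ID so every node rejects the token."""
    claims = json.loads(_unb64(token.split(".")[1]))
    denylist.add(claims["sid"], claims["exp"])


def forged_token(token, new_subject):
    """Re-encode the payload with a different subject but keep the old signature."""
    header, payload, sig = token.split(".")
    claims = json.loads(_unb64(payload))
    claims["sub"] = new_subject
    return f"{header}.{_b64(json.dumps(claims).encode())}.{sig}"


def demo():
    now = 1_700_000_000
    dl = SessionDenylist(purge_delay_seconds=60)
    tok = issue_client_side_session("sess-1", "alice", 3600, now)
    before = validate_session(tok, dl, now + 10)
    logout(tok, dl)
    after = validate_session(tok, dl, now + 20)
    later = validate_session(tok, dl, now + 3661)  # denylist entry purged, but token has expired
    tampered = validate_session(forged_token(tok, "admin"), dl, now + 10)
    return before, after, later, tampered
```

The purge step is safe only because expiry is checked before the denylist: an entry may be dropped once the token it refers to can no longer pass the expiry check, which is why the purge delay exists to absorb clock skew between nodes.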


Question 4

Which feature of PingAM protects against cookie hijacking in a cross-domain single sign-on environment?



Answer : D

In a Cross-Domain Single Sign-On (CDSSO) environment, PingAM must manage session cookies across multiple distinct DNS domains. By default, a standard SSO token could potentially be stolen and reused by a malicious actor to gain access to other domains within the same realm. To mitigate this specific threat, PingAM 8.0.2 utilizes Restricted Tokens.

According to the documentation on 'Securing CDSSO session cookies,' a restricted token is a unique SSO token issued for each specific application or policy agent after successful user authentication. When CDSSO is active with cookie hijacking protection enabled, PingAM issues a 'master' SSO token for the domain where AM resides and separate restricted tokens for the other fully qualified domain names (FQDNs) where web or Java agents are located.

The restricted token is 'restricted' because it is inextricably linked to the specific agent and application that initiated the redirection. Internally, AM stores a correlation between the master session and these restricted tokens. If an attacker attempts to hijack a restricted token and use it to access a different application or a different domain, the AM server performs a validation check on the constraint associated with the token (such as the agent's DN or IP). If the request does not originate from the authorized entity, a security violation is triggered, and access is denied. This mechanism ensures that even if a cookie is stolen in one domain, its utility is confined strictly to that domain and cannot be used for 'lateral movement' across the enterprise's other protected resources. It is important to note that restricted tokens require server-side sessions to function; they are not supported for client-side (JWT-based) sessions.
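The mechanism above reduces to a server-side correlation table: each restricted token points back to its master session and carries the constraint (here, an agent identifier) it was issued for, and validation fails when the presenting agent does not match. The following is an added example, not code from the page or from Ping Identity's implementation; the class, method names and the agent identifiers are constructed for illustration, and the model deliberately keeps sessions server-side as the text requires.

```python
import secrets


class SessionService:
    """Constructed model of a server-side session store with per-agent restricted tokens."""

    def __init__(self):
        self._master = {}       # master token -> subject
        self._restricted = {}   # restricted token -> (master token, agent constraint)

    def create_master_session(self, subject):
        """Master SSO token for the domain where AM itself lives."""
        token = secrets.token_urlsafe(16)
        self._master[token] = subject
        return token

    def issue_restricted_token(self, master_token, agent_id):
        """One restricted token per agent, correlated with the master session."""
        if master_token not in self._master:
            raise KeyError("unknown master session")
        token = secrets.token_urlsafe(16)
        self._restricted[token] = (master_token, agent_id)
        return token

    def validate_restricted(self, token, requesting_agent):
        """Return (ok, subject_or_reason). The constraint check is what stops cross-domain reuse."""
        entry = self._restricted.get(token)
        if entry is None:
            return False, "unknown token"
        master_token, bound_agent = entry
        if master_token not in self._master:
            return False, "master session ended"
        if not secrets.compare_digest(bound_agent, requesting_agent):
            return False, f"constraint violation: token bound to {bound_agent}"
        return True, self._master[master_token]

    def logout(self, master_token):
        """Ending the master session implicitly invalidates every restricted token tied to it."""
        self._master.pop(master_token, None)


def demo():
    svc = SessionService()
    master = svc.create_master_session("alice")
    t_app1 = svc.issue_restricted_token(master, "agent-app1.example.test")
    t_app2 = svc.issue_restricted_token(master, "agent-app2.example.test")
    legit = svc.validate_restricted(t_app1, "agent-app1.example.test")
    misused = svc.validate_restricted(t_app1, "agent-app2.example.test")  # app1's token presented via app2
    other = svc.validate_restricted(t_app2, "agent-app2.example.test")
    svc.logout(master)
    after_logout = svc.validate_restricted(t_app2, "agent-app2.example.test")
    return legit, misused, other, after_logout
```

In a real deployment the constraint would be the agent's DN or IP as the text describes, and the store would be the CTS rather than an in-memory dict; the shape of the check is the same.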


Question 5

In which OAuth2 grant would you find a user code?



Answer : D

The Device Authorization Grant (commonly referred to as the Device Flow, RFC 8628) is a specialized OAuth 2.0 grant flow supported by PingAM 8.0.2. It is designed for internet-connected devices that either lack a browser or have limited input capabilities (e.g., Smart TVs, IoT devices, or CLI tools).

In this flow, the interaction is split between the 'Device' and a 'Secondary Device' (like a smartphone or laptop) that has a full browser. The User Code is a fundamental component of this process:

Device Request: The device requests a code from PingAM.

PingAM Response: AM returns a Device Code (for the device) and a User Code (a short, human-readable string like BCDF-GHJK).

User Action: The device displays the User Code and a verification URL to the user.

Authorization: The user navigates to the URL on their smartphone, logs into PingAM, and enters the User Code.

Token Issuance: Once the user authorizes the request, the device (which has been polling AM using the Device Code) receives the Access and Refresh tokens.

The User Code is unique to the Device Flow (Option D). It is not used in the Client Credentials Grant (which is machine-to-machine), the Authorization Code Grant (which uses a redirect-based code), or the Resource Owner Password Credentials Grant (which uses direct username/password submission). In PingAM 8.0.2, administrators can configure the length, character set, and expiration time of these user codes within the OAuth2 Provider settings.
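The five steps above are easiest to see as the two endpoints they imply: the device-authorization endpoint that hands out the device_code/user_code pair, and the token endpoint the device polls while the user approves on a second device. The following is an added example, not code from the page or from PingAM; it models both sides of the exchange in one process, with the RFC 8628 error codes (authorization_pending, slow_down, access_denied, expired_token). The class and method names, the verification URI and the user-code alphabet (borrowed from the example in RFC 8628 section 6.1) are assumptions for illustration.

```python
import secrets

# Consonant-only alphabet as in the RFC 8628 section 6.1 example: no look-alike characters, no accidental words.
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"


class AuthorizationServer:
    """Constructed model of an authorization server's device-flow endpoints (not PingAM's implementation)."""

    def __init__(self, verification_uri, user_code_ttl=600, interval=5):
        self.verification_uri = verification_uri
        self.ttl = user_code_ttl
        self.interval = interval
        self._requests = {}       # device_code -> pending request state
        self._by_user_code = {}   # user_code -> device_code

    def _new_user_code(self):
        raw = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        return f"{raw[:4]}-{raw[4:]}"  # e.g. BCDF-GHJK: short enough to read aloud or type

    def device_authorization(self, client_id, scope, now):
        """Device -> AS, first leg: returns device_code (secret, for polling) and user_code (for the human)."""
        device_code = secrets.token_urlsafe(32)
        user_code = self._new_user_code()
        self._requests[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires_at": now + self.ttl, "status": "pending",
            "subject": None, "last_poll": None, "interval": self.interval,
        }
        self._by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": self.verification_uri,
                "expires_in": self.ttl, "interval": self.interval}

    def user_decision(self, user_code, subject, approve, now):
        """Secondary device: the already-authenticated user enters the code and approves or denies."""
        device_code = self._by_user_code.get(user_code.upper().replace(" ", ""))
        req = self._requests.get(device_code)
        if req is None or now > req["expires_at"]:
            return "unknown_or_expired_code"
        req["status"] = "approved" if approve else "denied"
        req["subject"] = subject
        return req["status"]

    def token(self, device_code, now):
        """Device -> AS, polling leg. Error codes follow RFC 8628 section 3.5."""
        req = self._requests.get(device_code)
        if req is None:
            return {"error": "invalid_grant"}
        if now > req["expires_at"]:
            self._forget(device_code)
            return {"error": "expired_token"}
        if req["last_poll"] is not None and now - req["last_poll"] < req["interval"]:
            req["last_poll"] = now
            req["interval"] += 5  # the RFC tells the client to add 5 seconds after slow_down
            return {"error": "slow_down"}
        req["last_poll"] = now
        if req["status"] == "pending":
            return {"error": "authorization_pending"}
        if req["status"] == "denied":
            self._forget(device_code)
            return {"error": "access_denied"}
        self._forget(device_code)  # device code is single-use once tokens are issued
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "refresh_token": secrets.token_urlsafe(24), "scope": req["scope"],
                "subject": req["subject"]}

    def _forget(self, device_code):
        req = self._requests.pop(device_code, None)
        if req:
            self._by_user_code.pop(req["user_code"], None)


def demo():
    """Walk one grant through pending -> slow_down -> approved -> issued -> consumed, plus an expiry."""
    now = 1_000
    srv = AuthorizationServer("https://am.example.test/device", user_code_ttl=600, interval=5)
    grant = srv.device_authorization("smart-tv-app", "profile", now)
    pending = srv.token(grant["device_code"], now + 5)
    too_fast = srv.token(grant["device_code"], now + 6)
    srv.user_decision(grant["user_code"], "alice", True, now + 30)
    issued = srv.token(grant["device_code"], now + 35)
    replay = srv.token(grant["device_code"], now + 40)
    stale = srv.device_authorization("smart-tv-app", "profile", now)
    expired = srv.token(stale["device_code"], now + 601)
    return grant, pending, too_fast, issued, replay, expired
```

Note that the user code is short and human-readable while the device code is long and never shown to the user; that asymmetry is why the user-code lifetime and character set are worth configuring tightly, as the OAuth2 Provider settings mentioned above allow.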


Question 6

Which of the following best describes the relationship between users and realms?



Answer : A

In PingAM 8.0.2, Realms are the primary organizational units used to group configuration, policies, and identities. A common misconception is that a user is 'locked' into a single realm. However, according to the 'Realms' and 'Identity Stores' documentation, the relationship is highly flexible.

A Realm does not actually 'contain' users in a physical sense; instead, a realm is configured with one or more Identity Stores (such as an LDAP directory or a database). Multiple realms can be configured to point to the same underlying Identity Store. Therefore, if a user profile exists in an LDAP directory that is shared by 'Realm A' and 'Realm B,' that user is effectively a member of both realms. They can authenticate to either realm and receive different policies or session properties based on the realm-specific configuration.

Key points from the documentation:

Logical Partitioning: Realms provide a way to apply different authentication logic (different trees) to the same set of users.

Multi-tenancy: An organization can create separate realms for different departments or customer groups, even if they overlap in the back-end user database.

Identity Store Mapping: Because a realm maps to an identity store, and an identity store can be reused across realms, a user's membership is determined by where the realm is 'looking' for data.

Thus, Option A is the correct description of the architecture: a user can be a member of one or more realms depending on how the administrator has mapped the identity repositories.



Question 7

Which authentication node checks and validates a recovery code used during a multi-factor authentication challenge sequence?



Answer : C

PingAM 8.0.2 provides a 'Recovery Code' mechanism as part of its Multi-Factor Authentication (MFA) suite. This allows users to regain access to their accounts if they lose their MFA device (such as a smartphone used for Push or OATH).

According to the PingAM 'Authentication Node Reference' for version 8.0.2:

The node responsible for the validation of these codes is the Recovery Code Collector Decision node. This node performs a dual function:

Collection: It renders the UI callback to the user (a text input field) asking for the recovery code.

Decision/Validation: Once the user submits a code, the node checks the input against the stored, hashed recovery codes in the user's profile.

Analysis of the other options:

Recovery Code Display node (Option A): This node is used during the registration phase to show the user their newly generated codes so they can save them. It does not validate them.

Recovery Code Verifier node (Option D): This is a common distractor name. While 'Verifier' sounds logical, the actual name in the AM designer is the 'Collector Decision' node, reflecting the pattern of nodes that both collect data and make a branching decision.

Recovery Code Comparator node (Option B): Not a standard node in PingAM 8.0.2.

The Recovery Code Collector Decision node typically has two outcomes: Success (code matched and was consumed/removed) or Failure (code was invalid). This node is vital for ensuring that 'Account Recovery' journeys remain secure and functional within the Intelligent Access framework.
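The two outcomes described above (Success when a code matches and is consumed, Failure otherwise) are the interesting part to get right: codes are stored hashed, compared in constant time, and removed on first use so a code can never be replayed. The following is an added example, not code from the page or from PingAM's node implementation; the store, the salted SHA-256 hashing and the code alphabet are assumptions chosen for illustration (the page does not say how AM hashes the codes).

```python
import hashlib
import hmac
import secrets

# Constructed choices: lowercase alphanumerics without look-alikes, 10 characters per code.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_recovery_codes(count=10, length=10):
    """Random single-use codes; this is the set the 'Display' node would show once at registration."""
    return ["".join(secrets.choice(CODE_ALPHABET) for _ in range(length)) for _ in range(count)]


def hash_code(code, salt):
    # Assumption: per-user salted SHA-256. The codes are random and high-entropy, so a
    # fast hash is defensible here; a password would need a slow KDF instead.
    return hashlib.sha256(salt + code.encode()).digest()


class RecoveryCodeStore:
    """Constructed model of the per-user profile attribute holding hashed recovery codes."""

    def __init__(self):
        self._users = {}  # username -> {"salt": bytes, "hashes": set of digests}

    def enroll(self, username):
        codes = generate_recovery_codes()
        salt = secrets.token_bytes(16)
        self._users[username] = {"salt": salt, "hashes": {hash_code(c, salt) for c in codes}}
        return codes  # plaintext leaves the server exactly once, at display time

    def collect_and_decide(self, username, submitted):
        """Outcome of the collector/decision step: 'Success' consumes the code, anything else is 'Failure'."""
        entry = self._users.get(username)
        if entry is None:
            return "Failure"
        candidate = hash_code(submitted.strip().lower(), entry["salt"])
        matched = None
        for stored in entry["hashes"]:  # no early exit, so timing does not reveal which slot matched
            if hmac.compare_digest(stored, candidate):
                matched = stored
        if matched is None:
            return "Failure"
        entry["hashes"].discard(matched)  # single use: a replayed code must fail next time
        return "Success"

    def remaining(self, username):
        return len(self._users[username]["hashes"])


def demo():
    store = RecoveryCodeStore()
    codes = store.enroll("alice")
    first = store.collect_and_decide("alice", codes[0])
    replay = store.collect_and_decide("alice", codes[0])      # already consumed
    wrong = store.collect_and_decide("alice", "not-a-real-code")
    other_user = store.collect_and_decide("bob", codes[1])    # no enrollment for bob
    return first, replay, wrong, other_user, store.remaining("alice")
```

A journey built on this node would typically route Failure back to a retry or lockout branch and Success on to re-enrolling the lost MFA device, which is what keeps the recovery path from becoming a weaker second front door.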


