PT-AM-CPE Certified Professional - PingAM Exam Questions With Correct Answers Verified Instant Download Pdf
Uploaded on
04-06-2026
Written in
2025/2026

1 A user accesses the login page with an active session but appends ?ForceAuth=true to the URL. What is the expected behavior?

• A) PingAM ignores the existing session and forces re-authentication.
• B) The user is redirected to the default application without logging in.
• C) PingAM throws an "Invalid Parameter" error.
• D) The session is terminated immediately.

Correct Answer: A

Explanation: The ForceAuth=true parameter is a standard directive supported by PingAM. Even if a valid session (iPlanetDirectoryPro cookie) exists, this parameter forces the authentication engine to ignore the current session and present the login page to the user. This is critical for high-security transactions (e.g., changing a password or confirming a bank transfer).

2 In PingAM, what is the primary function of the Core Token Service (CTS)?

• A) Storing user profile attributes from LDAP.
• B) Storing server-side session tokens and OAuth2 tokens.
• C) Storing the boot.json configuration file.
• D) Storing static system configuration data.

Correct Answer: B

Explanation: The CTS is a high-performance persistence layer designed specifically for short-lived, stateful data. Unlike the Configuration Store (static settings) or Identity Store (user profiles), the CTS handles session tokens, OAuth2 access tokens, refresh tokens, and authorization codes. This separation allows for distributed deployments and high availability.

3 For directories that do not support persistent search, how must PingAM be configured and what is the performance impact?

• A) Enable caching; positive impact.
• B) Enable caching; negative impact.
• C) Disable caching; positive impact.
• D) Disable caching; negative impact.

Correct Answer: D

Explanation: Persistent search allows PingAM to receive real-time updates from the directory. Without it, enabling caching would lead to stale data (e.g., incorrect group membership). Therefore, caching must be disabled to ensure "read-through" accuracy. However, this forces every request to hit the LDAP server directly, increasing latency and load (negative performance impact).

4 In the context of Certificate-Bound Proof-of-Possession (PoP) for OAuth2 tokens (mTLS), what must the client present to the authorization server to prove token ownership?

• A) A nonce.
• B) The client JSON Web Key (JWK).
• C) The state parameter.
• D) The client private certificate.

Correct Answer: D

Explanation: According to RFC 8705, a Certificate-Bound Access Token is "pinned" to a client certificate. When the token is presented, the client must perform Mutual TLS (mTLS) and present the private certificate during the TLS handshake. The server validates that the certificate matches the thumbprint (cnf claim) embedded in the token. Without the private key proof, the token is rejected.

5 Which statement is true regarding the "Auto-Federation" feature in PingAM SAML2 configurations?

• A) It requires the user to log in to both the IdP and the SP to link accounts.
• B) It links accounts based on the SAML NameID format only.
• C) It links accounts by matching a common attribute value (e.g., email) automatically.
• D) It requires manual approval from an administrator.

Correct Answer: C

Explanation: Auto-federation allows "Just-in-Time" (JIT) provisioning. It uses a common attribute (like mail) found in the SAML assertion to search the local identity store. If a match is found, the accounts are linked. The user only needs to log in to the Identity Provider (IdP); the linking happens seamlessly in the background without prompting the user to log in again at the SP.

6 You are building an authentication tree using the OATH nodes. If the OATH Registration node is set to "TOTP" (Time-based), which node must also be set to "TOTP" to validate the code correctly?

• A) OATH Token Verifier.
• B) Recovery Code Collector Decision node.
• C) Push Sender node.
• D) OATH Device Storage node.

Correct Answer: A

Explanation: The OATH Registration node sets up the shared secret and algorithm (TOTP or HOTP) on the user's device. The OATH Token Verifier must use the identical algorithm to validate the one-time password. If the verifier is set to HOTP (counter-based) while the app generates TOTP (time-based), validation will consistently fail due to mismatched expectations.

7 When PingAM starts up, it relies on a specific file to locate the configuration store (LDAP). What is the default path and filename for this bootstrap file?

• A) <user-home>/.openam/config/boot.json
• B) <tomcat-home>/webapps/openam/WEB-INF/boot.json
• C) <user-home>/<am-instance-dir>/boot.json
• D) <user-home>/<am-instance-dir>/config/boot.json

Correct Answer: C

Explanation: The boot.json file is the bootstrap configuration file. It contains essential connection details (LDAP host, port, bind DN) for the configuration store. It is located at the root of the AM instance directory, typically ~/<instance-dir>/boot.json. It is not stored inside the webapps folder (to survive redeploys) nor inside a /config subfolder (as it is the first file read).

8 Which outcome is NOT a standard possible outcome of the Push Result Verifier node?

• A) Success
• B) Failure
• C) Expired
• D) Retry

Correct Answer: D

Explanation: The Push Result Verifier node checks the status of a dispatched push notification. The four distinct outcomes are: Success (user approved), Failure (user denied), Expired (timeout reached), and Waiting (still pending response). While a "Retry" logic can be built in the tree using loops, the node itself does not have a "Retry" outcome.

9 What is the purpose of the "Step-Up Authentication" feature in PingAM?

• A) To increase the logging level of the authentication server.
• B) To require a higher level of authentication (e.g., MFA) when accessing a high-value resource.
• C) To upgrade the PingAM software version automatically.
• D) To move a user session from a staging server to a production server.

Correct Answer: B

Explanation: Step-up authentication allows an application to request that a user re-authenticate or provide a second factor, even if they already have an active session. If a user is at authentication level 0 (password) and tries to access a resource requiring level 1, PingAM prompts for OTP or biometrics. It creates a new session with the higher level while preserving session properties.

10 What is the default session token type used for client-side sessions in PingAM 8.0.2?

• A) Plain text session ID.
• B) Signed and encrypted JWT (JSON Web Token).
• C) CTS pointer only.
• D) Base64 encoded username.

Correct Answer: B

Explanation: In modern PingAM deployments (especially stateless configurations), client-side sessions use signed and encrypted JWTs. This allows the session state to be stored client-side (in a cookie) rather than server-side, reducing CTS load. The signature prevents tampering, and the encryption prevents information disclosure.

11 When configuring PingAM clustering for high availability, which service is critical for replicating session states across nodes?

• A) The local file system.
• B) The Core Token Service (CTS).
• C) The local disk cache.
• D) The individual node's .

Correct Answer: B

Explanation: In a cluster, a user might be authenticated by Node A but hit Node B on the next request. To enable this, sessions must be "visible" to all nodes. The CTS acts as a centralized, highly available repository that stores session tokens, allowing any node in the cluster to retrieve the session state.


Brainarium Delaware State University