PT-AM-CPE Certified Professional - PingAM Exam
Q1. Which component of PingAM is primarily responsible for evaluating login
policies and determining whether a user can authenticate?
• A. Policy Agent
• B. Authentication Tree
• C. Data Store
• D. Session Service
Answer: B. Authentication Tree
Explanation: Authentication Trees provide flexible, node-based flows to
evaluate credentials and contextual information for login. They replace static
authentication chains in newer versions.
Q2. What is the default protocol PingAM uses for federated single sign-on
(SSO) between service providers and identity providers?
• A. OAuth2
• B. OpenID Connect
• C. SAML 2.0
• D. Kerberos
Answer: C. SAML 2.0
Explanation: While PingAM supports multiple federation standards, SAML
2.0 is the primary standard for enterprise SSO between IdPs and SPs.
Q3. In OAuth2, which grant type is most secure for mobile/native applications
that cannot keep a client secret?
• A. Implicit Grant
• B. Authorization Code with PKCE
• C. Client Credentials
• D. Resource Owner Password
Answer: B. Authorization Code with PKCE
Explanation: PKCE (Proof Key for Code Exchange) mitigates code
interception attacks and is recommended for mobile/public clients.
Q4. Which PingAM feature allows applying risk-based adaptive
authentication by evaluating context such as IP, device, and location?
• A. Service Profiles
• B. Intelligent Access Trees
• C. OAuth2 Scopes
• D. Session Stickiness
Answer: B. Intelligent Access Trees
Explanation: Intelligent Access lets admins design adaptive, conditional flows
to apply MFA or risk checks during authentication.
Q5. A customer wants PingAM to issue short-lived access tokens for API
calls. Which configuration should be adjusted?
• A. Token Lifetime in OAuth2 Provider settings
• B. Session Timeout in Core Config
• C. Data Store Replication
• D. Authentication Tree Nodes
Answer: A. Token Lifetime in OAuth2 Provider settings
Explanation: Token lifetime is controlled at the OAuth2 Provider configuration
level, independent of user session settings.
Q6. Which is TRUE about PingAM session tokens?
• A. They are stored only in the identity store
• B. They can be stateless (JWT) or stateful
• C. They cannot be revoked until they expire
• D. They are always tied to OAuth2 tokens
Answer: B. They can be stateless (JWT) or stateful
Explanation: PingAM supports both stateful sessions stored in memory and
stateless JWT sessions for scalability.
Q7. When deploying PingAM behind a load balancer, which feature ensures
session consistency across nodes?
• A. Sticky Sessions or Session Clustering
• B. OAuth2 Refresh Tokens
• C. Global Services Registry
• D. Data Store Failover
Answer: A. Sticky Sessions or Session Clustering
Explanation: Either sticky sessions at the LB or PingAM session clustering
ensures requests from a client map to the correct session state.
Q8. In SAML 2.0, what is the role of the Assertion Consumer Service (ACS)
URL?
• A. It validates the IdP’s metadata
• B. It receives the SAML assertion at the SP
• C. It initiates logout
• D. It handles token refresh
Answer: B. It receives the SAML assertion at the SP
Explanation: The ACS endpoint is where the IdP posts the SAML assertion
after successful authentication.
Q9. Which PingAM feature allows administrators to integrate with third-party
MFA solutions like PingID or Duo?
• A. Authentication Trees with MFA Nodes
• B. OAuth2 Scopes
• C. Core Config Realms
• D. Policy Enforcement Points
Answer: A. Authentication Trees with MFA Nodes
Explanation: MFA nodes can call external MFA providers as part of
authentication flows.
Q10. Which OAuth2 flow is designed for machine-to-machine
communication?
• A. Authorization Code
• B. Client Credentials
• C. Implicit
• D. Hybrid
Answer: B. Client Credentials
Explanation: The Client Credentials grant issues tokens directly to the client
(without user context) for service accounts.
Q11. What does PingAM use to map roles/attributes from the user directory
into SAML or OIDC tokens?
• A. Identity Gateway
• B. Attribute Mapper
• C. Session Service
• D. Federation Metadata
Answer: B. Attribute Mapper
Explanation: Attribute Mappers control which attributes (e.g., email, roles) are
included in tokens/claims.
Q12. Which option is best for ensuring high availability in a global PingAM
deployment?
• A. Use a single data center with sticky sessions
• B. Replicate DS across multiple regions with global load balancing
• C. Enable only JWT sessions