PT-AM-CPE Certified Professional - PingAM Exam Questions and Answers

The JSON object structure provided refers to the Actor (act) claim used in OAuth 2.0 Token Exchange (RFC 8693) within PingAM 8.0.2. This claim is essential for scenarios involving delegation or impersonation, where one entity (the actor) is performing an action on behalf of another (the subject). In PingAM, the sub (subject) field within the act claim follows a specific internal format: (type!subject).

According to the PingAM 8.0.2 documentation regardingToken Exchange Configuration, the type part of this string is a mandatory prefix that identifies the category of the identity acting as the delegate. The documentation explicitly defines two primary valid values for this type field:

usr: This specifies that the subject is auser/identityfrom an identity store. For instance, if a user is acting on behalf of another user, the claim would appear as "(usr!username)".

age: This specifies that the subject is anOAuth 2.0/OpenID Connect-related agent or client. Examples include an OAuth 2.0 client, a Remote Consent Service agent, or a Web/Java Agent internal client. An example would be "(age!myClientID)".

While "user" and "agent" are the descriptive terms for these categories, theactual technical valuesrecognized and emitted by PingAM in the claim string are the three-letter shorthand codes. Therefore, usr (Option B) is the correct valid value. Choosing "user" (Option D) would be technically incorrect in the context of the exact string format required by the AM engine. This formatting ensures that when the token is introspected or validated, the resource server can correctly parse whether the actor is a human user or a machine client.

According to the PingAM 8.0.2 "Maintenance and Troubleshooting" documentation, the system generates two primary, distinct categories of logs for monitoring and problem-solving: Audit Logs and Debug Logs.

Audit Logs: These are high-level logs intended for security auditing, compliance, and reporting. They record specific "business events" or "state changes" within the system. Examples include successful logins, failed authentication attempts, administrative configuration changes (logged in config.audit.json), and policy evaluation decisions (logged in access.audit.json). These logs are structured (often in JSON) to be easily consumed by SIEM (Security Information and Event Management) tools.

Debug Logs: These are low-level, highly verbose logs intended for developers and support engineers. They record the internal "thought process" of the PingAM engine. They track the execution of specific Java classes, the results of LDAP queries, and the movement of data between authentication nodes. These logs are stored in the /debug directory and can be adjusted to different levels of verbosity (Error, Warning, Message, Info).

While PingAM runs within aJavaVirtual Machine (JVM), and you may see container logs (like catalina.out in Tomcat) or "Java logs" from the underlying web server, these are technically external to the PingAM application itself. The PingAM application's internal logging framework is strictly split betweenAudit(what happened at a functional level) andDebug(why it happened at a code level). Therefore, Option C is the most accurate technical description of the logs natively managed and written by the PingAM service.

When integrating PingAM 8.0.2 with an external LDAP directory (such as PingDS or Active Directory), the Identity Store configuration defines how AM interacts with that directory. A common task is defining which LDAP attribute should be used when a user attempts to log in with a username.

According to the "Identity Store Configuration Reference," the propertyLDAP Users Search Attributeis the correct attribute to modify. This field defines the LDAP attribute name that AM uses in its search filter to find a matching user entry. For example, if this property is set to uid, AM will execute a search like (&(objectClass=person)(uid=username)). If the requirement changes such that users should log in using their email addresses, the administrator would update this property to mail.

LDAP Users Search Attribute (Option A): Directly controls the attribute used in the user lookup query.

LDAP Users Bind Attribute (Option C): This is used to specify which attribute forms the Distinguished Name (DN) during a bind operation, but the initial "finding" of the user is governed by the Search Attribute.

Option B and D: These are not standard property names within the PingAM Data Store configuration UI.

Understanding this mapping is essential for aligning PingAM with the existing schema of an organization's directory. This setting is typically found underRealms > [Realm Name] > Identity Stores > [Store Name] > LDAP Secondary Configuration.

PingAM 8.0.2 supports various Multi-Factor Authentication (MFA) methods, each with different hardware and software requirements.7 The question asks specifically for methods that require both a separate device and a specific application.

Push Authentication: This requires a mobile device (separate from the computer used to log in) and theForgeRock/Ping Authenticator app(or a custom app using the SDK) to receive and approve the notification.8

Open Authentication (OATH): This refers toTOTP(Time-based One-Time Password). It requires a separate device (smartphone or hardware token) and an application (like ForgeRock Authenticator, Google Authenticator, or Authy) to generate the 6-digit rotating codes.

Why WebAuthn is excluded: WhileWebAuthn(Option A, B, and C) can use separate devices (like a YubiKey or a secondary phone), it is specifically designed to worknatively with the browser and the operating system(using the FIDO2 standard). It doesnotrequire a specific "Authenticator Application" to be installed by the user; instead, it uses the platform's built-in authenticators (like TouchID, FaceID, or Windows Hello) or a hardware key handled directly by the browser's WebAuthn API.

Therefore, the two methods that strictly fit the "Separate Device + App" criteria in the PingAM ecosystem areOpen Authentication and Push, making Option D the correct answer.

In PingAM 8.0.2, the term Affinity Mode (or session affinity) is strictly related to Load Balancing (Option B). It describes a configuration where a load balancer ensures that all requests belonging to a specific user session are consistently routed to the same PingAM server instance in a cluster.

According to the "Load Balancing" and "Deployment Planning" documentation:

Affinity is critical for performance in stateful deployments. While PingAM can operate in a "stateless" manner by retrieving sessions from the Core Token Service (CTS) on every request, this creates unnecessary overhead. Affinity Mode allows the AM server to satisfy requests using its local "In-memory" session cache.

There are two primary levels of affinity discussed in PingAM documentation:

Client-to-AM Affinity: Usually handled by the load balancer using a cookie (like the AMLB cookie) to keep the user on the same AM node.

AM-to-DS Affinity: Used when AM connects to the CTS (PingDS). This ensures that an AM server always talks to the same directory server node to avoid "replication lag" where a session might be written to one DS node but not yet visible on another.

Without affinity, the system remains functional due to the CTS, but performance decreases as every request requires a cross-network database lookup. Therefore, affinity is a core concept of theLoad Balancingand high-availability architecture.

When PingAM 8.0.2 evaluates an authorization policy, the primary output is a "Permit" or "Deny" decision. However, applications and Policy Enforcement Points (PEPs)—like PingGateway or a Web Agent—often require additional metadata about the user or the session to function correctly (e.g., the user's employee ID, department, or a specific preference).

According to the PingAM documentation on "Policies" and "Requesting Decisions":

The mechanism used to provide this extra information is Response Attributes. When defining a policy in the PingAM UI or via REST, an administrator can configure "Response Attributes" which map internal attributes (from the User Profile or the Session) to keys that are sent back in the policy decision payload.

How it works: If a policy is configured with a response attribute mapping uid to User-ID, when PingGateway asks "Can user X access resource Y?", PingAM responds with "Permit" AND a map containing User-ID: X.

Consumption: PingGateway or the Web Agent can then take these attributes and inject them into HTTP headers (e.g., X-User-ID) so the downstream application can consume them without having to query AM again.

Subjects(Option A),Resources(Option B), andActions(Option D) are allinputcomponents used to define the scope of a policy; they are not used to return data to the enforcer. OnlyResponse Attributesserve the purpose of enriching the decision response with additional context.

============

The connection string format HOST:PORT|SERVERID|SITEID is a specific syntax used in PingAM 8.0.2 for Affinity Load Balancing, a feature almost exclusively associated with the Core Token Service (CTS). In high-volume deployments, the CTS handles thousands of session updates per second. To avoid replication lag issues—where an AM server might try to read a session token from a directory server (DS) before the update has replicated from another DS node—PingAM uses "Affinity."16

According to the "CtsDataStoreProperties" and "CTS Deployment Architectures" documentation, this specialized string allows the AM instance to prioritize connections based on theServer IDandSite ID.17The pipe (|) characters signify the optional affinity parameters:

01/02: These represent the Server IDs of the underlying Directory Servers.

Affinity Logic: By providing these IDs, PingAM can ensure that it always routes requests for the same CTS token to the same directory server node.18

While standard Identity Stores (Option A) and the Configuration Data Store (Option C) use LDAP connection strings, they typically utilize a comma-separated list of host:port pairs or rely on a hardware load balancer. The specific use ofserver and site IDs within the connection string itselfto manage LDAP request routing is a hallmark of the CTS affinity configuration.19The documentation explicitly states that "Each connection string is composed as follows: HOST:PORT[|SERVERID[|SITEID]]" within the context ofCTS external store configuration.20Therefore, this complex string is specifically designed for the Core Token Service to ensure data consistency and high performance in clustered environments.

When an OAuth2 client uses Private Key JWT or Client Secret JWT for authentication at the PingAM 8.0.2 token endpoint, it must present a JWT (JSON Web Token) containing specific claims that identify and authorize the client. This is governed by the OIDC and OAuth2 JWT Profile specifications (RFC 7523).

According to the PingAM documentation on "OAuth 2.0 Client Authentication" and the "JWT Profile for Client Authentication":

iss (Issuer): Mandatory. This must be the client_id of the OAuth2 client.

sub (Subject): Mandatory. This must also be the client_id of the OAuth2 client (as the client is the subject of the authentication).

aud (Audience): Mandatory. This must be the URL of the PingAM OAuth2 service (the token endpoint) or the issuer URL.

exp (Expiration Time): Mandatory. This protects against the long-term use of intercepted assertions.

Thejti (JWT ID)(Option A) provides a unique identifier for the token. In the context of standard JWT validation, jti is used to preventreplay attacksby ensuring that a specific token is only processed once. While highly recommended for security hardening, the PingAM 8.0.2 technical reference for OAuth2 client assertions marks jti asoptionalunless the server is explicitly configured to require it for replay detection. Without a jti, PingAM will still validate the iss, sub, aud, and exp claims to authenticate the client. Therefore, among the choices provided, jti is the claim that can be omitted without inherently violating the base OAuth2 JWT authentication request requirements.

============

In PingAM 8.0.2, the recommended and most secure flow for "Public Clients"—such as Single Page Applications (SPAs) written in JavaScript—is the Authorization Code Grant Flow with PKCE (Proof Key for Code Exchange).

Historically, theImplicit Grant Flow(Option B) was used for browser-based apps because they could not securely store a client_secret. However, the Implicit flow is now considered legacy and insecure due to the risk of access token leakage in the browser history or via referrer headers. TheResource Owner Password Credentials Grant(Option C) is also discouraged as it requires the application to handle user credentials directly, violating the core principle of delegated authorization.Client Credentials(Option D) is reserved strictly for machine-to-machine communication where no user is involved.

TheAuthorization Code Grant with PKCEaddresses the security limitations of public clients by replacing the static client_secret with a dynamically generated "code verifier" and "code challenge." The process works as follows:

Challenge Generation: The JavaScript app creates a cryptographically strong random string (Verifier) and transforms it (Challenge).

Authorization Request: The app sends the challenge to PingAM.21

Code Exchange: After user login, AM returns an authorization code. The app then sends the codeandthe original verifier to the token endpoint.

Verification: AM verifies that the verifier matches the initial challenge before issuing the Access Token.

This flow ensures that even if an attacker intercepts the authorization code, they cannot exchange it for a token without the original verifier, which never left the browser's execution context. PingAM 8.0.2 fully supports this flow and provides specific configuration options in the OAuth2 Provider settings to enforce PKCE for all public clients.

In PingAM 8.0.2, there are two distinct ways to implement Mutual TLS (mTLS) for OAuth2 client authentication: the PKI Approach (CA-signed) and the Self-Signed Approach.21

According to the documentation on "Mutual TLS using PKI":

The PKI approach relies on a chain of trust. The steps required are:

Step 1 (Trust): You mustimport the CA certificatesthat signed the client certificates into the truststore of the web container (Tomcat) or the AM Secret Store.22This allows AM to verify the signature of the client's certificate during the TLS handshake.

Step 2 (Mapping): You must configure aSecret Storeand map the am.services.oauth2.tls.client.cert.authentication secret label to the trusted CA aliases.23

Step 3 (Authentication Method): In the OAuth2 Client Profile, you must selecttls_client_auth.24This is the specific OIDC standard string for CA-based mTLS. (In contrast, self_signed_tls_client_auth (Step 4) is used only when you trust individual certificates directly without a CA).25

Step 5 (Identity Mapping): Because multiple clients might have certificates signed by the same CA, you mustprovide the Subject Distinguished Name (DN)(e.g., CN=myClientApp) in the client profile. PingAM uses this to ensure that the certificate presented by the client during the handshake actually belongs to that specific Client ID.

Why other steps are excluded:Step 7(Registering the certificate) is only required for theSelf-Signedapproach, as the PKI approach validates against the CA.Step 6(Revocation check) is a global provider setting or an optional enhancement, but not a fundamental "must-configure" step for the basic PKI identity mapping logic. Thus, the correct sequence for the PKI approach is1, 2, 3, and 5, making Option C the correct answer.

In PingAM 8.0.2, Multi-Factor Authentication (MFA) using the OATH standard supports two primary algorithms: TOTP (Time-based One-Time Password) and HOTP (HMAC-based One-Time Password).14 For an authentication journey to function correctly, the "Registration" phase (where the user's device and AM agree on a secret and algorithm) and the "Verification" phase (where AM checks the submitted code) must be perfectly synchronized.

According to the "Authentication Node Reference" for the OATH Token Verifier node and OATH Registration node:

Both nodes contain a configuration property named OATH Algorithm.15 This property determines how the six- or eight-digit code is generated and validated. If the OATH Registration node is configured to set up a user for TOTP, it will generate a QR code containing the TOTP parameters for the user's authenticator app.

When that user later attempts to log in, theOATH Token Verifier node(Option A) must also be set toTOTP.16If the verifier is accidentally set toHOTP(which uses a counter rather than a time step), the validation will consistently fail because the server will be looking for a counter-based value while the app is providing a time-based value.

Other nodes like theRecovery Code Collector Decision node(Option B) orOATH Device Storage node(Option D) handle subsequent or separate tasks (like account recovery or writing the final profile to LDAP) and do not directly participate in the real-time OATH mathematical validation logic. Thus, theOATH Token Verifieris the mandatory counterpart that must match the registration's algorithm setting.

In PingAM 8.0.2, device management is a critical part of the Multi-Factor Authentication (MFA) lifecycle. When a user registers a device for Push, OATH, or WebAuthn, that information is stored as a part of their identity profile. There are many scenarios where a device might need to be reset—for example, if a phone is lost, if the ForgeRock/Ping Authenticator app is reinstalled, or if an HOTP (HMAC-based One-Time Password) counter becomes desynchronized beyond the allowed window.

According to the PingAM documentation on "Managing Devices for MFA" and the "REST API for Device Management":

Administrator Capabilities: Administrators have the authority to manage device profiles for any user. They can list, rename, or delete (reset) device profiles using the /json/realms/root/realms/[realm]/users/[username]/devices endpoint. This is vital for helpdesk scenarios (Option D and B).

User Self-Service (The Incorrect Statement C): Statement C is technically incorrect because PingAM's REST API specifically supportsself-service device management. An authenticated end-user has the permission to manage theirowndevices. They can call the /json/realms/root/realms/[realm]/users/[username]/devices endpoint using their own valid SSO token to delete their own registered devices. This allows organizations to build self-service portals where users can "Unpair" a lost device without calling support (Option A).

The internal security of PingAM ensures that while a regular user can only access their own device sub-resource, an administrator with the appropriate amAdmin or Delegate Admin privileges can access the resources of all users. Therefore, the claim thatonlyadministrator accounts can use the REST API for these actions is false and contradicts the "User Self-Service" philosophy built into the PingAM 8 API architecture.

PingAM 8.0.2 adheres to the OpenID Connect Core 1.0 specification regarding standard scopes and claims. When a client requests the profile scope, the OpenID Provider (PingAM) is expected to return a specific set of claims that describe the user's basic profile.

According to the PingAM documentation on "Understanding OpenID Connect Scopes and Claims" and the default OIDC Claims Script (which maps internal LDAP attributes to OIDC claims):

The standard claims associated with the profile scope are strictly defined with lowercase, snake_case naming conventions. The default set includes:

name: The user's full name.

given_name: The user's first name.

family_name: The user's surname or last name.

middle_name: (Optional)

nickname: (Optional)

preferred_username: (Optional)

profile: URL to the profile page.

picture: URL to an image.

website: URL.

gender: (Optional)

birthdate: (Optional)

zoneinfo: Timezone.

locale: The user's preferred language/locale.

updated_at: Timestamp.

Option C is the only choice that correctly identifies the snake_case format (given_name, family_name, locale) required by the specification. Options A and B use camelCase or inconsistent naming that does not match the OIDC standard or PingAM's default mapping script. Option D includes preferred_locale, which is incorrect; the standard claim name for a user's language preference in OIDC is simply locale.

In PingAM 8.0.2, Authorization Policies can be configured to use complex conditions to determine if access should be granted. When a policy uses a Subject Condition based on an OpenID Connect (OIDC) ID Token, the policy engine looks for specific claims within that token (such as group membership or a specific user ID).

According to the "Authorization and Policy Evaluation" best practices, it is crucial to understand the separation of concerns between thePolicy Decision Point (PDP)and the client. The PingAM policy engine is designed to evaluate logic—it checks if claimX == valueY. However, the policy engine typically does not perform a full cryptographic validation of the ID token's signature every time it evaluates a condition, especially if the token is passed as a string in the evaluation request.

Therefore, the best practice is as follows:

The client application or the PEP (Policy Enforcement Point) must validate the ID token (ensuring it is signed by a trusted provider, has not expired, and contains the correct audience) before sending the claims to the AM policy service for evaluation. If an unvalidated or forged token is used to supply claims for a policy request, and the policy engine assumes the input is "trusted," it could result in unauthorized access.

By validating the token first (Option C), the implementation ensures that only legitimate identity data is processed by the authorization logic. Option D is incorrect because the policy engine's primary role is decision-making based on presented attributes, not act as a full OIDC validation service during a REST evaluation call. Option B is a security risk as it ignores the necessity of cryptographic proof of identity.

In PingAM 8.0.2, the management of sensitive data such as passwords and cryptographic keys is handled through a unified Secret Store framework. This framework abstracts the source of the secret from the component that consumes it using Secret IDs. One of the most critical secret IDs in a standard installation is storepass.

The storepass secret ID is specifically used by thedefault-keystore(which is typically a "Keystore secret store" pointing to keystore.jks or keystore.p12). Before AM can access the keys within the default-keystore to sign tokens or encrypt data, it must first unlock the keystore itself using the password mapped to the storepass secret ID.

According to the PingAM "Secrets, certificates, and keys" documentation, in adefault file-based configuration, PingAM initializes aFilesystem secret storeas its primary global store. This store is configured to look into a specific directory within the AM configuration path (usually .../openam/secrets/). Inside this directory, AM expects to find files named after the secret IDs they contain. For the storepass ID, there is typically a corresponding file (such as storepass or .storepass) containing the cleartext or encrypted password required to open the primary keystore.

While AM can be configured to use anEnvironment and system property secret store(Option B) for high-portability cloud deployments, the "out-of-the-box" default behavior during a standard installation relies on the filesystem. Option A is incorrect because the storepass is thekeyto the keystore, not a secretinsideit, and Option D refers to specialized hardware integrations not used in a default software-only setup. Therefore, theFilesystem secret storeis the correct technical answer for the default location of the storepass.

============

As defined in the PingAM 8.0.2 documentation under "Introduction to SAML 2.0," the acronym SAML stands for Security Assertion Markup Language. It is an XML-based framework specifically designed for communicating user authentication, entitlement, and attribute information between distinct entities. In a typical federation scenario, these entities are the Identity Provider (IdP), which asserts the identity of the user, and the Service Provider (SP), which consumes the assertion to grant access to resources.

SAML is governed byOASISand has become the industry standard for cross-domain Single Sign-On (SSO). The "Security" aspect of the name refers to the cryptographic methods used to ensure the integrity and confidentiality of the assertions. "Assertion" refers to the specific statements made by the IdP about a subject (usually a user). These assertions can includeAuthentication Statements(proving the user logged in),Attribute Statements(providing data like email or group membership), andAuthorization Decision Statements(indicating what the user is permitted to do). PingAM 8.0.2 fully supports the SAML 2.0 core specifications, protocols, bindings, and profiles. Understanding this fundamental terminology is essential for administrators configuring "Circle of Trust" (CoT) environments or importing metadata from external partners, as the XML namespaces and schema definitions consistently reference the "urn:oasis:names:tc:SAML:2.0" identifier.

Mutual TLS (mTLS) is a security enhancement where both the client and the server provide X.509 certificates to prove their identities.9 In PingAM 8.0.2, mTLS is frequently used for secure "Machine-to-Machine" (M2M) communication, such as between an OAuth2 client and the token endpoint, or between AM and a Directory Server (PingDS).

According to the PingAM documentation on "Secure Network Communication" and "mTLS for OAuth2," the handshake sequence for mTLS follows these logical steps:

Client Hello: The client initiates the request to the server.10

Server Hello & Certificate: The server responds by presenting its own certificate (verifying the server's identity to the client).11In an mTLS scenario, the server also includes aCertificateRequestmessage.12

Client Certificate & Key Exchange: The client validates the server's certificate. If valid, the client then sends its ownClient Certificateto the server, along with the encrypted pre-master secret or key exchange data.

Verification and Establishment: The server validates the client's certificate against its truststore. If the certificate is trusted and the cryptographic signatures match, themutually secure connectionis established.

Option D represents the most accurate "simplified" sequence. Option A is incorrect because the server presents its certificatebeforethe client sends its own certificate. Option B and C are incorrect because the server always responds to the initial "Client Hello" with its own identity (Server Certificate) before the client proceeds with identity submission. This "handshake" ensures that no data is transmitted until both parties have cryptographically verified each other.

The Device Authorization Grant (Device Flow), defined in RFC 8628 and implemented in PingAM 8.0.2, involves a polling mechanism where the device repeatedly asks the token endpoint for an access token using the device_code it received earlier.1

According to the PingAM documentation on "Device Authorization Grant" and "OAuth 2.0 Endpoints," during the period when the user is still navigating to the verification URL and entering their user code, the device's polling requests to the /oauth2/access_token endpoint will not result in a successful token issuance. Instead, PingAM returns a400 Bad Requeststatus code.

It is important to look at the JSON response body accompanying the 400 error. The body contains an error field with the value authorization_pending.2This specific error code tells the device that the authorization request is still valid and in progress, but the user has not yet completed their part. The device should continue to poll at the interval specified in the initial response.

Other error codes like403 Forbidden(Option A) would typically indicate a permanent rejection or that the device is polling too frequently (slow_down).401 Unauthorized(Option C) is generally reserved for invalid client credentials when the client is confidential.302 Found(Option D) is a redirect, which is not used in the back-channel polling phase of the Device Flow. Therefore, while a 400 error usually suggests a client error, in the context of the Device Flow, it is the standard protocol-level response used to communicate that the token is not yet ready because the user hasn't finished authorizing.

Push authentication in PingAM 8.0.2 utilizes the ForgeRock/Ping Authenticator app to provide a seamless, out-of-band multi-factor authentication (MFA) experience.3 To understand the correct statements, we must look at the technical requirements and the authentication lifecycle defined in the "MFA: Push Authentication" documentation.

Statement A is correct: For the initial setup, a device with a camera is required because the registration process involves scanning a QR code generated by PingAM. Additionally, the user must install the specific Authenticator app (available for iOS and Android) to handle the cryptographic exchange and receive push notifications.4

Statement D is correct: This accurately describes the runtime flow of a push journey. When a user reaches aPush Sendernode, PingAM communicates with the Push Notification Service (Apple APNs or Google FCM).5The user's device receives the notification, and PingAM enters a "waiting" state (via thePush Result Verifiernode) until the user either approves or denies the request within the app.6

Why other statements are incorrect:

Statement Bis incorrect because registration and authentication are typically handled byseparate trees. Best practice dictates a "Device Registration" tree for the initial onboarding and a "Login/MFA" tree for day-to-day access. Forcing them into the same tree would be inefficient and create a poor user experience.

Statement Cis a common point of confusion; while the user scans a code, the documentation refers to it as aQR code, not a standardbarcode. In technical certification contexts, this distinction is often strictly enforced.

Therefore, only statementsA and Drepresent the verified facts of the Push implementation in version 8.0.2, making Option C the correct answer.

This question tests the understanding of Session Cookie Domains and browser behavior in a PingAM 8.0.2 deployment. According to the "Secure Session Cookies" documentation, the Cookie Domain setting in a realm determines the scope of the SSO token.

Standard browser cookie rules (RFC 6265) dictate that a cookie set for a specific domain is visible to that domain and all of itssubdomains. However, a cookie isnotvisible to a parent domain or a "sibling" domain.

In this scenario, the cookie is set for am.example.com:

A. example.com: This is theparent domain. A cookie set for am.example.com isnotvisible here. To make it visible to example.com, the cookie domain would have to be explicitly set to .example.com.

B. am.example.com: The cookie is directly set for this domain, so it is obviouslyvisible.

C. sub.am.example.com: This is asubdomainof am.example.com. Under standard cookie rules, it will receive the cookie.

D. login.am.example.com: While this is also a subdomain, the question implies a specific selection.

Looking at the provided options (B and C), Option C accurately reflects the inheritance rule where the domain itself and its immediate sub-levels are covered. While login.am.example.com (Option D) is technically also a subdomain, the standard documentation examples for "Cross-domain" or "Sub-domain" visibility typically emphasize the relationship between the primary AM host and its child applications. Therefore, the combination ofB and Cis the most accurate representation of how the browser handles the scope of an am.example.com cookie.

============

In a Cross-Domain Single Sign-On (CDSSO) environment, PingAM must manage session cookies across multiple distinct DNS domains.2 By default, a standard SSO token could potentially be stolen and reused by a malicious actor to gain access to other domains within the same realm.3 To mitigate this specific threat, PingAM 8.0.2 utilizes Restricted Tokens.4

According to the documentation on "Securing CDSSO session cookies," a restricted token is a unique SSO token issued for each specific application or policy agent after successful user authentication.5When CDSSO is active with cookie hijacking protection enabled, PingAM issues a "master" SSO token for the domain where AM resides and separaterestricted tokensfor the other fully qualified domain names (FQDNs) where web or Java agents are located.6

The restricted token is "restricted" because it is inextricably linked to the specific agent and application that initiated the redirection. Internally, AM stores a correlation between the master session and these restricted tokens.7If an attacker attempts to hijack a restricted token and use it to access a different application or a different domain, the AM server performs a validation check on the constraint associated with the token (such as the agent's DN or IP). If the request does not originate from the authorized entity, a security violation is triggered, and access is denied. This mechanism ensures that even if a cookie is stolen in one domain, its utility is confined strictly to that domain and cannot be used for "lateral movement" across the enterprise’s other protected resources. It is important to note that restricted tokens requireserver-side sessionsto function; they are not supported for client-side (JWT-based) sessions.8

PingAM 8.0.2 provides a robust framework for Multi-Factor Authentication (MFA) centered around modern, secure protocols and the Intelligent Access (Authentication Trees) engine. When discussing supported "protocols" in the context of MFA in PingAM documentation, the focus is on standardized methods for secondary verification.

The primary supported MFA pillars in PingAM 8.0.2 are:

Open Authentication (OATH): AM supports the OATH standards, specificallyTOTP(Time-based One-Time Password) andHOTP(HMAC-based One-Time Password). This is implemented through the "OATH" authentication nodes, allowing users to use apps like ForgeRock Authenticator, Google Authenticator, or YubiKeys in OATH mode.

Web Authentication (WebAuthn): This is the implementation of theFIDO2standard. It allows for passwordless and secure second-factor authentication using biometrics (like TouchID/FaceID) or hardware security keys (like YubiKeys). It is the successor to older standards and is natively supported via WebAuthn nodes.

Push Authentication: This is a proprietary but highly secure protocol used specifically with theForgeRock/Ping Authenticator app. It allows a "Push" notification to be sent to a registered mobile device, which the user then approves or denies.

Why others are excluded from the selection:While PingAM supportsSecurity Questions(KBA) andUniversal 2nd Factor(U2F), they are often categorized differently in the 8.0.2 documentation. Security Questions are considered a "User Self-Service" or "Legacy" validation method rather than a modern MFA protocol. U2F is technically superseded by and included within theWebAuthnframework in PingAM 8.0.2. Thus, the most accurate grouping of distinct, core MFA protocols supported in the current version isA, C, and E, making Option C the correct answer.

In a SAML 2.0 Federation flow, once the Service Provider (SP) receives and validates a SAML Assertion from an Identity Provider (IdP), it must determine which local user account the assertion corresponds to. This is the role of the SAML2 Account Mapper.

According to the PingAM 8.0.2 documentation on "Federate Identities" and the "SAML 2.0 Reference":

The SP-side account mapper (specifically the SPAccountMapper interface or its scripted equivalent) is responsible for mapping the remote user (identified in the SAML assertion) to a local user profile in the SP's identity store.

This mapping can be achieved in several ways:

Account Linking: Finding an existing link between the NameID in the assertion and a local DN.

Attribute Matching: Using an attribute from the assertion (like mail) to search the local directory for a matching user.

Auto-Federation: If configured, creating a link or a new profile automatically based on the incoming data.

If the account mapper cannot find a corresponding local profile, the SP cannot create a local session, and the SSO process will fail, typically with a "User not found" or "Local identity not found" error. Thus, the purpose is strictly the identification of the local subject based on the remote assertion (Option D). Options A and B are incorrect as they describe aggregation or account merging which are not the primary function of the SAML mapper. Option C describes "Attribute Mapping," which is a separate step (handled by the Attribute Mapper) that occursafterthe identity has been successfully mapped.

Audit logging is a vital security feature in PingAM 8.0.2 that provides a record of system activity. To make these logs useful for modern analysis tools and to ensure they contain rich metadata, PingAM utilizes structured logging.

According to the PingAM "Audit Logging Service" documentation:

When an administrator enables audit logging in a new installation, the system is pre-configured with the JSON audit event handler as the default. This handler writes log entries to the local filesystem in a structured JSON format (e.g., access.audit.json).

The choice ofJSON(Option D) as the default is strategic:

Structure: JSON allows for complex, nested data structures, which is necessary to capture the full context of an authentication journey or a policy decision.

Interoperability: JSON is the "native language" of modern log aggregators and SIEM platforms like Splunk, ELK (Elasticsearch/Logstash/Kibana), and Sumo Logic.

Readability: While structured, it remains human-readable for quick manual inspection.

Why other options are incorrect:

CSV (B)andSyslog (C)are available handlers but must be explicitly added or configured; they are not the primary default.

Elasticsearch (A)is a powerful target for audit logs, but PingAM typically sends data there via an external collector reading the JSON files or via a specifically configured Elasticsearch handler, rather than it being the out-of-the-box default for a local installation.

The JSON handler ensures that from the moment logging is turned on, the data is stored in a format that balances detailed reporting with ease of integration.

PingAM 8.0.2 implements OpenID Connect (OIDC) 1.0 as an identity layer on top of the OAuth 2.0 protocol. While OAuth 2.0 is designed for authorization (accessing resources), OIDC is designed for authentication (verifying who the user is).

According to the "OpenID Connect 1.0" documentation in PingAM, the presence of a specific scope in the Authorization Request is what signals to the AM server that the request should be treated as an OIDC flow rather than a standard OAuth2 flow. This mandatory scope isopenid.

When PingAM receives an /oauth2/authorize request containing the scope=openid parameter:

It triggers the OIDC processing logic.

It ensures that anID Token(a signed JWT containing user identity information) is generated alongside (or instead of) the Access Token.

It allows the client to later access theUserInfo Endpointto retrieve further claims about the authenticated user.

Other scopes likeprofile(Option A),email, oraddressare optional OIDC scopes used to request specific sets of user claims, but they do not "activate" OIDC on their own.openid+connectandid(Options B and D) are not recognized standard scopes in the OIDC specification. Therefore,openidis the fundamental requirement for any OIDC interaction in PingAM 8.0.2.

In PingAM 8.0.2 Intelligent Access, the Set Session Properties node is a specialized utility node designed to modify the session object once it is created.

According to the "Authentication Node Reference":

During an authentication journey, data is typically stored in the sharedState. However, sharedState is transient and is destroyed once the tree finishes. If an administrator wants to take a piece of information (e.g., a "Risk Score" calculated during the tree, or a "Branch ID" retrieved from a legacy system) and make it a permanent part of the user's session, they must use the Set Session Properties node.

Functionality: This node allows you to map a value from the sharedState or transientState to a session property name. After the tree reaches aSuccessnode, these properties are persisted in the session (either in the CTS for server-side sessions or the JWT for client-side sessions).

Usage: Once set, these properties can be retrieved later forResponse Attributesin policies, or by applications using the /json/sessions endpoint.

Option A (Get Session Data node)is used toretrieveexisting properties from an active session, not set them.Option Bis incorrect because while webhooks can trigger external logic, the native way to modify the session within a tree is a node.Option C (Provision Dynamic Account node)is for creating user entries in the Identity Store (LDAP), not for managing session-level properties. Therefore,Set Session Properties(Option D) is the correct technical tool for this requirement in version 8.0.2.

According to the PingAM 8.0.2 Upgrade Guide and the "Plan the upgrade" documentation, a successful upgrade and potential rollback strategy rely on capturing the complete state of the application across three distinct locations on the filesystem. When PingAM is deployed in a container like Apache Tomcat, the configuration is not stored within the WAR file itself but is distributed to maintain persistence across redeployments.

The three critical areas that must be backed up are:

The Web Application Directory (/path/to/tomcat/webapps/openam/): This contains the expanded binaries, JSPs, and web-level configurations. While the upgrade involves replacing the openam.war file, backing up this folder preserves any manual customizations made to the UI, CSS, or specific library additions (JARs) in the WEB-INF/lib folder.

The Configuration Directory (<home directory>/openam/ or similar): This is the most vital component. By default, PingAM stores its instance-specific configuration, cryptographic keys (keystores), and internal metadata here. For file-based configurations (FBC), this directory holds the entire system state. Even with an external PingDS configuration store, this directory contains the bootstrap file and security secrets required to connect to that store.

The Bootstrap Configuration File (<home directory>/.openamcfg/): This hidden directory contains a file (usually named after the deployment path, e.g., am or openam) that tells the PingAM binaries where the actual configuration directory is located. Without this pointer, a restored PingAM instance will behave like a fresh installation and prompt for a new setup.

The documentation explicitly warns: "Always back up your deployment before you upgrade... For AM servers, you can roll back by restoring from a file system backup of the deployed servers and their configuration directories." Relying only on the webapps folder (Option A) or assuming automatic backups (Option B) will lead to data loss or an unrecoverable state.