PingAccess usesIdentity Mappingsto take identity attributes provided by the authentication source (e.g., PingFederate, OpenID Connect) and map them into HTTP request headers for back-end applications.
Exact Extract:
"An identity mapping allows you to map identity attributes from the user's session to HTTP headers, cookies, or query parameters that are then forwarded to the target application."
* Option A (Site Authenticators)is incorrect because Site Authenticators configure how PingAccess communicates with applications requiring authentication, not how attributes are inserted into headers.
* Option B (Identity Mappings)is correct - this is the feature designed specifically to expose user attributes to applications via HTTP headers.
* Option C (Web Sessions)manages how sessions are stored and validated, but not the mapping of attributes into requests.
* Option D (HTTP Requests)refers to request/response processing rules, but attributes are not mapped here.
Reference:PingAccess Administration Guide -Identity Mapping

For SSL termination, PingAccess requires aKey Pair(certificate + private key). During a POC/demo, when a self-signed certificateis used, the administrator can create it directly in theKey Pairssection of the console.
Exact Extract:
"Use the Key Pairs section to create self-signed certificates for testing or proof-of-concept deployments. For production, import a PKCS#12 file containing a certificate chain and private key."
* Option Ais incorrect - Certificates store trust anchors (CAs), not SSL termination certs.
* Option Bis incorrect - an internal CA-signed cert requires PKCS#12 import, not self-signed creation.
* Option Cis incorrect - a publicly trusted CA is not used for a demo phase.
* Option Dis correct - creating a new certificate in Key Pairs generates a self-signed cert suitable for demos.
Reference:PingAccess Administration Guide -Key Pairs and Certificates

When using theAuthorization Code Flowfor authentication, PingAccess must be configured with:
* AnOAuth Client IDthat identifies the application to the IdP.
* TheOpenID Connect Login Typeset to Authorization Code.
Exact Extract:
"When configuring an OIDC web session, specify the OAuth client ID and select the OpenID Connect login type (Authorization Code, Hybrid, or Implicit)."
* Option A (OAuth Token Introspection Endpoint)is not required for Authorization Code flow - token introspection is used in other cases.
* Option B (OAuth Client ID)is correct - required for OIDC authorization requests.
* Option C (OpenID Connect Issuer)is discovered automatically via metadata when you configure the token provider.
* Option D (Virtual Host)is required for application exposure but not specific to OIDC flow.
* Option E (OpenID Connect Login Type)is correct - must be set to "Authorization Code." Reference:PingAccess Administration Guide -Configuring OIDC Web Sessions

To transmit theid_tokenvia a back channel according to OIDC best practices, the application must use the Authorization Code Flow(login type =code). This ensures tokens are retrieved securely via the back channel instead of being exposed in the browser.
Exact Extract:
"For back-channel transmission of ID tokens, configure the OIDC login type as Authorization Code."
* Option Ais correct - setting login type to code ensures back-channel delivery.
* Option Bis incorrect - request preservation concerns request method persistence, not OIDC flow.
* Option Cis incorrect - POST is not a valid login type; only Code, Implicit, or Hybrid.
* Option Dis incorrect - request preservation has no bearing on token delivery.
Reference:PingAccess Administration Guide -Configuring OIDC Web Sessions

Publicly trusted Certificate Authorities are already included in theJava Trust Store Certificate Group, which PingAccess can use directly. This avoids importing the certificate manually.
Exact Extract:
"If the target site uses a certificate from a well-known public CA, configure the site to use the Java Trust Store Certificate Group."
* Option Ais incorrect - Key Pairs store private keys for SSL termination, not public CA trust anchors.
* Option Bis correct - Java Trust Store already contains trusted public CAs.
* Option Cis incorrect - again, Key Pairs are not used for trust validation.
* Option Dis unnecessary for public CAs - only internal/self-signed certs must be imported.
Reference:PingAccess Administration Guide -Trusted Certificate Groups