Which of the following options represents best practice for an implementation that configures an ID token in a subject condition for policies validating the token's claims?
Correct Answer: C
In PingAM 8.0.2, Authorization Policies can be configured to use complex conditions to determine if access should be granted. When a policy uses a Subject Condition based on an OpenID Connect (OIDC) ID Token, the policy engine looks for specific claims within that token (such as group membership or a specific user ID). According to the "Authorization and Policy Evaluation" best practices, it is crucial to understand the separation of concerns between the Policy Decision Point (PDP) and the client. The PingAM policy engine is designed to evaluate logic-it checks if claimX == valueY. However, the policy engine typically does not perform a full cryptographic validation of the ID token's signature every time it evaluates a condition, especially if the token is passed as a string in the evaluation request. Therefore, the best practice is as follows: The client application or the PEP (Policy Enforcement Point) must validate the ID token (ensuring it is signed by a trusted provider, has not expired, and contains the correct audience) before sending the claims to the AM policy service for evaluation. If an unvalidated or forged token is used to supply claims for a policy request, and the policy engine assumes the input is "trusted," it could result in unauthorized access. By validating the token first (Option C), the implementation ensures that only legitimate identity data is processed by the authorization logic. Option D is incorrect because the policy engine's primary role is decision-making based on presented attributes, not act as a full OIDC validation service during a REST evaluation call. Option B is a security risk as it ignores the necessity of cryptographic proof of identity.
PT-AM-CPE Exam Question 47
Consider the following LDAP connection string: DS1.example.com:389|01, DS2.example.com:389|01, DS2.example.com:389|02, DS1.example.com:389|02 This connection string can be used in: A . Identity Store B . Core Token Service C . Configuration Data Store Which of the above options are correct?
Correct Answer: B
The connection string format HOST:PORT|SERVERID|SITEID is a specific syntax used in PingAM 8.0.2 for Affinity Load Balancing, a feature almost exclusively associated with the Core Token Service (CTS). In high-volume deployments, the CTS handles thousands of session updates per second. To avoid replication lag issues-where an AM server might try to read a session token from a directory server (DS) before the update has replicated from another DS node-PingAM uses "Affinity."16 According to the "CtsDataStoreProperties" and "CTS Deployment Architectures" documentation, this specialized string allows the AM instance to prioritize connections based on the Server ID and Site ID.17 The pipe (|) characters signify the optional affinity parameters: 01/02: These represent the Server IDs of the underlying Directory Servers. Affinity Logic: By providing these IDs, PingAM can ensure that it always routes requests for the same CTS token to the same directory server node.18 While standard Identity Stores (Option A) and the Configuration Data Store (Option C) use LDAP connection strings, they typically utilize a comma-separated list of host:port pairs or rely on a hardware load balancer. The specific use of server and site IDs within the connection string itself to manage LDAP request routing is a hallmark of the CTS affinity configuration.19 The documentation explicitly states that "Each connection string is composed as follows: HOST:PORT[|SERVERID[|SITEID]]" within the context of CTS external store configuration.20 Therefore, this complex string is specifically designed for the Core Token Service to ensure data consistency and high performance in clustered environments.
PT-AM-CPE Exam Question 48
Which of the following is an incorrect statement about session upgrade outcomes?
Correct Answer: B
In PingAM 8.0.2, a Session Upgrade occurs when a user is required to authenticate at a higher security level (Auth Level). The outcomes of these upgrades depend on the session storage (server-side vs. client-side) and the parameters used. Statement B is incorrect because it claims that a new token is issued only when the current session does not meet requirements. In reality, if a request explicitly includes a parameter like ForceAuth=true or prompt=login, PingAM will force a re-authentication and issue a new session token regardless of the current session's state. According to the "Session Upgrade" and "Step-up Authentication" documentation: Statement A is correct: When ForceAuth=true is used, the AM engine ignores the existing session's Auth Level and forces the user through the tree. A new session/token is generated upon success. Statement C is correct: This describes the standard "Advice" flow (e.g., from a policy). AM creates a new session, copies existing properties from the old one, and replaces the token. Statement D is correct: In client-side sessions, since the state is in a JWT cookie, any change (like an Auth Level increase) requires the issuance of a brand-new signed JWT to replace the old one. Therefore, because PingAM allows for forced re-authentication even when requirements are met, the restrictive "only when" condition in Statement B makes it the incorrect (and thus the target) answer. This behavior is key for security scenarios where a fresh proof of presence is required regardless of previous activity.
PT-AM-CPE Exam Question 49
Which of the following steps must be configured in PingAM to implement mutual TLS using the public key infrastructure (PKI) approach? Import the trusted certificates into the trust store used by the PingAM web container. Create a secret store in the realm that maps the appropriate secret ID with the certificate alias in the trust store.18 Select tls_client_auth as the authentication method in the client profile. Select self_signed_tls_client_auth as the authentication method in the client profile.19 Provide the certificate subject distinguished name in the client profile.20 Configure a revocation check in the client profile. Register the X.509 certificate in the client profile.
Correct Answer: C
In PingAM 8.0.2, there are two distinct ways to implement Mutual TLS (mTLS) for OAuth2 client authentication: the PKI Approach (CA-signed) and the Self-Signed Approach.21 According to the documentation on "Mutual TLS using PKI": The PKI approach relies on a chain of trust. The steps required are: Step 1 (Trust): You must import the CA certificates that signed the client certificates into the truststore of the web container (Tomcat) or the AM Secret Store.22 This allows AM to verify the signature of the client's certificate during the TLS handshake. Step 2 (Mapping): You must configure a Secret Store and map the am.services.oauth2.tls.client.cert.authentication secret label to the trusted CA aliases.23 Step 3 (Authentication Method): In the OAuth2 Client Profile, you must select tls_client_auth. 24This is the specific OIDC standard string for CA-based mTLS. (In contrast, self_signed_tls_client_auth (Step 4) is used only when you trust individual certificates directly without a CA).25 Step 5 (Identity Mapping): Because multiple clients might have certificates signed by the same CA, you must provide the Subject Distinguished Name (DN) (e.g., CN=myClientApp) in the client profile. PingAM uses this to ensure that the certificate presented by the client during the handshake actually belongs to that specific Client ID. Why other steps are excluded: Step 7 (Registering the certificate) is only required for the Self-Signed approach, as the PKI approach validates against the CA. Step 6 (Revocation check) is a global provider setting or an optional enhancement, but not a fundamental "must-configure" step for the basic PKI identity mapping logic. Thus, the correct sequence for the PKI approach is 1, 2, 3, and 5, making Option C the correct answer.
PT-AM-CPE Exam Question 50
What is the purpose of the extended metadata in PingAM?
Correct Answer: D
In SAML 2.0 Federation, there is a standard XML schema (defined by OASIS) that all vendors use to describe an Identity Provider (IdP) or Service Provider (SP). This is known as "Standard Metadata." However, standard metadata does not include every configuration option required to run a sophisticated Access Management server. PingAM 8.0.2 uses Extended Metadata to store implementation-specific settings that fall outside the OASIS SAML 2.0 specification. According to the "SAML 2.0 Guide," extended metadata is stored as a separate configuration file (or JSON entry in newer versions) and includes parameters such as: Identity Store Mapping: Which attribute in the local datastore matches the SAML NameID. Session Information: How AM should handle the session lifecycle after a successful SAML assertion. Attribute Mapping: Detailed instructions on how to transform local LDAP attributes into SAML attributes (and vice versa). Authentication Trees: Which specific tree should be triggered when a request arrives at the IdP. Option D is the correct description. Option C is incorrect because extended metadata is not a standard way to communicate features; in fact, other SAML products (like ADFS or Okta) cannot read or process PingAM's extended metadata. Option A is incorrect because basic certificates/keys are usually part of the standard metadata (KeyDescriptor), and Option B is incorrect because SAML federation usually triggers authentication journeys or attribute mapping rather than a standard authorization "policy."