Which of the following are existing script types in PingAM? A) Decision node script for authentication trees B) End User user interface theme script C) OpenID Connect claims script D) Policy condition script
Correct Answer: D
PingAM 8.0.2 is highly extensible through its Scripting Engine, which supports Groovy and JavaScript. However, scripts can only be applied to specific "hooks" or "extension points" defined by the platform. According to the "Scripting" and "Script Types" reference in the PingAM 8.0.2 documentation, the standard supported script types are: Decision node script (A): Used within Authentication Trees via the "Scripted Decision Node." These scripts allow for complex logic, such as checking user attributes, calling external APIs, or evaluating risk before deciding which path a user should take in their journey. OpenID Connect claims script (C): This script type is used to customize the claims returned in OIDC ID Tokens or at the UserInfo endpoint. It allows administrators to transform internal LDAP attributes into the specific JSON format required by OIDC clients. Policy condition script (D): Used within Authorization Policies. These scripts define custom logic for granting or denying access (e.g., "Allow access only if the user is connecting from a specific IP range and it is between 9 AM and 5 PM"). Why Statement B is incorrect: There is no such thing as an "End User user interface theme script" in the PingAM scripting engine. UI customization (Themeing) in PingAM 8.0.2 is handled through the XUI framework using CSS, HTML templates, and configuration JSON files, or by building a custom UI using the Ping SDKs. It does not use the server-side Groovy/JavaScript scripting engine that governs authentication and authorization logic. Therefore, the valid script types are A, C, and D, making Option D the correct choice.
PT-AM-CPE Exam Question 27
When defining a policy and specifying a resource pattern, which of the following statements is true concerning the difference between the wildcards * and -*-?
Correct Answer: B
When configuring Authorization Policies in PingAM 8.0.2, defining the Resource Pattern is critical for determining which URLs the policy applies to. PingAM uses specific wildcard symbols to represent dynamic parts of a URI, but they behave differently regarding directory depth. According to the PingAM documentation on "Policies and Resource Types": The * Wildcard (One-Level Wildcard): This wildcard matches characters within a single path level. It does not match forward slashes (/). For example, http://example.com/* will match http://example.com/page1 but will not match http://example.com/folder/page1. The -*- Wildcard (Multi-Level Wildcard): This wildcard is designed to match any number of characters, including forward slashes (/), effectively spanning multiple levels of a directory hierarchy. For example, http://example.com/-*- will match http://example.com/page1, http://example.com/folder/page1, and even http://example.com/deeply/nested/resource. Statement B is the correct technical distinction. Statement A is incorrect because query parameters are typically handled by specifically enabling "Query Parameter Matching" in the Resource Type configuration, rather than being a primary distinction between these two wildcards. Statement C is technically discouraged because mixing them can lead to unpredictable or overly broad matches that are difficult to debug. Statement D is incorrect because wildcards can be used in the host/port portion of the URL if the resource type is configured to support it. Understanding the difference between single-level (*) and multi-level (-*-) matching is a fundamental skill for AM policy administrators to prevent security gaps.
PT-AM-CPE Exam Question 28
Sam wants to start a service provider-initiated single sign-on and redirect to their own application, myapp.com. Which of the following URLs is the correct one to perform this action?
Correct Answer: D
In SAML 2.0 federation with PingAM 8.0.2, there are two ways to initiate SSO: IdP-Initiated (where the user starts at the Identity Provider) and SP-Initiated (where the user starts at the Service Provider).3 According to the "SAML 2.0 Guide" for PingAM: SP-Initiated SSO: The correct JSP file for an SP-initiated flow is spSSOInit.jsp. 4This script is used by an SP (in this case, PingAM acting as an SP or a "Fedlet") to generate a SAML AuthnRequest and send it to the IdP. Redirecting to the Application: In the SAML 2.0 standard, the mechanism used to preserve state (like the final destination URL) across the redirect-heavy SSO process is the RelayState parameter. When the IdP sends the SAML assertion back to the SP, it also returns the RelayState value. The SP then uses this value to redirect the user to the final application. While PingAM uses the goto parameter for internal redirects (like standard web login), RelayState is the required parameter name for SAML-related JSPs to ensure interoperability with the SAML specification. Therefore, the correct URL is .../spSSOInit.jsp combined with the RelayState parameter (Option D). Using idpSSOInit.jsp (Options A and B) would trigger an IdP-initiated flow, which is not what the question describes. Option C is incorrect because it uses the non-SAML goto parameter in a SAML initialization context.
PT-AM-CPE Exam Question 29
Which set of Directory Server stores can be enabled for affinity in a PingAM cluster configuration?
Correct Answer: D
In a high-availability PingAM 8.0.2 cluster, Affinity Load Balancing is a mechanism used to ensure that requests related to a specific session or configuration are routed to the same Directory Server (DS) instance to avoid issues with replication lag. This is particularly important for stores where data changes frequently or where consistent reads are required immediately after a write. According to the PingAM documentation on "Load Balancing" and "External Data Stores," affinity can be configured for the following primary stores: Core Token Service (CTS) Store: This is the most critical area for affinity. Since the CTS handles stateful data like session tokens and OAuth2 tokens that are updated constantly, ensuring that an AM server consistently communicates with a specific DS node (using the HOST:PORT|SERVERID|SITEID syntax) prevents "token not found" errors that might occur if a request reached a DS node before the token was replicated. Configuration Store: This store holds the central configuration for the AM deployment. In multi-server environments, affinity ensures that configuration changes are read consistently across the cluster. Identity Stores: These hold the user profiles. While often read-heavy, affinity is used here to improve caching efficiency and ensure that profile updates (like password changes or attribute updates) are reflected immediately in subsequent authentication steps within the same cluster. Policy Data Store: This stores authorization policies. Similar to configuration, affinity ensures consistent policy evaluation. Option D is the correct answer because it includes the Core Token Service, Identity Stores, Configuration Store, and Policy Data Store. The "Application Data Store" (mentioned in other options) is often logically grouped with or replaced by the Policy Data Store in many 8.0.2 configurations, but the four stores listed in Option D are the specific ones explicitly called out in the "External Data Stores" secondary configuration documentation for supporting affinity settings.
PT-AM-CPE Exam Question 30
Which of the following best describes the relationship between users and realms?
Correct Answer: A
In PingAM 8.0.2, Realms are the primary organizational units used to group configuration, policies, and identities.13 A common misconception is that a user is "locked" into a single realm. However, according to the "Realms" and "Identity Stores" documentation, the relationship is highly flexible. A Realm does not actually "contain" users in a physical sense; instead, a realm is configured with one or more Identity Stores (such as an LDAP directory or a database). Multiple realms can be configured to point to the same underlying Identity Store. Therefore, if a user profile exists in an LDAP directory that is shared by "Realm A" and "Realm B," that user is effectively a member of both realms. They can authenticate to either realm and receive different policies or session properties based on the realm-specific configuration. Key points from the documentation: Logical Partitioning: Realms provide a way to apply different authentication logic (different trees) to the same set of users.14 Multi-tenancy: An organization can create separate realms for different departments or customer groups, even if they overlap in the back-end user database. Identity Store Mapping: Because a realm maps to an identity store, and an identity store can be reused across realms, a user's membership is determined by where the realm is "looking" for data. Thus, Option A is the correct description of the architecture: a user can be a member of one or more realms depending on how the administrator has mapped the identity repositories. Would you like me to proceed with more questions, or would you like to focus on a specific area such as OAuth2 Grant Flows?