
PT-AM-CPE PDF Dumps | Mar 11, 2026 Recently Updated Questions
PT-AM-CPE Exam Questions – Valid PT-AM-CPE Dumps Pdf
NEW QUESTION # 28
Examining the following JSON object, what is a valid value for the type part (shown in bold font) of the claim value in a PingAM implementation?
JSON
JSON
"act": {
"sub": "(type!subject)"
}
- A. agent
- B. usr
- C. uid
- D. user
Answer: B
Explanation:
The JSON object structure provided refers to the Actor (act) claim used in OAuth 2.0 Token Exchange (RFC 8693) within PingAM 8.0.2. This claim is essential for scenarios involving delegation or impersonation, where one entity (the actor) is performing an action on behalf of another (the subject). In PingAM, the sub (subject) field within the act claim follows a specific internal format: (type!subject).
According to the PingAM 8.0.2 documentation regarding Token Exchange Configuration, the type part of this string is a mandatory prefix that identifies the category of the identity acting as the delegate. The documentation explicitly defines two primary valid values for this type field:
usr: This specifies that the subject is a user/identity from an identity store. For instance, if a user is acting on behalf of another user, the claim would appear as "(usr!username)".
age: This specifies that the subject is an OAuth 2.0/OpenID Connect-related agent or client. Examples include an OAuth 2.0 client, a Remote Consent Service agent, or a Web/Java Agent internal client. An example would be "(age!myClientID)".
While "user" and "agent" are the descriptive terms for these categories, the actual technical values recognized and emitted by PingAM in the claim string are the three-letter shorthand codes. Therefore, usr (Option B) is the correct valid value. Choosing "user" (Option D) would be technically incorrect in the context of the exact string format required by the AM engine. This formatting ensures that when the token is introspected or validated, the resource server can correctly parse whether the actor is a human user or a machine client.
NEW QUESTION # 29
Which one of the default PingAM audit log file contains messages related to changes made to sessions by end users?
- A. config.audit.json
- B. activity.audit.json
- C. access.audit.json
- D. authentication.audit.json
Answer: C
Explanation:
In PingAM 8.0.2, the audit logging service is designed to provide a comprehensive record of events for security, compliance, and troubleshooting. The audit logs are categorized by the type of event they record. According to the "Audit Logging Reference," PingAM generates several default log files, typically in JSON format.
The access.audit.json file is the primary log for events related to the lifecycle of a session and access to resources. This includes:
Session Creation: When a user successfully authenticates and a new session is established.
Session Termination: When a user logs out or a session expires.
Session Updates: Any changes made to the session, such as a Session Upgrade or modification of session properties by the end user or an application.
Policy Evaluations: Records of when a user requests access to a protected resource and the resulting permit or deny decision.
By contrast, the config.audit.json (Option B) records administrative changes to the system configuration (e.g., modifying a realm or a node). The authentication.audit.json (Option C) focuses specifically on the steps within an authentication tree, such as which nodes were visited and whether they succeeded or failed. While session changes happen after or as a result of authentication, the resulting session management event is logged in the access audit. The activity.audit.json (Option D) is generally used for internal system tasks and background processes. Therefore, for monitoring end-user session modifications, the access.audit.json is the correct authoritative source defined in the PingAM 8 documentation.
NEW QUESTION # 30
If there is a need to reset a registered device over the REST API, which one of the following statements is incorrect?
- A. Administrators can call the REST API to reset a device that is out of sync, where the HOTP counter exceeds the HOTP threshold window and requires a reset
- B. Administrators can provide authenticated users with a self-service page to reset their devices via the REST API
- C. Administrators can call the REST API to reset a user's device profile
- D. Only administrator accounts, not user accounts, have the ability to use the REST API for resetting a device profile
Answer: D
Explanation:
In PingAM 8.0.2, device management is a critical part of the Multi-Factor Authentication (MFA) lifecycle. When a user registers a device for Push, OATH, or WebAuthn, that information is stored as a part of their identity profile. There are many scenarios where a device might need to be reset-for example, if a phone is lost, if the ForgeRock/Ping Authenticator app is reinstalled, or if an HOTP (HMAC-based One-Time Password) counter becomes desynchronized beyond the allowed window.
According to the PingAM documentation on "Managing Devices for MFA" and the "REST API for Device Management":
Administrator Capabilities: Administrators have the authority to manage device profiles for any user. They can list, rename, or delete (reset) device profiles using the /json/realms/root/realms/[realm]/users/[username]/devices endpoint. This is vital for helpdesk scenarios (Option D and B).
User Self-Service (The Incorrect Statement C): Statement C is technically incorrect because PingAM's REST API specifically supports self-service device management. An authenticated end-user has the permission to manage their own devices. They can call the /json/realms/root/realms/[realm]/users/[username]/devices endpoint using their own valid SSO token to delete their own registered devices. This allows organizations to build self-service portals where users can "Unpair" a lost device without calling support (Option A).
The internal security of PingAM ensures that while a regular user can only access their own device sub-resource, an administrator with the appropriate amAdmin or Delegate Admin privileges can access the resources of all users. Therefore, the claim that only administrator accounts can use the REST API for these actions is false and contradicts the "User Self-Service" philosophy built into the PingAM 8 API architecture.
NEW QUESTION # 31
A customer wishes to customize the OpenID Connect (OIDC) id_token JSON Web Token (JWT) to include the subject's employee number. Which of the following scripts should be customized to meet this requirement?
- A. OIDC parameters script
- B. OIDC claims script
- C. OIDC JWT script
- D. OIDC attributes script
Answer: B
Explanation:
In PingAM 8.0.2, the OpenID Connect (OIDC) Claims Script is the specific extensibility point designed to govern how user information is mapped and transformed into claims within an OIDC ID token or the UserInfo response. While PingAM supports standard scopes like profile and email out of the box, specialized business requirements-such as including an "employee number" which might be stored as employeenumber in an LDAP directory-require a custom transformation.
According to the "OIDC Claims Script" reference in the PingAM documentation:
The script acts as a bridge between the Identity Store (the source of truth) and the OIDC Provider (the issuer). When a client requests a token, PingAM executes this script, providing it with a claimObjects map and the userProfile. The developer can then write Groovy or JavaScript logic to retrieve the employeeNumber attribute from the user's profile and add it to the resulting claims set.
The script typically follows this logical flow:
Identify the requested claims from the OIDC scope.
Fetch the corresponding raw attributes from the Identity Store (e.g., PingDS or AD).
Format and name the claim as per the OIDC specification or the specific client requirement (e.g., mapping LDAP employeenumber to OIDC claim emp_id).
Return the claims to be signed and embedded into the JWT.
Why other options are incorrect: Options A, C, and D reference script types that do not exist under those specific names in the standard PingAM 8.0.2 scripting engine. While there are "Access Token Modification" scripts and "Client Registration" scripts, the OIDC Claims Script is the only one authorized and designed to manage the payload of the id_token.
NEW QUESTION # 32
What is the purpose of the extended metadata in PingAM?
- A. It specifies the certificates and keys for the SAML2 entity
- B. It specifies additional information about a SAML2 entity specific to PingAM
- C. It is a standard way to communicate supported SAML2 features
- D. It specifies the policy to invoke during SAML2 federation
Answer: B
Explanation:
In SAML 2.0 Federation, there is a standard XML schema (defined by OASIS) that all vendors use to describe an Identity Provider (IdP) or Service Provider (SP). This is known as "Standard Metadata." However, standard metadata does not include every configuration option required to run a sophisticated Access Management server.
PingAM 8.0.2 uses Extended Metadata to store implementation-specific settings that fall outside the OASIS SAML 2.0 specification. According to the "SAML 2.0 Guide," extended metadata is stored as a separate configuration file (or JSON entry in newer versions) and includes parameters such as:
Identity Store Mapping: Which attribute in the local datastore matches the SAML NameID.
Session Information: How AM should handle the session lifecycle after a successful SAML assertion.
Attribute Mapping: Detailed instructions on how to transform local LDAP attributes into SAML attributes (and vice versa).
Authentication Trees: Which specific tree should be triggered when a request arrives at the IdP.
Option D is the correct description. Option C is incorrect because extended metadata is not a standard way to communicate features; in fact, other SAML products (like ADFS or Okta) cannot read or process PingAM's extended metadata. Option A is incorrect because basic certificates/keys are usually part of the standard metadata (KeyDescriptor), and Option B is incorrect because SAML federation usually triggers authentication journeys or attribute mapping rather than a standard authorization "policy."
NEW QUESTION # 33
The OAuth2 authorize endpoint supports the CSRF parameter. What is CSRF?
- A. Cross System Rest Federation
- B. Cross Script Response Feature
- C. Cross Site Request Forgery
- D. Cross Site Request Forgery
Answer: C
Explanation:
CSRF stands for Cross-Site Request Forgery.8 It is a common web security vulnerability where an attacker tricks a victim's browser into performing an unwanted action on a different website where the victim is currently authenticated.9 In the context of PingAM 8.0.2 and the OAuth 2.0 /authorize endpoint, CSRF protection is vital.10 If an attacker can forge an authorization request, they might be able to inject their own authorization code into a victim's session or link a victim's account to an attacker-controlled client.
To mitigate this, the OAuth 2.0 protocol uses a parameter (often named state in the RFC, but referred to in PingAM's security configuration and logging as a CSRF-related check) to ensure that the request returning to the client is the same one that the client initiated.11 PingAM's "Security Considerations" documentation explains that the server enforces Cross-Site Request Forgery protection by verifying that requests originate from trusted sources and include unpredictable tokens that an external malicious site could not guess or recreate.12 In AM 8.0.2, you can configure the "CSRF Protection Filter" which can be applied to various endpoints to prevent unauthorized state-changing commands.13 This is particularly important for the administration UI and the authentication endpoints where a user's session is active. Understanding that CSRF stands for Cross-Site Request Forgery is a fundamental requirement for any security professional working with identity protocols and PingAM hardening.
NEW QUESTION # 34
After installing a PingAM instance with the configuration directory path set to /home/forgerock/am, where is the default directory that contains the debug log files?
- A. /home/forgerock/am/logs
- B. /home/forgerock/am/debug
- C. /home/forgerock/am/var/logs
- D. /home/forgerock/am/var/debug
Answer: B
Explanation:
When PingAM is installed, it creates a specific directory structure within its Configuration Directory (also known as the AM_HOME or .openamcfg pointer target). This structure is standardized across versions to ensure that administrators and automated scripts can locate critical files.
According to the PingAM 8.0.2 "File System Reference" and "Debug Logging" documentation:
The primary directory for engine-level troubleshooting files (debug logs) is named debug.17 This directory is located immediately within the root of the configuration directory. Therefore, if the configuration path is explicitly set to /home/forgerock/am, the resulting path for debug files will be /home/forgerock/am/debug (Option D).
It is important to distinguish between Audit Logs and Debug Logs:
Audit Logs: (e.g., access.audit.json) are usually found in the .../openam/log or .../openam/logs directory (making Option A a common distractor).
Debug Logs: (e.g., amAuth, amSession, amCore) are strictly stored in the debug directory.
The var directory (Options B and C) is a convention used in some ForgeRock "ForgeOps" containerized deployments (like those in Kubernetes) to separate variable data from static config. However, in a standard standalone installation as described in the question, the direct .../debug path is the verified default behavior of the PingAM installation wizard and configurator tool.
NEW QUESTION # 35
Which of the following best represents the information that is typically contained in the debug output?
- A. The component that created the debug entry, A header with the time and date, The debug level, A general message, Optional stack trace
- B. The component that created the debug entry, A header with the time and date, The running thread ID, The debug level, A general message, Optional stack trace
- C. The component that created the debug entry, A header with the time and date, The running thread ID, A general message, Optional stack trace
- D. A header with the time and date, The running thread ID, The debug level, A general message, Optional stack trace
Answer: B
Explanation:
In PingAM 8.0.2, troubleshooting complex issues often requires moving beyond audit logs to Debug Logs. These logs capture the internal operations of the AM engine and its various components (e.g., Authentication, Core Token Service, Session Management).7 According to the "Debug Logging" section of the PingAM 8.0.2 Maintenance Guide, the standard format for a debug log entry is designed to provide maximum context for support engineers and developers. A typical entry includes:
Time and Date Header: Precise timestamp of when the event occurred.
The Component (Category): Identifies which part of the code issued the message (e.g., amAuth, amSession, amOAuth2).
The Debug Level: Indicates the verbosity/severity, such as ERROR, WARNING, INFO, MESSAGE, or OFF.
The Thread ID: Crucial for multi-threaded environments like Tomcat, allowing administrators to trace a single user's request across multiple log entries.
The Message: A descriptive string explaining the internal operation or the error encountered.
Stack Trace: If the entry is recording an exception, a full Java stack trace is optionally included to pinpoint the exact line of code where the failure occurred.
Option A is the most complete and accurate representation of this structured output. Options B, C, and D are incorrect because they omit essential troubleshooting fields like the Thread ID or the Component name, which are necessary for correlating logs in a high-concurrency production environment. Understanding this structure is fundamental for any administrator using tools like ssoadm or the REST API to capture and analyze troubleshooting information.
NEW QUESTION # 36
In a default PingAM configuration, what type of keystore stores the secret ID named storepass, which contains the encrypted password of the default-keystore secret store?
- A. Hardware Security Module secret store
- B. Environment and system property secret store
- C. Keystore secret store
- D. Filesystem secret store
Answer: D
Explanation:
In PingAM 8.0.2, the management of sensitive data such as passwords and cryptographic keys is handled through a unified Secret Store framework. This framework abstracts the source of the secret from the component that consumes it using Secret IDs. One of the most critical secret IDs in a standard installation is storepass.
The storepass secret ID is specifically used by the default-keystore (which is typically a "Keystore secret store" pointing to keystore.jks or keystore.p12). Before AM can access the keys within the default-keystore to sign tokens or encrypt data, it must first unlock the keystore itself using the password mapped to the storepass secret ID.
According to the PingAM "Secrets, certificates, and keys" documentation, in a default file-based configuration, PingAM initializes a Filesystem secret store as its primary global store. This store is configured to look into a specific directory within the AM configuration path (usually .../openam/secrets/). Inside this directory, AM expects to find files named after the secret IDs they contain. For the storepass ID, there is typically a corresponding file (such as storepass or .storepass) containing the cleartext or encrypted password required to open the primary keystore.
While AM can be configured to use an Environment and system property secret store (Option B) for high-portability cloud deployments, the "out-of-the-box" default behavior during a standard installation relies on the filesystem. Option A is incorrect because the storepass is the key to the keystore, not a secret inside it, and Option D refers to specialized hardware integrations not used in a default software-only setup. Therefore, the Filesystem secret store is the correct technical answer for the default location of the storepass.
NEW QUESTION # 37
Which of the following parameters must be provided by the edge client when requesting step-up authentication or transactional authorization?
- A. authIndexType and authIndexValue
- B. service, authIndexType, and authIndexValue
- C. service and ForceAuth
- D. ForceAuth, authIndexType, and authIndexValue
Answer: A
Explanation:
In PingAM 8.0.2, when a client needs to trigger a specific authentication path-such as a higher-level tree for step-up authentication or a specific module for transactional authorization-it must tell the /authenticate endpoint which "Index" to use.
According to the PingAM "Authenticate over REST" and "Session Upgrade" documentation, these are governed by two mandatory parameters:
authIndexType: This defines the category of the authentication mechanism being requested. Valid values include service (for Authentication Trees/Chains), module (for individual modules), or level (to request any mechanism that meets a specific Auth Level).
authIndexValue: This defines the name of the specific instance. For example, if authIndexType is service, the authIndexValue would be the name of the Authentication Tree (e.g., StepUpMFA).
For a step-up or transactional request to succeed, the client must send these two parameters. While service (Option B and D) is a common value for authIndexType, it is not a parameter name itself. ForceAuth (Option C and D) is an optional boolean used to force a fresh login even if a session exists, but it is not a requirement for the basic routing of the request to the correct tree. Therefore, authIndexType and authIndexValue (Option A) are the fundamental parameters required by the AM engine to identify and initiate the intended authentication journey.7
NEW QUESTION # 38
Which of the following statements about the PingAM tree designer is not true?
- A. The PingAM tree designer is able to display custom and Ping Identity Marketplace nodes to use together with shipped nodes
- B. The PingAM tree designer lets you terminate the tree with a success node, a failure node, or a node linking to another authentication tree
- C. The PingAM tree designer lets you integrate inner trees in the authentication flow
- D. The PingAM tree designer lets you create complex authentication by linking nodes together, creating loops, and nesting nodes within a tree
Answer: D
Explanation:
The Tree Designer in PingAM 8.0.2 is a visual, drag-and-drop tool used to build sophisticated login journeys. While it is highly flexible, it follows specific structural rules to ensure the authentication engine can execute the logic predictably.
Analysis of the statements:
Statement A is true: Trees must terminate in an outcome. Success and Failure nodes are standard. Additionally, the Inner Tree Evaluator node allows one tree to hand off processing to another "child" tree.
Statement C is true: The designer is extensible. Administrators can develop their own Java or Scripted nodes, and the Ping Identity Marketplace provides a wide range of third-party nodes (e.g., for biometric providers or specialized risk engines) that appear in the designer palette once installed.
Statement D is true: "Inner trees" are a supported concept, allowing for modularity where common logic (like MFA) can be built once and called from multiple parent trees.
Statement B is the "not true" statement. While the designer allows for complex logic and loops (e.g., looping back to a username prompt if a password is wrong), it does not support nesting nodes within a tree. In PingAM architecture, nodes are atomic components placed on a flat canvas. You cannot "nest" a node inside another node's configuration in the visual designer. Complexity is achieved through the branching and linking of these atomic nodes. If logic needs to be "nested" or grouped, it is done by creating a separate tree and calling it as an Inner Tree. Understanding this structural limitation is key for architects designing modular authentication frameworks.
NEW QUESTION # 39
To ensure the user's full name is displayed on the consent screen for an OpenID Connect application, which string should be added into the Support Claims property on the OpenID Connect tab page of the OAuth2 Provider service in PingAM?
- A. name|en|Full name
- B. name|en|given_name+' '+family_name
- C. full_name|Full name
- D. Full name|en|name
Answer: A
Explanation:
When a client requests an OpenID Connect (OIDC) scope (like profile), PingAM 8.0.2 may present a Consent Screen to the user, asking permission to share specific claims. To make this screen user-friendly, PingAM allows administrators to map technical claim names to human-readable labels and specify localizations.
According to the PingAM documentation on "Supported Claims" in the OAuth2/OIDC Provider settings:
The format for the Supported Claims property entry is:
ClaimName|Locale|DisplayName
In this syntax:
ClaimName: The technical OIDC claim (e.g., name, email, given_name).
Locale: The ISO language code (e.g., en, fr).
DisplayName: The text that will actually appear on the UI (the "Full name" label).
Therefore, the string name|en|Full name (Option A) is the correct configuration.
Option B is incorrect because it reverses the technical name and the display name.
Option C is incorrect as it lacks the required locale component and uses full_name (which is not the standard OIDC claim name; the standard is name).
Option D attempts to perform a logic operation (+) within a configuration field where only static mapping strings are allowed. Claim composition (concatenating first and last names) is handled by the OIDC Claims Script, not by the Supported Claims UI property.
NEW QUESTION # 40
What are the possible outcomes of the Push Result Verifier node?
- A. Success, Failure, Waiting, Retry
- B. Success, Failure, Expired, Retry
- C. Success, Failure, Expired, Waiting, Retry
- D. Success, Failure, Expired, Waiting
Answer: D
Explanation:
The Push Result Verifier node is a core component of the "MFA: Push Authentication" journey in PingAM 8.0.2. Its primary function is to check the status of a push notification that was previously dispatched to a user's mobile device (usually via the Push Sender node).22 According to the "Authentication Node Reference" for version 8.0.2, the node evaluates the state of the push request and yields exactly four distinct outcomes:
Success: This path is followed if the user has actively approved the push notification on their registered device using the ForgeRock/Ping Authenticator app.
Failure: This path is taken if the user explicitly denies or rejects the push notification on their device, indicating a potential unauthorized login attempt.
Expired: This outcome occurs if the notification reaches its "Message Timeout" limit (defined in the Push Sender node) without any response from the user.23 In standard trees, this path often loops back to allow the user to try a different MFA method or resend the push.
Waiting: This outcome is triggered if a response has not yet been received but the timeout has not yet been reached. This is used in conjunction with a Push Wait or Polling mechanism to create a "check-and-loop" logic until a final result (Success, Failure, or Expired) is determined.
The Retry outcome (mentioned in other options) is notably absent from this specific node's metadata. While a "Retry" might be implemented in the overall tree logic (for example, by using a Retry Limit Decision node after an Expired outcome), the Push Result Verifier node itself only reports the state of the specific push transaction it is tracking. Understanding these four discrete states is vital for designing resilient authentication journeys that handle user delays or network issues gracefully.
NEW QUESTION # 41
Which OAuth2 flow is most appropriate to support the use case of a client application implemented in a browser using a scripted language such as JavaScript?
- A. Resource owner grant flow
- B. Authorization code grant flow with PKCE
- C. Client credentials grant flow
- D. Implicit grant flow
Answer: B
Explanation:
In PingAM 8.0.2, the recommended and most secure flow for "Public Clients"-such as Single Page Applications (SPAs) written in JavaScript-is the Authorization Code Grant Flow with PKCE (Proof Key for Code Exchange).
Historically, the Implicit Grant Flow (Option B) was used for browser-based apps because they could not securely store a client_secret. However, the Implicit flow is now considered legacy and insecure due to the risk of access token leakage in the browser history or via referrer headers. The Resource Owner Password Credentials Grant (Option C) is also discouraged as it requires the application to handle user credentials directly, violating the core principle of delegated authorization. Client Credentials (Option D) is reserved strictly for machine-to-machine communication where no user is involved.
The Authorization Code Grant with PKCE addresses the security limitations of public clients by replacing the static client_secret with a dynamically generated "code verifier" and "code challenge." The process works as follows:
Challenge Generation: The JavaScript app creates a cryptographically strong random string (Verifier) and transforms it (Challenge).
Authorization Request: The app sends the challenge to PingAM.21
Code Exchange: After user login, AM returns an authorization code. The app then sends the code and the original verifier to the token endpoint.
Verification: AM verifies that the verifier matches the initial challenge before issuing the Access Token.
This flow ensures that even if an attacker intercepts the authorization code, they cannot exchange it for a token without the original verifier, which never left the browser's execution context. PingAM 8.0.2 fully supports this flow and provides specific configuration options in the OAuth2 Provider settings to enforce PKCE for all public clients.
NEW QUESTION # 42
Which statements are correct about PingAM sessions?
A) When a web browser is involved, the web browser is instructed to set a cookie as the session reference.
B) When no browser is involved, PingAM returns the session reference in the JSON response.
C) PingAM can only track the session in the Core Token Service store.
D) The default session cookie name created in a web browser is iPlanetDirectoryPro.
- A. A, B, and D only
- B. A, B, and C only
- C. A, C, and D only
- D. A and B only
Answer: A
Explanation:
This question explores the fundamental architecture of Session Management in PingAM 8.0.2. PingAM is designed to be highly flexible, supporting both traditional browser-based Single Sign-On (SSO) and modern API-driven interactions.
Analysis of the statements based on PingAM documentation:
Statement A is correct: For browser-based flows, PingAM uses HTTP cookies to maintain session state. Upon successful authentication, AM sends a Set-Cookie header to the browser containing the session token (the session reference).
Statement B is correct: For "headless" or REST-based authentication (such as a mobile app or a back-end service calling /json/realms/root/authenticate), there is no browser to handle cookies automatically. In this case, PingAM returns the tokenId directly in the JSON response body, allowing the client to manage the token manually in subsequent API calls.
Statement D is correct: For historical reasons, the default value for the SSO Cookie Name in PingAM is iPlanetDirectoryPro. While administrators are encouraged to change this for security (obfuscation), it remains the default "out-of-the-box" configuration.
Statement C is incorrect: This is the "distractor" in the question. PingAM 8.0.2 supports multiple session storage models. While the Core Token Service (CTS) is the standard for server-side stateful sessions, AM also supports Client-side sessions (where the state is stored in a signed/encrypted JWT in the cookie itself) and In-memory sessions (primarily used for short-lived authentication journeys). Since AM is not restricted only to the CTS, Statement C is false.
Therefore, the combination of A, B, and D accurately reflects the session capabilities of PingAM 8.0.2, making Option A the correct answer.
NEW QUESTION # 43
A SAML2 identity provider (IdP) is configured in a subrealm. Which of the following URLs can be used to export the IdP metadata?
- A. http://myserver.domain.com:8080/openam/saml2/jsp/exportmetadata.jsp?entityid=http://myserver.domain.com:8080/openam&realm=/idprealm
- B. http://myserver.domain.com:8080/openam/saml2/jsp/exportmetadata.jsp?idp=http://myserver.domain.com:8080/openam&realm=/idprealm
- C. It cannot be exported via a JSP, and the Amster tool has to be used
- D. http://myserver.domain.com:8080/openam/saml2/jsp/exportmetadata.jsp
Answer: A
Explanation:
To facilitate federation between a SAML2 Identity Provider (IdP) and a Service Provider (SP), metadata must be exchanged. PingAM 8.0.2 provides a built-in utility page, exportmetadata.jsp, specifically for this purpose.
When an IdP is configured within a subrealm (rather than the Top Level Realm), the metadata export URL must be qualified with specific query parameters to ensure the correct entity configuration is retrieved. According to the "SAML 2.0 Reference" and "Exporting SAML 2.0 Metadata" documentation:
entityid: This parameter is mandatory when there are multiple entities configured. It specifies the unique URI of the IdP (e.g., http://myserver.domain.com:8080/openam). This tells the JSP which specific provider's metadata to generate.
realm: This parameter is crucial for subrealm deployments. By default, the JSP looks in the root realm (/). If the IdP resides in a subrealm named /idprealm, the URL must explicitly include &realm=/idprealm.
Option D is the correct technical string. Option B is incorrect as it lacks parameters and would only attempt to export default root-level metadata. Option C is incorrect because the parameter name is entityid, not idp. While Amster (Option A) can indeed be used to export configuration, the exportmetadata.jsp remains the standard and most common method for generating the XML-formatted metadata required by external partners.
NEW QUESTION # 44
What is session denylisting used for?
- A. Keeping track of logged out sessions
- B. Keeping track of restricted sessions
- C. Keeping track of absolute session timeouts
- D. Keeping track of session inactivity
Answer: A
Explanation:
Session Denylisting is a critical security feature in PingAM 8.0.2, primarily used when a realm is configured for client-side sessions.9 In a client-side session model, the session state is stored in a signed and encrypted JWT within the user's browser cookie rather than in the server's memory or the Core Token Service (CTS).10 Because the server does not "own" the session state, a logout event typically only involves deleting the cookie from the browser. However, if a malicious actor had previously copied that cookie, they could still use it until it naturally expires.
To solve this, PingAM uses Session Denylisting to keep track of logged out sessions.11 When a user logs out, or when a session is invalidated (e.g., during a session upgrade or administrative action), AM records the session identifier in a denylist stored within the Core Token Service (CTS).12 For every subsequent request, AM checks the incoming client-side session token against this denylist.13 If the session ID is found in the denylist, AM rejects the token as invalid, even if the cryptographic signature is correct and the expiration time has not passed.
The documentation emphasizes that this feature is essential for "tracking session logouts across multiple AM servers" in a cluster. Without denylisting, there would be no way to perform a "global logout" for client-side sessions that is immediately effective across all nodes.14 Administrators can configure properties such as the Denylist Purge Delay (to account for clock skew) and the Denylist Poll Interval (to balance security speed with system performance).15 By effectively managing the lifecycle of revoked tokens, session denylisting ensures that a logout is a cryptographically and operationally certain event.
NEW QUESTION # 45
Which statements are correct about push notification authentication implemented with PingAM?
A . The user must have a device with a camera and install the Authenticator app.
B . The registration and authentication steps must be part of the same authentication tree.
C . To register a device the user scans a barcode with the Authenticator installed on their device.1 D . During subsequent authentication processes, PingAM instructs the push server to send a notification to the registered device, and waits for the user to use the Authenticator app to approve the request.2 Options:
- A. A and D only
- B. B, C, and D only
- C. A, B, and C only
- D. A and B only
Answer: A
Explanation:
Push authentication in PingAM 8.0.2 utilizes the ForgeRock/Ping Authenticator app to provide a seamless, out-of-band multi-factor authentication (MFA) experience.3 To understand the correct statements, we must look at the technical requirements and the authentication lifecycle defined in the "MFA: Push Authentication" documentation.
Statement A is correct: For the initial setup, a device with a camera is required because the registration process involves scanning a QR code generated by PingAM. Additionally, the user must install the specific Authenticator app (available for iOS and Android) to handle the cryptographic exchange and receive push notifications.4 Statement D is correct: This accurately describes the runtime flow of a push journey. When a user reaches a Push Sender node, PingAM communicates with the Push Notification Service (Apple APNs or Google FCM).5 The user's device receives the notification, and PingAM enters a "waiting" state (via the Push Result Verifier node) until the user either approves or denies the request within the app.6 Why other statements are incorrect:
Statement B is incorrect because registration and authentication are typically handled by separate trees. Best practice dictates a "Device Registration" tree for the initial onboarding and a "Login/MFA" tree for day-to-day access. Forcing them into the same tree would be inefficient and create a poor user experience.
Statement C is a common point of confusion; while the user scans a code, the documentation refers to it as a QR code, not a standard barcode. In technical certification contexts, this distinction is often strictly enforced.
Therefore, only statements A and D represent the verified facts of the Push implementation in version 8.0.2, making Option C the correct answer.
NEW QUESTION # 46
A user enters their credentials, but is faced with the error message "user requires profile to login". What is a possible cause of this message?
- A. Policies have not been defined to allow a user to access their profile page
- B. The realm has not been set to user profile ignore mode
- C. The user has not entered the correct credentials
- D. The user has not filled in the required information in their profile
Answer: B
Explanation:
This error message is directly related to the User Profile configuration within a specific realm in PingAM 8.0.2. In the "Core Authentication Attributes" of a realm, PingAM defines how it should handle user identities after they have successfully provided valid credentials through an authentication tree or chain.
There are primarily four modes for the User Profile setting:
Required: This is often the default. It specifies that after a user successfully authenticates, PingAM must be able to locate a corresponding user entry in the configured Identity Store. If the user exists in the datastore, the session is created. If the user does not exist, authentication fails with the error message "user requires profile to login" (or a similar profile-related exception in the logs).
Ignored: In this mode, PingAM issues an SSO session token immediately upon successful credential validation, regardless of whether a user profile exists in the back-end repository. This is useful for temporary or guest access where no permanent record is needed.
Dynamic: AM attempts to find the user; if the user is not found, it automatically creates a new profile in the identity store.
Dynamic with User Alias: Similar to dynamic creation but supports aliasing.
If an administrator sees the "user requires profile to login" error, it confirms that the credentials themselves were technically correct (the user passed the authentication nodes), but the realm is currently in Required mode (it has not been set to Ignore or Dynamic) and no matching entry exists in the identity store. This frequently happens in migration scenarios or when using external identity providers (like Social IDPs) where the "Link" or "Provisioning" step has not been properly configured in the authentication journey. To resolve this, the administrator must either pre-provision the user, set the mode to Ignore, or implement a Create Object node within the authentication tree to handle dynamic provisioning.
NEW QUESTION # 47
In PingAM, which OpenID Connect endpoint can be used to validate an unencrypted ID token?
- A. /oauth2/userinfo
- B. /oauth2/idtokeninfo
- C. /oauth2/introspect
- D. /oauth2/tokeninfo
Answer: B
Explanation:
While OpenID Connect (OIDC) is built on top of OAuth2, it introduces specific endpoints for handling ID Tokens (the identity layer). In PingAM 8.0.2, when a client receives an ID Token, it is recommended to validate it locally using the provider's public keys. However, PingAM also provides a convenience endpoint for validation.
According to the "OpenID Connect 1.0 Endpoints" documentation:
/oauth2/idtokeninfo (Option A): This is the dedicated endpoint designed to receive an ID Token as a parameter.8 It validates the token's signature, checks the expiration and audience, and returns the claims contained within the token in a JSON format. This is specifically used for unencrypted ID tokens.
/oauth2/userinfo (Option B): This endpoint returns claims about the authenticated user but requires a valid Access Token in the authorization header, not an ID Token.9
/oauth2/introspect (Option C): This is a standard OAuth2 endpoint (RFC 7662) used to check the metadata and "activeness" of Access Tokens or Refresh Tokens, not the internal identity claims of an OIDC ID Token.10
/oauth2/tokeninfo (Option D): This is a legacy/non-standard endpoint that was used in older versions for Access Token validation and is not the primary OIDC validation endpoint in version 8.0.2.11 Therefore, for the specific task of validating an ID Token and retrieving its claims, /oauth2/idtokeninfo is the correct and authoritative endpoint in the PingAM 8.0.2 OIDC implementation.
NEW QUESTION # 48
When defining a policy and specifying a resource pattern, which of the following statements is true concerning the difference between the wildcards * and -*-?
- A. Neither the * wildcard nor the -*- wildcard can be used to match the port number
- B. The wildcard * and the wildcard -*- can be mixed liberally within the same pattern
- C. The wildcard * will match query parameters, whereas -*- will not match query parameters.
- D. The wildcard * will match multiple levels in a path, whereas -*- will match only a single level
Answer: D
Explanation:
When configuring Authorization Policies in PingAM 8.0.2, defining the Resource Pattern is critical for determining which URLs the policy applies to. PingAM uses specific wildcard symbols to represent dynamic parts of a URI, but they behave differently regarding directory depth.
According to the PingAM documentation on "Policies and Resource Types":
The * Wildcard (One-Level Wildcard): This wildcard matches characters within a single path level. It does not match forward slashes (/). For example, http://example.com/* will match http://example.com/page1 but will not match http://example.com/folder/page1.
The -*- Wildcard (Multi-Level Wildcard): This wildcard is designed to match any number of characters, including forward slashes (/), effectively spanning multiple levels of a directory hierarchy. For example, http://example.com/-*- will match http://example.com/page1, http://example.com/folder/page1, and even http://example.com/deeply/nested/resource.
Statement B is the correct technical distinction. Statement A is incorrect because query parameters are typically handled by specifically enabling "Query Parameter Matching" in the Resource Type configuration, rather than being a primary distinction between these two wildcards. Statement C is technically discouraged because mixing them can lead to unpredictable or overly broad matches that are difficult to debug. Statement D is incorrect because wildcards can be used in the host/port portion of the URL if the resource type is configured to support it. Understanding the difference between single-level (*) and multi-level (-*-) matching is a fundamental skill for AM policy administrators to prevent security gaps.
NEW QUESTION # 49
......
PT-AM-CPE dumps Sure Practice with 102 Questions: https://www.exam4docs.com/PT-AM-CPE-study-questions.html
PT-AM-CPE Practice Test Questions Answers Updated 102 Questions: https://drive.google.com/open?id=1FVklFWMJfK-HhQVvOg7SxbEvyxF9faOA

