Ping Identity Certified Professional - PingAM Exam PT-AM-CPE Exam Dumps: Updated Questions & Answers (January 2026)

The Device Authorization Grant (Device Flow), defined in RFC 8628 and implemented in PingAM 8.0.2, involves a polling mechanism where the device repeatedly asks the token endpoint for an access token using the device_code it received earlier.1

According to the PingAM documentation on "Device Authorization Grant" and "OAuth 2.0 Endpoints," during the period when the user is still navigating to the verification URL and entering their user code, the device's polling requests to the /oauth2/access_token endpoint will not result in a successful token issuance. Instead, PingAM returns a400 Bad Requeststatus code.

It is important to look at the JSON response body accompanying the 400 error. The body contains an error field with the value authorization_pending.2This specific error code tells the device that the authorization request is still valid and in progress, but the user has not yet completed their part. The device should continue to poll at the interval specified in the initial response.

Other error codes like403 Forbidden(Option A) would typically indicate a permanent rejection or that the device is polling too frequently (slow_down).401 Unauthorized(Option C) is generally reserved for invalid client credentials when the client is confidential.302 Found(Option D) is a redirect, which is not used in the back-channel polling phase of the Device Flow. Therefore, while a 400 error usually suggests a client error, in the context of the Device Flow, it is the standard protocol-level response used to communicate that the token is not yet ready because the user hasn't finished authorizing.

The Core Token Service (CTS) is a high-performance persistence layer in PingAM 8.0.2 designed to store short-lived, stateful data. Unlike the Configuration Store (which holds static system settings) or the Identity Store (which holds user profiles), the CTS is optimized for "token-like" data that is frequently created, updated, and deleted.

According to the "Core Token Service (CTS) Overview" in the PingAM 8.0.2 documentation, the primary purpose of the CTS is to provide a centralized repository for:

Session Tokens: For server-side sessions, the session state is stored in the CTS.

OAuth 2.0 Tokens: This includesAccess Tokens,Refresh Tokens, andAuthorization Codes. When an OAuth2 client requests a token, AM generates it and, if configured for server-side storage, persists it in the CTS so that any node in an AM cluster can validate it.

SAML 2.0 Tokens: Used for tracking assertions and managing Single Logout (SLO) states.

UMA (User-Managed Access) Labels and Resources: Various state information for the UMA protocol.

The documentation explicitly clarifies that the CTS isnota general-purpose database.Configuration(Option A) is strictly stored in the Configuration Data Store (usually a dedicated PingDS instance).Users(Option B) are stored in an Identity Store such as Active Directory or PingDS.Kerberos tokens(Option C) are part of a challenge-response handshake that is typically handled at the protocol layer and not stored as persistent records in the CTS. Therefore,OAuth2 tokensare the definitive type of data managed by the CTS among the choices provided. Utilizing the CTS for OAuth2 tokens is a prerequisite for supporting features like token revocation and refresh token persistence across multiple AM instances in a high-availability deployment.

============

According to the PingAM 8.0.2 documentation on "OAuth 2.0 Client Authentication," clients are categorized into two types based on their ability to maintain the confidentiality of their credentials: Public and Confidential.

AConfidential Clientis defined as an application that is capable of securely storing a client_secret or a private key.1These are typically applications where the code and configuration are not exposed to the end user.Web Applications(Option D) are the classic example of confidential clients because they run on a secure back-end server.2The server-side code can store and use a secret to authenticate with PingAM's token endpoint without the risk of the secret being leaked to the user-agent or a third party.

In contrast:

Web Browsers(Option C) andJavaScript clients(Option B) are consideredPublic Clients.3Since the code runs within the user's browser, any secret embedded in the application would be visible to the user via "View Source" or developer tools.4

Desktop clients(Option A) and native mobile apps are also categorized as public clients in the OAuth2 specification (RFC 6749) because they are distributed to end-user devices.5Even if the secret is obfuscated, it can be extracted through reverse engineering or decompilation.

For confidential clients, PingAM 8.0.2 supports various authentication methods at the token endpoint, including client_secret_basic, client_secret_post, and more secure options likeMutual TLS (mTLS)orPrivate Key JWT. By correctly identifying a client as confidential, administrators can enforce these stronger authentication requirements, ensuring that the client is indeed the entity it claims to be before granting access or refresh tokens.

PingAM 8.0.2 is highly extensible through its Scripting Engine, which supports Groovy and JavaScript. However, scripts can only be applied to specific "hooks" or "extension points" defined by the platform.

According to the "Scripting" and "Script Types" reference in the PingAM 8.0.2 documentation, the standard supported script types are:

Decision node script (A): Used withinAuthentication Treesvia the "Scripted Decision Node." These scripts allow for complex logic, such as checking user attributes, calling external APIs, or evaluating risk before deciding which path a user should take in their journey.

OpenID Connect claims script (C): This script type is used to customize the claims returned in OIDC ID Tokens or at the UserInfo endpoint. It allows administrators to transform internal LDAP attributes into the specific JSON format required by OIDC clients.

Policy condition script (D): Used withinAuthorization Policies. These scripts define custom logic for granting or denying access (e.g., "Allow access only if the user is connecting from a specific IP range and it is between 9 AM and 5 PM").

Why Statement B is incorrect:There is no such thing as an "End User user interface theme script" in the PingAM scripting engine. UI customization (Themeing) in PingAM 8.0.2 is handled through theXUIframework using CSS, HTML templates, and configuration JSON files, or by building a custom UI using the Ping SDKs. It does not use the server-side Groovy/JavaScript scripting engine that governs authentication and authorization logic. Therefore, the valid script types areA, C, and D, making Option D the correct choice.

In PingAM 8.0.2, when a client needs to trigger a specific authentication path—such as a higher-level tree for step-up authentication or a specific module for transactional authorization—it must tell the /authenticate endpoint which "Index" to use.

According to the PingAM "Authenticate over REST" and "Session Upgrade" documentation, these are governed by two mandatory parameters:

authIndexType: This defines thecategoryof the authentication mechanism being requested. Valid values include service (for Authentication Trees/Chains), module (for individual modules), or level (to request any mechanism that meets a specific Auth Level).

authIndexValue: This defines thenameof the specific instance. For example, if authIndexType is service, the authIndexValue would be the name of the Authentication Tree (e.g., StepUpMFA).

For a step-up or transactional request to succeed, the client must send these two parameters. While service (Option B and D) is a commonvaluefor authIndexType, it is not a parameter name itself.ForceAuth(Option C and D) is an optional boolean used to force a fresh login even if a session exists, but it is not a requirement for the basic routing of the request to the correct tree. Therefore,authIndexTypeandauthIndexValue(Option A) are the fundamental parameters required by the AM engine to identify and initiate the intended authentication journey.7

To enforce complex authorization logic based on session duration, PingAM 8.0.2 administrators must move beyond the static "Out-of-the-Box" conditions.

Analysis of the options based on the "Policy Conditions" documentation:

Time Condition (Option A): This condition is used to restrict access based on theclock time of dayorday of the week(e.g., "Allow access only between 9 AM and 5 PM"). It does not track the elapsed time of a specific user session.

Current Session Properties (Option B): This condition checks for the presence of specific key-value pairs in a session. While a session contains a startTime property, this condition is designed for matching static values (like department=HR), not for performing mathematical time calculations.

Active Session Time (Option D): This is not a standard default condition name in the PingAM 8.0.2 policy engine.

The Correct Approach (Option C): AScripted Policy Conditionis required for this use case. Within a Policy Condition script, the administrator has access to the session object. The script can retrieve the startTime (or creationTime) of the session and compare it against the current system time (currentTime).

Example logic in the script:

var sessionStartTime = session.getProperty("startTime");

var maxDuration = 10 * 60 * 1000; // 10 minutes in milliseconds

if ((currentTime - sessionStartTime) > maxDuration) { authorized = false; }

By using a script, PingAM can dynamically calculate the age of the session at the moment of the access request and return a "Deny" decision if the 10-minute threshold has been exceeded. This provides the granular control needed for high-security environments where "session freshness" is a requirement for specific sensitive resources.

While OpenID Connect (OIDC) is built on top of OAuth2, it introduces specific endpoints for handling ID Tokens (the identity layer). In PingAM 8.0.2, when a client receives an ID Token, it is recommended to validate it locally using the provider's public keys. However, PingAM also provides a convenience endpoint for validation.

According to the "OpenID Connect 1.0 Endpoints" documentation:

/oauth2/idtokeninfo (Option A): This is the dedicated endpoint designed to receive an ID Token as a parameter.8It validates the token's signature, checks the expiration and audience, and returns the claims contained within the token in a JSON format. This is specifically used forunencryptedID tokens.

/oauth2/userinfo (Option B): This endpoint returns claims about the authenticated user but requires a validAccess Tokenin the authorization header, not an ID Token.9

/oauth2/introspect (Option C): This is a standard OAuth2 endpoint (RFC 7662) used to check the metadata and "activeness" ofAccess TokensorRefresh Tokens, not the internal identity claims of an OIDC ID Token.10

/oauth2/tokeninfo (Option D): This is a legacy/non-standard endpoint that was used in older versions for Access Token validation and is not the primary OIDC validation endpoint in version 8.0.2.11

Therefore, for the specific task of validating an ID Token and retrieving its claims,/oauth2/idtokeninfois the correct and authoritative endpoint in the PingAM 8.0.2 OIDC implementation.

In PingAM 8.0.2, Realms are the primary organizational units used to group configuration, policies, and identities.13 A common misconception is that a user is "locked" into a single realm. However, according to the "Realms" and "Identity Stores" documentation, the relationship is highly flexible.

ARealmdoes not actually "contain" users in a physical sense; instead, a realm is configured with one or moreIdentity Stores(such as an LDAP directory or a database). Multiple realms can be configured to point to the same underlying Identity Store. Therefore, if a user profile exists in an LDAP directory that is shared by "Realm A" and "Realm B," that user is effectively amember of both realms. They can authenticate to either realm and receive different policies or session properties based on the realm-specific configuration.

Key points from the documentation:

Logical Partitioning: Realms provide a way to apply different authentication logic (different trees) to the same set of users.14

Multi-tenancy: An organization can create separate realms for different departments or customer groups, even if they overlap in the back-end user database.

Identity Store Mapping: Because a realm maps to an identity store, and an identity store can be reused across realms, a user's membership is determined by where the realm is "looking" for data.

Thus,Option Ais the correct description of the architecture: a user can be a member of one or more realms depending on how the administrator has mapped the identity repositories.

Would you like me to proceed with more questions, or would you like to focus on a specific area such asOAuth2 Grant Flows?

In PingAM 8.0.2, especially when utilizing File-Based Configuration (FBC), the startup sequence relies on a "bootstrap" phase to locate the system's configuration. According to the "Installation Guide" and "Configuration Directory Structure," the primary file involved in this process is named boot.json.

The boot.json file contains the essential connection details required for the AM binaries to find and unlock the configuration store (usually PingDS). This includes the LDAP host, port, bind DN, and references to the secret stores needed to decrypt the configuration.

The location of this file is determined by theConfiguration Directorypath specified during the initial setup. By default, PingAM creates its configuration directory in the home directory of the user running the web container. The standard path structure is //. Therefore, the boot.json file is located at the root of this instance directory:<user-home>/<am-instance-dir>/boot.json.

Options A and Dare incorrect because they place the file inside a /config subdirectory; while AM has many config files in subdirectories, the boot.json sits at the root to be accessible as the first point of entry.

Option Bis incorrect because it suggests the file is stored within the Tomcat webapps folder. PingAM specifically avoids storing configuration data within the web application binaries to ensure that configuration persists even if the .war file is deleted or redeployed.

Understanding the location of boot.json is vital for DevOps engineers who need to automate the deployment of PingAM using tools like Amster or when troubleshooting a "Failed to connect to the configuration store" error during server startup.

When an OAuth2 client uses Private Key JWT or Client Secret JWT for authentication at the PingAM 8.0.2 token endpoint, it must present a JWT (JSON Web Token) containing specific claims that identify and authorize the client. This is governed by the OIDC and OAuth2 JWT Profile specifications (RFC 7523).

According to the PingAM documentation on "OAuth 2.0 Client Authentication" and the "JWT Profile for Client Authentication":

iss (Issuer): Mandatory. This must be the client_id of the OAuth2 client.

sub (Subject): Mandatory. This must also be the client_id of the OAuth2 client (as the client is the subject of the authentication).

aud (Audience): Mandatory. This must be the URL of the PingAM OAuth2 service (the token endpoint) or the issuer URL.

exp (Expiration Time): Mandatory. This protects against the long-term use of intercepted assertions.

Thejti (JWT ID)(Option A) provides a unique identifier for the token. In the context of standard JWT validation, jti is used to preventreplay attacksby ensuring that a specific token is only processed once. While highly recommended for security hardening, the PingAM 8.0.2 technical reference for OAuth2 client assertions marks jti asoptionalunless the server is explicitly configured to require it for replay detection. Without a jti, PingAM will still validate the iss, sub, aud, and exp claims to authenticate the client. Therefore, among the choices provided, jti is the claim that can be omitted without inherently violating the base OAuth2 JWT authentication request requirements.

============