Get Ping Identity PT-AM-CPE Exam Practice Questions - Real and Updated

Answer : B

The OAuth2 May Act script type in PingAM 8.0.2 allows administrators to programmatically determine if a token exchange request (impersonation or delegation) should be allowed by adding a may_act claim to the token.

According to the 'Scripting' and 'Token Exchange Scripting API' documentation, when this script is executed, the AM engine provides a specific set of 'Bindings' or variables. These allow the script to inspect the context of the request before deciding to modify the token. The documented variables for the OAuth2 May Act script are:

clientProperties: A map of the OAuth2 client's configuration properties.

identity: The identity object for the user/subject.

logger: The logging object for debugging within the script.

requestProperties: Properties of the incoming HTTP request.

scopes: The set of scopes requested or associated with the token.

scriptName: The name of the script being executed.

session: The user's SSO session (if available).

requestedToken: This is the most important variable; it represents the token being issued. Methods like .addMayAct() or .setMayAct() are called on this specific object.

Why other options are incorrect:

Option B correctly lists the bindings.

Options A and D are incorrect because they use the variable name token. While token is a common variable name in other OAuth2 script types (like the Access Token Modification script), the Token Exchange script specifically uses requestedToken to distinguish the new token from the subject_token or actor_token provided in the request.

Option C uses scopeList, which is not the standard variable name for the scopes in this specific script context; the documentation defines it as scopes.

Answer : D

According to the PingAM 8.0.2 Upgrade Guide and best practices for high-availability environments, performing an upgrade on a multi-server cluster requires a controlled redirection of traffic. While several methods can technically stop traffic, the load balancer is the primary tool for managing availability during maintenance.

In a production environment, PingAM instances are typically situated behind a load balancer that performs health checks and distributes user requests. By disabling access from the load balancer (specifically, by draining connections or marking nodes as 'out of service'), administrators can gracefully prevent new external users from reaching the servers undergoing the upgrade. This approach is superior to shutting down the PingAM instances (Option A) immediately, as it allows existing sessions to complete their current operations or be handled by other nodes in the cluster if a 'rolling upgrade' strategy is being used.

Shutting down the PingDS instances (Option B) is dangerous, as the directory service is required by PingAM for both configuration and user data; losing the data store while the AM application is still active can lead to severe system errors and data corruption. While a firewall (Option C) can block traffic, it is generally a 'blunt instrument' that does not provide the sophisticated session management or health-probe handling that a load balancer offers. The load balancer allows for a 'Maintenance Page' to be displayed to users, providing a better user experience during the downtime. Therefore, for a professional multi-server upgrade, managing the traffic flow at the load balancer layer is the verified best practice in PingAM 8 documentation.

Answer : B

The connection string format HOST:PORT|SERVERID|SITEID is a specific syntax used in PingAM 8.0.2 for Affinity Load Balancing, a feature almost exclusively associated with the Core Token Service (CTS). In high-volume deployments, the CTS handles thousands of session updates per second. To avoid replication lag issues---where an AM server might try to read a session token from a directory server (DS) before the update has replicated from another DS node---PingAM uses 'Affinity.'16

According to the 'CtsDataStoreProperties' and 'CTS Deployment Architectures' documentation, this specialized string allows the AM instance to prioritize connections based on the Server ID and Site ID.17 The pipe (|) characters signify the optional affinity parameters:

01/02: These represent the Server IDs of the underlying Directory Servers.

Affinity Logic: By providing these IDs, PingAM can ensure that it always routes requests for the same CTS token to the same directory server node.18

While standard Identity Stores (Option A) and the Configuration Data Store (Option C) use LDAP connection strings, they typically utilize a comma-separated list of host:port pairs or rely on a hardware load balancer. The specific use of server and site IDs within the connection string itself to manage LDAP request routing is a hallmark of the CTS affinity configuration.19 The documentation explicitly states that 'Each connection string is composed as follows: HOST:PORT[|SERVERID[|SITEID]]' within the context of CTS external store configuration.20 Therefore, this complex string is specifically designed for the Core Token Service to ensure data consistency and high performance in clustered environments.

Answer : B

The Tree Designer in PingAM 8.0.2 is a visual, drag-and-drop tool used to build sophisticated login journeys. While it is highly flexible, it follows specific structural rules to ensure the authentication engine can execute the logic predictably.

Analysis of the statements:

Statement A is true: Trees must terminate in an outcome. Success and Failure nodes are standard. Additionally, the Inner Tree Evaluator node allows one tree to hand off processing to another 'child' tree.

Statement C is true: The designer is extensible. Administrators can develop their own Java or Scripted nodes, and the Ping Identity Marketplace provides a wide range of third-party nodes (e.g., for biometric providers or specialized risk engines) that appear in the designer palette once installed.

Statement D is true: 'Inner trees' are a supported concept, allowing for modularity where common logic (like MFA) can be built once and called from multiple parent trees.

Statement B is the 'not true' statement. While the designer allows for complex logic and loops (e.g., looping back to a username prompt if a password is wrong), it does not support nesting nodes within a tree. In PingAM architecture, nodes are atomic components placed on a flat canvas. You cannot 'nest' a node inside another node's configuration in the visual designer. Complexity is achieved through the branching and linking of these atomic nodes. If logic needs to be 'nested' or grouped, it is done by creating a separate tree and calling it as an Inner Tree. Understanding this structural limitation is key for architects designing modular authentication frameworks.

Answer : A

In the 'Additional Cookie Security' section of the PingAM 8.0.2 documentation, HttpOnly is described as a critical security attribute for session cookies (like iPlanetDirectoryPro). Its primary purpose is to mitigate the risk of session hijacking via Cross-Site Scripting (XSS) attacks.

When a cookie is marked with the HttpOnly flag, the browser is instructed to restrict access to that cookie. Specifically, it prevents client-side scripts---such as those written in JavaScript---from accessing the cookie through the document.cookie API. If an attacker successfully injects a malicious script into a page, the script will be unable to 'read' the session token, even though the cookie is still automatically sent by the browser with every valid HTTP request to the server.

Option B describes the Secure flag, which ensures cookies are only sent over encrypted (HTTPS) connections.

Option C is incorrect because the server must be able to read the cookie to validate the user's session.

Option D is a common misconception; the HttpOnly flag does not restrict the transport to 'HTTP-only' (non-secure) protocols; rather, it restricts the access method within the browser environment.

By default, PingAM 8.0.2 enables the HttpOnly flag for all session cookies. This is considered a best practice in modern identity management because it ensures that even if a web application has a vulnerability that allows for script injection, the user's primary authentication token remains protected from being exfiltrated by the attacker's script.