Ping Identity PT-AM-CPE Exam - Topic 4 Question 4 Discussion

This question explores the fundamental architecture of Session Management in PingAM 8.0.2. PingAM is designed to be highly flexible, supporting both traditional browser-based Single Sign-On (SSO) and modern API-driven interactions.

Analysis of the statements based on PingAM documentation:

Statement A is correct: For browser-based flows, PingAM uses HTTP cookies to maintain session state. Upon successful authentication, AM sends a Set-Cookie header to the browser containing the session token (the session reference).

Statement B is correct: For 'headless' or REST-based authentication (such as a mobile app or a back-end service calling /json/realms/root/authenticate), there is no browser to handle cookies automatically. In this case, PingAM returns the tokenId directly in the JSON response body, allowing the client to manage the token manually in subsequent API calls.

Statement D is correct: For historical reasons, the default value for the SSO Cookie Name in PingAM is iPlanetDirectoryPro. While administrators are encouraged to change this for security (obfuscation), it remains the default 'out-of-the-box' configuration.

Statement C is incorrect: This is the 'distractor' in the question. PingAM 8.0.2 supports multiple session storage models. While the Core Token Service (CTS) is the standard for server-side stateful sessions, AM also supports Client-side sessions (where the state is stored in a signed/encrypted JWT in the cookie itself) and In-memory sessions (primarily used for short-lived authentication journeys). Since AM is not restricted only to the CTS, Statement C is false.

Therefore, the combination of A, B, and D accurately reflects the session capabilities of PingAM 8.0.2, making Option A the correct answer.