Consider the following LDAP connection string:
DS1.example.com:389|01, DS2.example.com:389|01, DS2.example.com:389|02, DS1.example.com:389|02
This connection string can be used in:
A. Identity Store
B. Core Token Service
C. Configuration Data Store
Which of the above options are correct?
The connection string format HOST:PORT|SERVERID|SITEID is a specific syntax used in PingAM 8.0.2 for Affinity Load Balancing, a feature almost exclusively associated with the Core Token Service (CTS). In high-volume deployments, the CTS handles thousands of session updates per second. To avoid replication-lag problems, where an AM server might try to read a session token from one directory server (DS) node before the update has replicated to it from another DS node, PingAM uses 'Affinity.'
According to the 'CtsDataStoreProperties' and 'CTS Deployment Architectures' documentation, this specialized string allows the AM instance to prioritize connections based on the Server ID and Site ID. The pipe (|) characters separate the optional affinity parameters:
01/02: These represent the Server IDs of the underlying Directory Servers.
Affinity Logic: By providing these IDs, PingAM can ensure that it always routes requests for the same CTS token to the same directory server node.
While standard Identity Stores (Option A) and the Configuration Data Store (Option C) use LDAP connection strings, they typically utilize a comma-separated list of host:port pairs or rely on a hardware load balancer. The specific use of server and site IDs within the connection string itself to manage LDAP request routing is a hallmark of the CTS affinity configuration. The documentation explicitly states that 'Each connection string is composed as follows: HOST:PORT[|SERVERID[|SITEID]]' within the context of CTS external store configuration. Therefore, this complex string is specifically designed for the Core Token Service to ensure data consistency and high performance in clustered environments.
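As an added illustration of the HOST:PORT[|SERVERID[|SITEID]] syntax (example code, not PingAM's own), the following parser validates each entry of the connection string from the question and exposes the optional affinity fields. The selection helper's rule (prefer the entries tagged with a given ID, in their listed order, and fall back to the whole list when nothing matches) is an assumption for illustration only; it is not the routing algorithm inside AM.

```javascript
// Added example (not PingAM code): parse a comma-separated list of
// HOST:PORT[|SERVERID[|SITEID]] entries and pick entries by affinity tag.

function parseConnectionStrings(value) {
  return value.split(',').map(function (raw) {
    var entry = raw.trim();
    if (!entry) throw new Error('empty connection-string entry');
    var fields = entry.split('|');
    if (fields.length > 3) throw new Error('too many "|" fields in "' + entry + '"');
    var hostPort = fields[0];
    var sep = hostPort.lastIndexOf(':');
    if (sep < 1) throw new Error('expected HOST:PORT in "' + entry + '"');
    var port = Number(hostPort.slice(sep + 1));
    if (!Number.isInteger(port) || port < 1 || port > 65535) {
      throw new Error('invalid port in "' + entry + '"');
    }
    return {
      host: hostPort.slice(0, sep),
      port: port,
      serverId: fields.length > 1 ? fields[1] : null, // optional affinity field
      siteId: fields.length > 2 ? fields[2] : null    // optional affinity field
    };
  });
}

// Assumed selection rule: entries tagged with serverId, in listed order;
// if none carry that tag, every entry remains eligible.
function entriesForServer(entries, serverId) {
  var matching = entries.filter(function (e) { return e.serverId === serverId; });
  return matching.length > 0 ? matching : entries.slice();
}

function describe(entries) {
  return entries.map(function (e) { return e.host + ':' + e.port; });
}
```

Running the parser over the string from the question yields four entries, two tagged 01 and two tagged 02; the hosts are identical, so only the tag and the listed order distinguish them.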
Which of the following code examples inserts a may_act claim to the resulting token in a PingAM implementation?
In PingAM 8.0.2, the OAuth 2.0 Token Exchange (RFC 8693) implementation allows for complex identity delegation scenarios. The may_act claim is a specific claim used to indicate that one entity is authorized to act on behalf of another. When customizing the behavior of token exchange via the OAuth2 Token Exchange Script, developers interact with specific scriptable objects provided by the PingAM engine.
According to the 'Scripting API' for OAuth2 and the 'Token Exchange' developer guide, the requestedToken object is the primary interface used to modify the structure of the token being issued during the exchange. To insert the may_act claim, the API provides the addMayAct() method.
The may_act claim is technically a JSON object that contains a sub (subject) claim of the entity that is allowed to act as the subject of the token. In the scripting environment:
The requestedToken variable represents the token currently being minted.
The .addMayAct() method is the defined function signature to append this delegation metadata.
Why the other options are incorrect:
Options A and D: The object name token is not the standard binding used for the target token in the Token Exchange script context; requestedToken is the correct binding.
Option C: The method name setMayAct is incorrect. The PingAM API uses the add prefix for these types of claims (similar to addActor), reflecting the underlying structure where these claims are added to the claim set of the JWT.
Using the correct syntax requestedToken.addMayAct(mayAct) ensures that the resulting Access Token or ID Token contains the correctly formatted delegation information required by resource servers to validate that the 'Actor' has the permission to represent the 'Subject.'
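The following added example (not the PingAM scripting API) shows the RFC 8693 delegation claims around that call: buildMayAct() produces the object a token exchange script would pass to requestedToken.addMayAct(), delegationPermitted() is the check a resource server or exchange policy runs to confirm the presented actor is the one the subject token authorised, and buildExchangedClaims() shows the issued token carrying the matching act claim. Subject and actor identifiers are constructed values.

```javascript
// Added example (not PingAM code): build and check RFC 8693 may_act / act claims.

function buildMayAct(actorSubject, qualifiers) {
  if (typeof actorSubject !== 'string' || actorSubject.length === 0) {
    throw new Error('may_act needs a non-empty "sub" identifying the authorised actor');
  }
  // Extra identifying claims (for example the actor's issuer) are permitted;
  // "sub" is always taken from the first argument.
  return Object.assign({}, qualifiers || {}, { sub: actorSubject });
}

function delegationPermitted(subjectClaims, actorClaims) {
  var mayAct = subjectClaims && subjectClaims.may_act;
  if (!mayAct || typeof mayAct !== 'object' || typeof mayAct.sub !== 'string') {
    return false; // the subject token authorises no delegation at all
  }
  // Every identifying claim named in may_act must match the actor token exactly.
  return Object.keys(mayAct).every(function (name) {
    return !!actorClaims && actorClaims[name] === mayAct[name];
  });
}

function buildExchangedClaims(subjectClaims, actorClaims, now, lifetimeSeconds) {
  if (!delegationPermitted(subjectClaims, actorClaims)) {
    throw new Error('actor is not authorised by the subject token\'s may_act claim');
  }
  // Delegated token: "sub" stays the original subject, "act" records who is acting.
  return {
    sub: subjectClaims.sub,
    act: { sub: actorClaims.sub },
    iat: now,
    exp: now + lifetimeSeconds
  };
}
```

Requiring every qualifier in may_act to match (not only sub) is what stops an actor with the same subject identifier from a different issuer from being accepted.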
In which OAuth2 grant would you find a user code?
The Device Authorization Grant (commonly referred to as the Device Flow, RFC 8628) is a specialized OAuth 2.0 grant flow supported by PingAM 8.0.2. It is designed for internet-connected devices that either lack a browser or have limited input capabilities (e.g., Smart TVs, IoT devices, or CLI tools).
In this flow, the interaction is split between the 'Device' and a 'Secondary Device' (like a smartphone or laptop) that has a full browser. The User Code is a fundamental component of this process:
Device Request: The device requests a code from PingAM.
PingAM Response: AM returns a Device Code (for the device) and a User Code (a short, human-readable string like BCDF-GHJK).
User Action: The device displays the User Code and a verification URL to the user.
Authorization: The user navigates to the URL on their smartphone, logs into PingAM, and enters the User Code.
Token Issuance: Once the user authorizes the request, the device (which has been polling AM using the Device Code) receives the Access and Refresh tokens.
The User Code is unique to the Device Flow (Option D). It is not used in the Client Credentials Grant (which is machine-to-machine), the Authorization Code Grant (which uses a redirect-based code), or the Resource Owner Password Credentials Grant (which uses direct username/password submission). In PingAM 8.0.2, administrators can configure the length, character set, and expiration time of these user codes within the OAuth2 Provider settings.
When making a request to the /oauth2/access_token endpoint using the JWT profile client authentication method, which parameter is used to provide the JWT value?
PingAM 8.0.2 supports advanced client authentication methods defined in the OpenID Connect and OAuth 2.0 specifications, including private_key_jwt and client_secret_jwt. These methods allow a client to authenticate without sending a static password/secret in the request. Instead, the client generates and signs a JSON Web Token (JWT).
According to the 'OAuth 2.0 Client Authentication' and 'JWT Profile for Client Authentication' (RFC 7523) documentation, when a client sends this JWT to the /oauth2/access_token endpoint, it must use the client_assertion parameter.
The request must also include the client_assertion_type parameter, which must be set to the constant value: urn:ietf:params:oauth:client-assertion-type:jwt-bearer.
Option A (client_credentials) is a grant type, not a parameter for providing a JWT.
Option B (client_token_value) is not a standard OAuth2 parameter name.
Option C (client_id) is often included in the request, but it is the identifier of the client, not the container for the cryptographic assertion itself.
When PingAM receives a request with a client_assertion, it extracts the JWT, verifies the signature using the client's public key (stored in the client's profile or retrieved via a JWKS URI), and validates the standard claims (iss, sub, aud, exp). This method is significantly more secure than simple secrets because it proves the client possesses the private key and limits the window for replay attacks through the token's expiration claim.
Which statements are correct about PingAM sessions?
A) When a web browser is involved, the web browser is instructed to set a cookie as the session reference.
B) When no browser is involved, PingAM returns the session reference in the JSON response.
C) PingAM can only track the session in the Core Token Service store.
D) The default session cookie name created in a web browser is iPlanetDirectoryPro.
This question explores the fundamental architecture of Session Management in PingAM 8.0.2. PingAM is designed to be highly flexible, supporting both traditional browser-based Single Sign-On (SSO) and modern API-driven interactions.
Analysis of the statements based on PingAM documentation:
Statement A is correct: For browser-based flows, PingAM uses HTTP cookies to maintain session state. Upon successful authentication, AM sends a Set-Cookie header to the browser containing the session token (the session reference).
Statement B is correct: For 'headless' or REST-based authentication (such as a mobile app or a back-end service calling /json/realms/root/authenticate), there is no browser to handle cookies automatically. In this case, PingAM returns the tokenId directly in the JSON response body, allowing the client to manage the token manually in subsequent API calls.
Statement D is correct: For historical reasons, the default value for the SSO Cookie Name in PingAM is iPlanetDirectoryPro. While administrators are encouraged to change this for security (obfuscation), it remains the default 'out-of-the-box' configuration.
Statement C is incorrect: This is the 'distractor' in the question. PingAM 8.0.2 supports multiple session storage models. While the Core Token Service (CTS) is the standard for server-side stateful sessions, AM also supports Client-side sessions (where the state is stored in a signed/encrypted JWT in the cookie itself) and In-memory sessions (primarily used for short-lived authentication journeys). Since AM is not restricted only to the CTS, Statement C is false.
Therefore, the combination of A, B, and D accurately reflects the session capabilities of PingAM 8.0.2, making Option A the correct answer.