Examine the following JWT client assertion in JSON format. From the subset of claims listed below, which claim can be optional?
JSON
{
  "iss": "myClient",
  "sub": "myClient",
  "aud": "https://am.example.com/login/oauth2/access_token",
  "jti": "id012345",
  "exp": 1633363568,
  "iat": 1633356368
}
When an OAuth2 client uses Private Key JWT or Client Secret JWT for authentication at the PingAM 8.0.2 token endpoint, it must present a JWT (JSON Web Token) containing specific claims that identify and authorize the client. This is governed by the OIDC and OAuth2 JWT Profile specifications (RFC 7523).
According to the PingAM documentation on 'OAuth 2.0 Client Authentication' and the 'JWT Profile for Client Authentication':
iss (Issuer): Mandatory. This must be the client_id of the OAuth2 client.
sub (Subject): Mandatory. This must also be the client_id of the OAuth2 client (as the client is the subject of the authentication).
aud (Audience): Mandatory. This must be the URL of the PingAM OAuth2 service (the token endpoint) or the issuer URL.
exp (Expiration Time): Mandatory. This protects against the long-term use of intercepted assertions.
The jti (JWT ID) (Option A) provides a unique identifier for the token. In the context of standard JWT validation, jti is used to prevent replay attacks by ensuring that a specific token is only processed once. While highly recommended for security hardening, the PingAM 8.0.2 technical reference for OAuth2 client assertions marks jti as optional unless the server is explicitly configured to require it for replay detection. Without a jti, PingAM will still validate the iss, sub, aud, and exp claims to authenticate the client. Therefore, among the choices provided, jti is the claim that can be omitted without inherently violating the base OAuth2 JWT authentication request requirements.
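As an added illustration (not code from the page or from PingAM), the following Python validator applies the claim rules above to the assertion's claim set, treating iss, sub, aud and exp as mandatory and jti as optional, while still using jti for replay detection whenever it is present. It assumes the JWT signature has already been verified and that the caller supplies its own replay cache (a set of seen jti values); the client_id "myClient" and the timestamps are taken from the assertion shown above.

```python
import time

# Token endpoint the assertion must be addressed to (the "aud" value from the JSON above).
TOKEN_ENDPOINT = "https://am.example.com/login/oauth2/access_token"
# Claims the text marks as mandatory; "jti" is deliberately absent from this tuple.
MANDATORY_CLAIMS = ("iss", "sub", "aud", "exp")


class ClientAssertionError(ValueError):
    """Raised when the client assertion's claim set must be rejected."""


def validate_client_assertion(claims, client_id, audience=TOKEN_ENDPOINT,
                              now=None, seen_jtis=None, require_jti=False):
    """Validate the claim set of an already signature-verified client assertion.

    Returns "accepted" or "accepted-without-jti"; raises ClientAssertionError otherwise.
    seen_jtis is a caller-owned set acting as the replay cache (prune entries after exp).
    """
    now = time.time() if now is None else now
    missing = [c for c in MANDATORY_CLAIMS if c not in claims]
    if missing:
        raise ClientAssertionError(f"missing mandatory claims: {missing}")
    # iss and sub must both equal the client_id: the client authenticates itself.
    if claims["iss"] != client_id or claims["sub"] != client_id:
        raise ClientAssertionError("iss/sub do not match the client_id")
    # aud may be a string or a list; this token endpoint must be among the audiences.
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if audience not in aud:
        raise ClientAssertionError("assertion is not addressed to this token endpoint")
    if not isinstance(claims["exp"], (int, float)) or claims["exp"] <= now:
        raise ClientAssertionError("assertion has expired or exp is malformed")
    if "iat" in claims and claims["iat"] > now:  # iat is optional, but never in the future
        raise ClientAssertionError("iat lies in the future")
    jti = claims.get("jti")
    if jti is None:
        if require_jti:
            raise ClientAssertionError("server policy requires a jti for replay detection")
        return "accepted-without-jti"
    if seen_jtis is not None:
        if jti in seen_jtis:
            raise ClientAssertionError(f"replayed assertion: jti {jti!r} already used")
        seen_jtis.add(jti)
    return "accepted"


# Constructed claim set matching the assertion above; 1633360000 lies between iat and exp.
SAMPLE_CLAIMS = {"iss": "myClient", "sub": "myClient", "aud": TOKEN_ENDPOINT,
                 "jti": "id012345", "exp": 1633363568, "iat": 1633356368}
SAMPLE_NOW = 1633360000
```

Presenting the same assertion twice with the cache in place is rejected as a replay; dropping jti is still accepted unless require_jti is set.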
What should be executed to ensure a successful upgrade when PingAM requires a version upgrade?
Upgrading PingAM 8.0.2 is a complex process that involves updating binaries, modifying schemas in the configuration store, and potentially migrating scripts to the 'Next-Generation' scripting engine. To ensure that the system is not only 'running' but also 'production-ready,' a comprehensive testing phase is required.
According to the 'Post-Upgrade Tasks' and 'Best Practices for Upgrading' documentation:
A successful upgrade verification must cover two distinct categories of testing:
Functional Tests: These verify that the core features still work as intended. Can users log in? Do the authentication trees execute correctly? Are SAML assertions being generated? This ensures the 'Logic' of the identity platform is intact.
Non-Functional Tests: These are equally critical in an upgrade scenario. An upgrade can sometimes introduce performance regressions, change the way memory is utilized by the JVM, or alter the connection pool behavior to the CTS. Testing for performance, high availability (failover), security (vulnerability scanning), and monitoring ensures the system can handle production loads and meets the organization's Service Level Agreements (SLAs).
While setting version flags (Option D) might be a technical step in some internal processes, it does not 'ensure a successful upgrade' in the way that rigorous validation does. Running only functional tests (Option A) or only non-functional tests (Option C) leaves the environment vulnerable to either logic errors or system crashes. Thus, the verified best practice is to run both functional and non-functional tests (Option B) before redirecting production traffic to the upgraded instances.
If there is a need to reset a registered device over the REST API, which one of the following statements is incorrect?
In PingAM 8.0.2, device management is a critical part of the Multi-Factor Authentication (MFA) lifecycle. When a user registers a device for Push, OATH, or WebAuthn, that information is stored as a part of their identity profile. There are many scenarios where a device might need to be reset: for example, if a phone is lost, if the ForgeRock/Ping Authenticator app is reinstalled, or if an HOTP (HMAC-based One-Time Password) counter becomes desynchronized beyond the allowed window.
According to the PingAM documentation on 'Managing Devices for MFA' and the 'REST API for Device Management':
Administrator Capabilities: Administrators have the authority to manage device profiles for any user. They can list, rename, or delete (reset) device profiles using the /json/realms/root/realms/[realm]/users/[username]/devices endpoint. This is vital for helpdesk scenarios (Options B and D).
User Self-Service (The Incorrect Statement C): Statement C is technically incorrect because PingAM's REST API specifically supports self-service device management. An authenticated end-user has the permission to manage their own devices. They can call the /json/realms/root/realms/[realm]/users/[username]/devices endpoint using their own valid SSO token to delete their own registered devices. This allows organizations to build self-service portals where users can 'Unpair' a lost device without calling support (Option A).
The internal security of PingAM ensures that while a regular user can only access their own device sub-resource, an administrator with the appropriate amAdmin or Delegate Admin privileges can access the resources of all users. Therefore, the claim that only administrator accounts can use the REST API for these actions is false and contradicts the 'User Self-Service' philosophy built into the PingAM 8 API architecture.
Consider the following LDAP connection string:
DS1.example.com:389|01, DS2.example.com:389|01, DS2.example.com:389|02, DS1.example.com:389|02
This connection string can be used in:
A. Identity Store
B. Core Token Service
C. Configuration Data Store
Which of the above options are correct?
The connection string format HOST:PORT|SERVERID|SITEID is a specific syntax used in PingAM 8.0.2 for Affinity Load Balancing, a feature almost exclusively associated with the Core Token Service (CTS). In high-volume deployments, the CTS handles thousands of session updates per second. To avoid replication lag issues, where an AM server might try to read a session token from a directory server (DS) before the update has replicated from another DS node, PingAM uses 'Affinity.'
According to the 'CtsDataStoreProperties' and 'CTS Deployment Architectures' documentation, this specialized string allows the AM instance to prioritize connections based on the Server ID and Site ID. The pipe (|) characters signify the optional affinity parameters:
01/02: These represent the Server IDs of the underlying Directory Servers.
Affinity Logic: By providing these IDs, PingAM can ensure that it always routes requests for the same CTS token to the same directory server node.
While standard Identity Stores (Option A) and the Configuration Data Store (Option C) use LDAP connection strings, they typically utilize a comma-separated list of host:port pairs or rely on a hardware load balancer. The specific use of server and site IDs within the connection string itself to manage LDAP request routing is a hallmark of the CTS affinity configuration. The documentation explicitly states that 'Each connection string is composed as follows: HOST:PORT[|SERVERID[|SITEID]]' within the context of CTS external store configuration. Therefore, this complex string is specifically designed for the Core Token Service to ensure data consistency and high performance in clustered environments.
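As an added example (not PingAM code), this Python parser handles the HOST:PORT[|SERVERID[|SITEID]] grammar quoted above and rejects malformed entries; it is fed the exact connection string from the question. The ordered_for() function is only an illustration of how the qualifiers can drive per-ID ordering and is not AM's own routing algorithm.

```python
from typing import List, NamedTuple, Optional


class CtsServer(NamedTuple):
    host: str
    port: int
    server_id: Optional[str]  # affinity qualifier after the first "|", if any
    site_id: Optional[str]    # affinity qualifier after the second "|", if any


def parse_cts_connection_strings(value: str) -> List[CtsServer]:
    """Parse a comma-separated list of HOST:PORT[|SERVERID[|SITEID]] entries."""
    servers = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        parts = entry.split("|")
        if len(parts) > 3:
            raise ValueError(f"too many '|' qualifiers in {entry!r}")
        host, sep, port = parts[0].rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError(f"expected HOST:PORT in {entry!r}")
        server_id = parts[1] if len(parts) > 1 and parts[1] else None
        site_id = parts[2] if len(parts) > 2 and parts[2] else None
        servers.append(CtsServer(host, int(port), server_id, site_id))
    return servers


def ordered_for(servers: List[CtsServer], server_id: str,
                site_id: Optional[str] = None) -> List[CtsServer]:
    """Illustrative ordering (assumption, not AM's algorithm): entries qualified for this
    server/site come first, unqualified entries serve as fallback, the rest are dropped."""
    preferred, fallback = [], []
    for s in servers:
        if s.server_id is None:
            fallback.append(s)
        elif s.server_id == server_id and (s.site_id is None or s.site_id == site_id):
            preferred.append(s)
    return preferred + fallback


# The connection string from the question, plus one unqualified fallback entry we add.
CONNECTION_STRING = ("DS1.example.com:389|01, DS2.example.com:389|01, "
                     "DS2.example.com:389|02, DS1.example.com:389|02")
```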
Which of the following code examples inserts a may_act claim to the resulting token in a PingAM implementation?
In PingAM 8.0.2, the OAuth 2.0 Token Exchange (RFC 8693) implementation allows for complex identity delegation scenarios. The may_act claim is a specific claim used to indicate that one entity is authorized to act on behalf of another. When customizing the behavior of token exchange via the OAuth2 Token Exchange Script, developers interact with specific scriptable objects provided by the PingAM engine.
According to the 'Scripting API' for OAuth2 and the 'Token Exchange' developer guide, the requestedToken object is the primary interface used to modify the structure of the token being issued during the exchange. To insert the may_act claim, the API provides the addMayAct() method.
The may_act claim is technically a JSON object that contains a sub (subject) claim of the entity that is allowed to act as the subject of the token. In the scripting environment:
The requestedToken variable represents the token currently being minted.
The .addMayAct() method is the defined function signature to append this delegation metadata.
Why other options are incorrect:
Options A and D: The object name token is not the standard binding used for the target token in the Token Exchange script context; requestedToken is the correct binding.
Option C: The method name setMayAct is incorrect. The PingAM API uses the add prefix for these types of claims (similar to addActor), reflecting the underlying structure where these claims are added to the claim set of the JWT.
Using the correct syntax requestedToken.addMayAct(mayAct) ensures that the resulting Access Token or ID Token contains the correctly formatted delegation information required by resource servers to validate that the 'Actor' has the permission to represent the 'Subject.'
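The following Python function is an added example (not the PingAM script or its requestedToken binding) showing the RFC 8693 semantics the text describes from the issuing side: a token exchange is authorised only if the actor token matches the subject token's may_act object, and the issued claims then carry an act claim, nesting any earlier actor so the delegation chain is preserved. The sample subject and actor claim sets are constructed for the demonstration.

```python
import copy


class DelegationError(PermissionError):
    """Raised when the actor token is not authorised by the subject token's may_act."""


def authorize_delegation(subject_claims: dict, actor_claims: dict) -> dict:
    """Return the claim set for the exchanged token, carrying an RFC 8693 "act" claim.

    The subject token must carry a may_act object with at least "sub"; every member of
    that object must equal the corresponding claim of the actor token (a stricter reading
    than matching "sub" alone, chosen here as a hardening assumption).
    """
    may_act = subject_claims.get("may_act")
    if not isinstance(may_act, dict) or "sub" not in may_act:
        raise DelegationError("subject token carries no usable may_act claim")
    for name, expected in may_act.items():
        if actor_claims.get(name) != expected:
            raise DelegationError(f"actor's {name!r} claim does not match may_act")
    # may_act is consumed by the exchange; the subject's own identity and scope carry over,
    # and a previous act chain (if any) is nested under the new actor.
    issued = {k: copy.deepcopy(v) for k, v in subject_claims.items()
              if k not in ("may_act", "act")}
    act = {"sub": actor_claims["sub"]}
    if "act" in subject_claims:
        act["act"] = copy.deepcopy(subject_claims["act"])
    issued["act"] = act
    return issued


# Constructed sample: the subject token allows admin@example.com to act on its behalf.
SUBJECT_CLAIMS = {"sub": "user@example.com", "scope": "profile",
                  "may_act": {"sub": "admin@example.com"}}
ACTOR_CLAIMS = {"sub": "admin@example.com"}
```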