Free Ping Identity PT-AM-CPE Exam Dumps June 2026

The Authentication Context Class Reference (acr) is a standard parameter in OpenID Connect (OIDC) used by a client (Relying Party) to request a specific level or method of authentication from the OpenID Provider (PingAM 8.0.2).

According to the 'OpenID Connect 1.0' and 'OAuth2 Provider Service' documentation in PingAM, there is a specific configuration mapping for ACR to Authentication Tree. In the AM console, under the OAuth2 Provider > OpenID Connect tab, administrators define a list of mappings. Each entry consists of an ACR string (e.g., urn:mace:incommon:iap:silver or simply MFA) and its corresponding Authentication Tree name.

When an OIDC client sends a request to the /authorize endpoint containing the acr_values parameter, PingAM performs a lookup:

It checks the incoming acr_values against the configured map.

If a match is found, PingAM ignores the default realm authentication configuration and initiates the Authentication Tree mapped to that specific ACR value.

Upon successful completion, the resulting ID Token will contain the acr claim with the requested value, confirming to the client that the specific journey was completed.

This mechanism allows developers to programmatically request 'Step-up' or 'Social Login' or 'MFA' specifically from their application code by leveraging OIDC standard parameters. While ACR values are often related to Authentication Levels (Option D) conceptually, in PingAM's internal architecture, they are directly used to select and trigger a specific Authentication Tree (Option A).

In PingAM 8.0.2, the OpenID Connect (OIDC) Claims Script is the specific extensibility point designed to govern how user information is mapped and transformed into claims within an OIDC ID token or the UserInfo response. While PingAM supports standard scopes like profile and email out of the box, specialized business requirements---such as including an 'employee number' which might be stored as employeenumber in an LDAP directory---require a custom transformation.

According to the 'OIDC Claims Script' reference in the PingAM documentation:

The script acts as a bridge between the Identity Store (the source of truth) and the OIDC Provider (the issuer). When a client requests a token, PingAM executes this script, providing it with a claimObjects map and the userProfile. The developer can then write Groovy or JavaScript logic to retrieve the employeeNumber attribute from the user's profile and add it to the resulting claims set.

The script typically follows this logical flow:

Identify the requested claims from the OIDC scope.

Fetch the corresponding raw attributes from the Identity Store (e.g., PingDS or AD).

Format and name the claim as per the OIDC specification or the specific client requirement (e.g., mapping LDAP employeenumber to OIDC claim emp_id).

Return the claims to be signed and embedded into the JWT.

Why other options are incorrect: Options A, C, and D reference script types that do not exist under those specific names in the standard PingAM 8.0.2 scripting engine. While there are 'Access Token Modification' scripts and 'Client Registration' scripts, the OIDC Claims Script is the only one authorized and designed to manage the payload of the id_token.

In SAML 2.0 Federation, there is a standard XML schema (defined by OASIS) that all vendors use to describe an Identity Provider (IdP) or Service Provider (SP). This is known as 'Standard Metadata.' However, standard metadata does not include every configuration option required to run a sophisticated Access Management server.

PingAM 8.0.2 uses Extended Metadata to store implementation-specific settings that fall outside the OASIS SAML 2.0 specification. According to the 'SAML 2.0 Guide,' extended metadata is stored as a separate configuration file (or JSON entry in newer versions) and includes parameters such as:

Identity Store Mapping: Which attribute in the local datastore matches the SAML NameID.

Session Information: How AM should handle the session lifecycle after a successful SAML assertion.

Attribute Mapping: Detailed instructions on how to transform local LDAP attributes into SAML attributes (and vice versa).

Authentication Trees: Which specific tree should be triggered when a request arrives at the IdP.

Option D is the correct description. Option C is incorrect because extended metadata is not a standard way to communicate features; in fact, other SAML products (like ADFS or Okta) cannot read or process PingAM's extended metadata. Option A is incorrect because basic certificates/keys are usually part of the standard metadata (KeyDescriptor), and Option B is incorrect because SAML federation usually triggers authentication journeys or attribute mapping rather than a standard authorization 'policy.'

PingAM 8.0.2 provides a 'Recovery Code' mechanism as part of its Multi-Factor Authentication (MFA) suite. This allows users to regain access to their accounts if they lose their MFA device (such as a smartphone used for Push or OATH).

According to the PingAM 'Authentication Node Reference' for version 8.0.2:

The node responsible for the validation of these codes is the Recovery Code Collector Decision node. This node performs a dual function:

Collection: It renders the UI callback to the user (a text input field) asking for the recovery code.

Decision/Validation: Once the user submits a code, the node checks the input against the stored, hashed recovery codes in the user's profile.

Analysis of the other options:

Recovery Code Display node (Option A): This node is used during the registration phase to show the user their newly generated codes so they can save them. It does not validate them.

Recovery Code Verifier node (Option D): This is a common distractor name. While 'Verifier' sounds logical, the actual name in the AM designer is the 'Collector Decision' node, reflecting the pattern of nodes that both collect data and make a branching decision.

Recovery Code Comparator node (Option B): Not a standard node in PingAM 8.0.2.

The Recovery Code Collector Decision node typically has two outcomes: Success (code matched and was consumed/removed) or Failure (code was invalid). This node is vital for ensuring that 'Account Recovery' journeys remain secure and functional within the Intelligent Access framework.

============