Cisco
CompTIA
ISC
EC-Council
EXIN
Fortinet
ITIL
Juniper
Microsoft
VMware
Avaya
SAP
Google
NVIDIA
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk
ServiceNow
All Vendors
  2. Home
  3. Exams
  4. Ping Identity
  5. PT-AM-CPE

Ping Identity PT-AM-CPE Exam Questions
Certified Professional - PingAM (Page 3 )

Updated On: 27-Feb-2026
Page 3 of 21
PDF with 100 Questions

Which of the following approaches can be used to configure a basic installation of PingAM?

  1. Either the graphical user interface in a browser, or a command-line program
  2. The graphical user interface in a browser
  3. There is no basic configuration needed
  4. A command-line program

Answer(s): A

Explanation:

According to the PingAM 8.0.2 Installation Guide, once the am.war file has been deployed into a web container (such as Apache Tomcat), the administrator must perform an initial configuration to set up the configuration store and the primary administrative user (amAdmin). PingAM provides two primary pathways for this "basic" configuration to accommodate different environment needs:
GUI-based Configuration (Interactive): By accessing the AM deployment URL (e.g., https://auth.example.com:8443/am) in a standard web browser, the administrator is presented with an interactive setup wizard. This wizard guides the user through the license agreement, setting the amAdmin password, and defining the connection details for the Configuration Store (typically PingDS). This is the preferred method for single-instance setups or initial trials. Command-Line Configuration (Automated/Passive): For DevOps-centric deployments, headless environments, or automated scripts, PingAM provides the configurator.jar (often used for "Passive" installations). Additionally, for version 8 deployments, Amster is the primary command-line interface (CLI) tool. Amster allows administrators to import a full configuration state from JSON files, bypassing the GUI entirely. This is crucial for CI/CD pipelines and Kubernetes-based deployments (like the ForgeOps CDK/CDP).
The flexibility to use either the browser-based GUI or command-line tools ensures that PingAM can be deployed efficiently across diverse infrastructures, from traditional on-premises servers to modern cloud-native orchestration platforms. Therefore, Option A is the correct answer as it recognizes both valid administrative interfaces for the initial setup.



Which feature of PingAM protects against cookie hijacking in a cross-domain single sign-on environment?

  1. Random tokens
  2. Bound tokens
  3. Lockout tokens
  4. Restricted tokens1

Answer(s): D

Explanation:

In a Cross-Domain Single Sign-On (CDSSO) environment, PingAM must manage session cookies across multiple distinct DNS domains.2 By default, a standard SSO token could potentially be stolen and reused by a malicious actor to gain access to other domains within the same realm.3 To mitigate this specific threat, PingAM 8.0.2 utilizes Restricted Tokens.4 According to the documentation on "Securing CDSSO session cookies," a restricted token is a unique SSO token issued for each specific application or policy agent after successful user authentication.5 When CDSSO is active with cookie hijacking protection enabled, PingAM issues a "master" SSO token for the domain where AM resides and separate restricted tokens for the other fully qualified domain names (FQDNs) where web or Java agents are located.6
The restricted token is "restricted" because it is inextricably linked to the specific agent and application that initiated the redirection. Internally, AM stores a correlation between the master session and these restricted tokens.7 If an attacker attempts to hijack a restricted token and use it to access a different application or a different domain, the AM server performs a validation check on the constraint associated with the token (such as the agent's DN or IP). If the request does not originate from the authorized entity, a security violation is triggered, and access is denied. This mechanism ensures that even if a cookie is stolen in one domain, its utility is confined strictly to that domain and cannot be used for "lateral movement" across the enterprise's other protected resources. It is important to note that restricted tokens require server-side sessions to function; they are not supported for client-side (JWT-based) sessions.8



What is session denylisting used for?

  1. Keeping track of session inactivity
  2. Keeping track of restricted sessions
  3. Keeping track of logged out sessions
  4. Keeping track of absolute session timeouts

Answer(s): C

Explanation:

Session Denylisting is a critical security feature in PingAM 8.0.2, primarily used when a realm is configured for client-side sessions.9 In a client-side session model, the session state is stored in a signed and encrypted JWT within the user's browser cookie rather than in the server's memory or the Core Token Service (CTS).10 Because the server does not "own" the session state, a logout event typically only involves deleting the cookie from the browser. However, if a malicious actor had previously copied that cookie, they could still use it until it naturally expires. To solve this, PingAM uses Session Denylisting to keep track of logged out sessions.11 When a user logs out, or when a session is invalidated (e.g., during a session upgrade or administrative action), AM records the session identifier in a denylist stored within the Core Token Service (CTS).12 For every subsequent request, AM checks the incoming client-side session token against this denylist.13 If the session ID is found in the denylist, AM rejects the token as invalid, even if the cryptographic signature is correct and the expiration time has not passed. The documentation emphasizes that this feature is essential for "tracking session logouts across multiple AM servers" in a cluster. Without denylisting, there would be no way to perform a "global logout" for client-side sessions that is immediately effective across all nodes.14 Administrators can configure properties such as the Denylist Purge Delay (to account for clock skew) and the Denylist Poll Interval (to balance security speed with system performance).15 By effectively managing the lifecycle of revoked tokens, session denylisting ensures that a logout is a cryptographically and operationally certain event.



Consider the following LDAP connection string:
DS1.example.com:389|01, DS2.example.com:389|01, DS2.example.com:389|02, DS1.example.com:389|02
This connection string can be used in:

(A). Identity Store
(B). Core Token Service
(C). Configuration Data Store

Which of the above options are correct?

  1. Only A is correct
  2. Only B is correct
  3. Only C is correct
  4. A, B, and C are correct

Answer(s): B

Explanation:

The connection string format HOST:PORT|SERVERID|SITEID is a specific syntax used in PingAM 8.0.2 for Affinity Load Balancing, a feature almost exclusively associated with the Core Token Service (CTS). In high-volume deployments, the CTS handles thousands of session updates per second. To avoid replication lag issues--where an AM server might try to read a session token from a directory server (DS) before the update has replicated from another DS node--PingAM uses "Affinity."16 According to the "CtsDataStoreProperties" and "CTS Deployment Architectures" documentation, this specialized string allows the AM instance to prioritize connections based on the Server ID and Site ID.17 The pipe (|) characters signify the optional affinity parameters:
01/02: These represent the Server IDs of the underlying Directory Servers. Affinity Logic: By providing these IDs, PingAM can ensure that it always routes requests for the same CTS token to the same directory server node.18
While standard Identity Stores (Option A) and the Configuration Data Store (Option C) use LDAP connection strings, they typically utilize a comma-separated list of host:port pairs or rely on a hardware load balancer. The specific use of server and site IDs within the connection string itself to manage LDAP request routing is a hallmark of the CTS affinity configuration.19 The documentation explicitly states that "Each connection string is composed as follows:
HOST:PORT[|SERVERID[|SITEID]]" within the context of CTS external store configuration.20 Therefore, this complex string is specifically designed for the Core Token Service to ensure data consistency and high performance in clustered environments.



Which OAuth2 flow is most appropriate to support the use case of a client application implemented in a browser using a scripted language such as JavaScript?

  1. Authorization code grant flow with PKCE
  2. Implicit grant flow
  3. Resource owner grant flow
  4. Client credentials grant flow

Answer(s): A

Explanation:

In PingAM 8.0.2, the recommended and most secure flow for "Public Clients"--such as Single Page Applications (SPAs) written in JavaScript--is the Authorization Code Grant Flow with PKCE (Proof Key for Code Exchange).
Historically, the Implicit Grant Flow (Option B) was used for browser-based apps because they could not securely store a client_secret. However, the Implicit flow is now considered legacy and insecure due to the risk of access token leakage in the browser history or via referrer headers. The Resource Owner Password Credentials Grant (Option C) is also discouraged as it requires the application to handle user credentials directly, violating the core principle of delegated authorization. Client Credentials (Option D) is reserved strictly for machine-to-machine communication where no user is involved.
The Authorization Code Grant with PKCE addresses the security limitations of public clients by replacing the static client_secret with a dynamically generated "code verifier" and "code challenge."

The process works as follows:
Challenge Generation: The JavaScript app creates a cryptographically strong random string (Verifier) and transforms it (Challenge).
Authorization Request: The app sends the challenge to PingAM.21 Code Exchange: After user login, AM returns an authorization code. The app then sends the code and the original verifier to the token endpoint.
Verification: AM verifies that the verifier matches the initial challenge before issuing the Access Token.
This flow ensures that even if an attacker intercepts the authorization code, they cannot exchange it for a token without the original verifier, which never left the browser's execution context. PingAM 8.0.2 fully supports this flow and provides specific configuration options in the OAuth2 Provider settings to enforce PKCE for all public clients.






Post your Comments and Discuss Ping Identity PT-AM-CPE exam dumps with other Community members:

Join the PT-AM-CPE Discussion