Ping Identity PAP-001 Certified Professional - PingAccess Exam Practice Test

PingAccess is designed to work with modern identity protocols. It doesnotsupport legacy WS-* protocols directly.

Exact Extract:

“PingAccess integrates with OAuth 2.0 and OpenID Connect (OIDC) to provide authentication and authorization for web and API resources.”

Option A (SAML)is incorrect — PingAccess does not natively consume SAML assertions; SAML can be used indirectly via PingFederate.

Option B (WS-Fed)is not supported.

Option C (WS-Trust)is not supported.

Option D (OAuth2)is correct — used for authorization and token validation.

Option E (OIDC)is correct — used for user authentication and sessions.

For PingAccess to terminate SSL for a proxied application, it requires access to theprivate key and certificate chain. These are stored asKey Pairs.

Exact Extract:

“For SSL termination, you must import the server certificate and its private key as a PKCS#12 file intoKey Pairs.”

Option Ais incorrect — a public key alone cannot terminate SSL.

Option Bis incorrect — PKCS#12 files must go intoKey Pairs, not Certificates.

Option Cis incorrect — public keys alone are insufficient; PingAccess must have the private key.

Option Dis correct — the PKCS#12 file with full chain and private key is imported intoKey Pairs.

When applications depend solely onheader-based identity mapping, attackers can attempt to bypass PingAccess by injecting headers directly into requests sent to the backend. To prevent spoofing, PingAccess should be configured to passcryptographically verifiable tokens(e.g.,ID tokens from OIDC) instead of relying on plain headers.

Exact Extract:

“Headers can be spoofed if not protected. Use signed tokens, such as ID tokens or JWTs, to provide strong identity assurance and prevent header injection attacks.”

Option A (Use ID Tokens)is correct — ID tokens are signed and verifiable, preventing spoofing.

Option B (Add Site Authenticator)protects PingAccess-to-site authentication, not client-to-API spoofing.

Option C (Require HTTPS)prevents eavesdropping but does not stop header spoofing from inside the network.

Option D (Use Target Host Header)ensures host header integrity but not user identity.

Step-up authentication in PingAccess is enforced throughAuthentication Requirement Rules. If users are not prompted, the likely issues are:

The rule is missing from the application/resource.

The rule’s minimum authentication context does not include MFA.

Exact Extract:

“Authentication requirement rules determine whether PingAccess will challenge a user with additional authentication (such as MFA). Ensure that the rule is applied to the resource and that the authentication context is set correctly.”

Option Ais incorrect — rejection handlers define error handling, not MFA enforcement.

Option Bis correct — verify the authentication requirement rule is applied.

Option Cis correct — ensure the rule contains the right MFA requirements.

Option Dis incorrect — identity mappings do not enforce step-up authentication.

Option Eis incorrect — token validation rules check validity, not MFA levels.

When PingAccess is integrated with PingFederate as aToken Provider, the OAuth clients already configured in PingFederate become available in PingAccess. This enables administrators toautomatically select Client IDswhen creating Web Sessions.

Exact Extract:

“When PingAccess uses PingFederate as its token provider, PingFederate OAuth clients appear automatically in PingAccess for selection during web session configuration.”

Option Ais incorrect — this refers to Admin Console authentication, which is separate.

Option Bis incorrect — OAuth clients must be created in PingFederate, not from within PingAccess.

Option Cis incorrect — token issuance policies are managed in PingFederate, not PingAccess.

Option Dis correct — the Client ID dropdown is populated automatically from PingFederate.

When using multiple Access Token Managers, theSend Audienceoption ensures that tokens are scoped properly and validated against the intended resource/application.

Exact Extract:

“EnableSend Audiencein the token provider configuration to support environments with multiple Access Token Managers and enforce correct audience restrictions.”

Option A (Subject Attribute Name)is unrelated — it maps user identity but not token manager selection.

Option B (Send Audience)is correct — required when multiple ATMs are in use.

Option C (Use Token Introspection Endpoint)is optional and depends on deployment, not mandatory for multiple ATMs.

Option D (Client Secret)is part of OAuth client credentials, not specific to multiple ATMs.

In PingAccess, when an application relies on claims from an OAuth access token, you must configure PingAccess to evaluate those claims and potentially inject them into headers for the backend application.

Exact Extract from PingAccess documentation:

“OAuth rules allow you to evaluate claims in OAuth access tokens. You can configure PingAccess to look at specific claims and enforce policies or pass them to target applications.”

“To extract attributes from an access token, configure anOAuth Attribute Rule.”

This clearly matches optionD.

Analysis of each option:

A. An authentication requirement definition

Incorrect. Authentication requirements determine how users authenticate to applications (OIDC provider, etc.), but do not manage access token claims.

B. A web session attribute rule

Incorrect. Web session attribute rules map attributes from the authenticated user’s web session (SSO session), not from OAuth access tokens.

C. An identity mapping definition

Incorrect. Identity mappings transform user attributes (from IdP to app), but they don’t directly pull claims from OAuth tokens.

D. An OAuth attribute rule

Correct. This rule is specifically designed to extract and enforce policies onclaims from OAuth access tokens.

Therefore, the correct answer isD. An OAuth attribute rule.

PingAccess can be configured to log or suppress back-channel requests that occur duringtoken validationwith an OAuth/OpenID Connect provider such as PingFederate. These requests happen when PingAccess calls PingFederate to validate access tokens or retrieve key material.

Exact Extract from PingAccess documentation:

“Back-channel requests are logged during token validation by default. To prevent these requests from being written to the audit log, update theToken Validationsettings in PingAccess.”

This makesToken Validationthe correct location for changing the behavior without modifying application-specific configurations.

Why other options are wrong:

B. Web Sessions

Incorrect. Web Sessions control user session management and cookie handling, not back-channel token validation traffic.

C. Sites

Incorrect. Sites are the definitions of backend servers that PingAccess proxies to. This setting does not affect back-channel logging to PingFederate.

D. Token Provider

Incorrect. The Token Provider defines the OIDC/OAuth server (e.g., PingFederate) and its endpoints, but the logging of back-channel requests is not controlled here.

Thus, the correct answer isA. Token Validation.

When upgrading a PingAccess cluster, theAdmin Console node must always be upgraded firstbefore any replica admin or engine nodes. This ensures that the configuration and schema changes introduced in the new version are properly applied and replicated.

Exact Extract (from PingAccess documentation):

“In a clustered environment, you must first upgrade theadministrative console nodebefore upgrading any replica administrative nodes or engine nodes.”

Why A is correct:

A. Upgrade the Admin Console— This is correct because the admin console node acts as the configuration master in a PingAccess cluster. Upgrading it first ensures the new version schema is available to replicas and engines.

Why the other options are incorrect:

B. Disable cluster communication— This is not required for standard upgrades. Cluster communication remains in place to synchronize changes after the upgrade.

C. Disable Key Rolling— Key rolling is unrelated to the upgrade process. It is a feature used for key rotation, not version upgrades.

D. Upgrade the Replica Admin— This is incorrect because upgrading a replica admin before the primary administrative console is against the documented procedure and would cause replication issues.

Publicly trusted Certificate Authorities are already included in theJava Trust Store Certificate Group, which PingAccess can use directly. This avoids importing the certificate manually.

Exact Extract:

“If the target site uses a certificate from a well-known public CA, configure the site to use the Java Trust Store Certificate Group.”

Option Ais incorrect — Key Pairs store private keys for SSL termination, not public CA trust anchors.

Option Bis correct — Java Trust Store already contains trusted public CAs.

Option Cis incorrect — again, Key Pairs are not used for trust validation.

Option Dis unnecessary for public CAs — only internal/self-signed certs must be imported.

To prevent CORS errors, administrators must configure aCross-Origin Request (CORS) Processing Rule. The secure practice is to allow thespecific trusted domain(www.anycompany.com ) and, when cookies or credentials are required, to enableAllow Credentials.

Exact Extract:

“For secure CORS, specify exact origins rather than wildcards. Enable ‘Allow Credentials’ when client-side resources must include cookies or authentication data.”

Option Ais incomplete — multiple values are possible, but in this case onlywww.anycompany.com is required.

Option Bis less secure — using a wildcard (*.anycompany.com) broadens exposure unnecessarily.

Option Cis insecure —*with credentials is disallowed by CORS specifications.

Option Dis correct — restricts access to the trusted domain and allows credentialed requests.

For SSL termination, PingAccess requires aKey Pair(certificate + private key). During a POC/demo, when aself-signed certificateis used, the administrator can create it directly in theKey Pairssection of the console.

Exact Extract:

“Use the Key Pairs section to create self-signed certificates for testing or proof-of-concept deployments. For production, import a PKCS#12 file containing a certificate chain and private key.”

Option Ais incorrect — Certificates store trust anchors (CAs), not SSL termination certs.

Option Bis incorrect — an internal CA-signed cert requires PKCS#12 import, not self-signed creation.

Option Cis incorrect — a publicly trusted CA is not used for a demo phase.

Option Dis correct — creating a new certificate in Key Pairs generates a self-signed cert suitable for demos.

Mutual TLS (mTLS) is used to establishtwo-way authenticationwhere both the client and the server present certificates to prove their identity. In the case of PingAccess, aMutual TLS Site Authenticatoris configured when PingAccess acts as a reverse proxy making requests to a backend (target) server.

Exact Extract from PingAccess documentation:

“Mutual TLS site authenticators provide client certificate authentication when PingAccess connects to a backend site. This allows PingAccess to present its certificate to the target server during the TLS handshake.”

This means the purpose is forPingAccess (client) to authenticate itself to the backend server (target resource)when establishing a secure connection.

Why other options are wrong:

A. Allows the backend server to authenticate to PingAccess

Incorrect. That’s normal server-side TLS authentication (the server presents a cert to the client), not mutual TLS initiated by PingAccess.

B. Allows the user to authenticate to the backend server

Incorrect. End users do not directly use this setting; this is between PingAccess and the backend application server.

C. Allows PingAccess to authenticate to the backend server

Correct. This is exactly the definition of a Mutual TLS Site Authenticator in PingAccess.

D. Allows PingAccess to authenticate to the token provider

Incorrect. That would involve OIDC/OAuth token exchange and possibly TLS trust, but it’s not the role of the Site Authenticator.

Thus, the correct answer isC. Allows PingAccess to authenticate to the backend server.

When a resource is configured asanonymous, PingAccess does not challenge the user for authentication. However, certain processing and identity propagation still occur.

Exact Extract:

“Anonymous resources do not require authentication. Identity mappings and request/response processing rules still apply.”

Option Ais incorrect because rules such as identity mappings and processing still apply.

Option Bis correct — Identity Mappings can still forward attributes, even for anonymous access.

Option Cis correct — Processing rules (e.g., request/response modifications) still apply.

Option Dis incorrect — requestsarelogged; anonymous does not disable logging.

Option Eis incorrect — access control rules (authorization) are not evaluated for anonymous resources.

When APIs are remote, latency is introduced by frequent token validation requests. EnablingCache Tokenon the OAuth Resource Server reduces repeated validation calls and improves performance.

Exact Extract:

“The OAuth Resource Server configuration includes aCache Tokenoption that improves performance by reducing round trips for token validation.”

Option Ais incorrect — key rolling affects cryptographic keys, not API latency.

Option Bis incorrect — virtual hosts control external FQDNs, not performance.

Option Cis incorrect — token attribute size does not significantly affect remote latency.

Option Dis correct — caching tokens reduces validation overhead.

Applications consuming signed JWTs need theJSON Web Key Set (JWKS)endpoint to retrieve the public keys used for validating JWT signatures. PingAccess exposes this at/pa/authtoken/JWKS.

Exact Extract:

“When using JWT identity mapping, applications can obtain the signing keys from the/pa/authtoken/JWKSendpoint to validate the JWT signature.”

Option Ais correct —/pa/authtoken/JWKSprovides the key set for signature validation.

Option Bis incorrect — that’s an administrative API for configuring identity mappings, not a runtime validation endpoint.

Option Cis incorrect —/pa/aidc/cbis the OIDC callback endpoint.

Option Dis incorrect —/pa-admin-api/v3/authTokenManagementis for admin token management, not JWT validation.

Virtual Hostsin PingAccess define the external FQDNs (and ports) through which applications are accessed. An application can be bound to multiple virtual hosts to allow access via multiple FQDNs.

Exact Extract:

“A virtual host specifies the fully qualified domain name and port number through which an application is accessed.”

Option A (Virtual Hosts)is correct — multiple FQDNs can be supported by assigning multiple virtual hosts.

Option B (Applications)define resource protection but do not manage FQDN binding.

Option C (Sites)define back-end targets, not the public-facing FQDN.

Option D (Web Sessions)handle authentication state, unrelated to hostnames.

Identity Mapping in PingAccess relies on attributes provided by thetoken provider(e.g., PingFederate, OIDC provider). If the desired attributes are not present in the dropdown, it means they are not being provided in the token or userinfo response.

Exact Extract:

“Attributes available in identity mappings are those provided in the web session by the token provider. If attributes are missing, they must be added to the token by the identity provider.”

Option Ais correct — the token provider administrator must configure the IdP to include the additional attributes.

Option Bis incorrect — rewrite rules modify content but do not supply new identity attributes.

Option Cis incorrect — developers cannot directly add identity attributes; they must come from the IdP.

Option Dis incorrect — Web Session Attribute rules only evaluate available attributes; they don’t create new ones.

PingAccess usesobfuscated keysto secure sensitive configuration values (like passwords). Theobfuscate.bat(Windows) orobfuscate.sh(Linux) script is used to generate a new key and protect sensitive data.

Exact Extract:

“Useobfuscate.[bat|sh]to generate a new obfuscation key for protecting configuration values.”

Option A (db-passwd-rotate.bat)is not a valid PingAccess script.

Option B (memoryoptions.bat)configures JVM memory, not encryption.

Option C (run.bat)starts PingAccess.

Option D (obfuscate.bat)is correct — it is used to protect sensitive configuration.

PingAccess validates access tokens usingAccess Token Managers, which are typically backed byPingFederateor ageneric OIDC provider.

Exact Extract:

“PingAccess validates tokens through Access Token Managers, which can be configured against PingFederate or a common OIDC provider.”

Option A (PingFederate)is correct — the most common token provider.

Option B (Kerberos)is not supported for token validation.

Option C (SAML provider)is incorrect — PingAccess does not natively consume SAML assertions.

Option D (Common OIDC provider)is correct — tokens can be validated against any OIDC-compliant IdP.

Option E (PingAuthorize)is an authorization engine, not a token provider.

When usingHTTP Basic Authentication(admin.auth=native), PingAccess only supports asingle administrative account(the default admin user). For multiple administrators, SSO integration (e.g., OIDC) is required.

Exact Extract:

“When admin authentication is set to native (HTTP Basic), only one administrative user is supported. For multiple admins, configure UI authentication with an OIDC provider.”

Option A (1000)is incorrect.

Option B (1)is correct — only one basic auth admin account.

Option C (10)andOption D (100)are incorrect.