Ping Identity PT-AM-CPE Exam Dumps

This question tests the understanding of Session Cookie Domains and browser behavior in a PingAM 8.0.2 deployment. According to the 'Secure Session Cookies' documentation, the Cookie Domain setting in a realm determines the scope of the SSO token.

Standard browser cookie rules (RFC 6265) dictate that a cookie set for a specific domain is visible to that domain and all of its subdomains. However, a cookie is not visible to a parent domain or a 'sibling' domain.

In this scenario, the cookie is set for am.example.com:

A . example.com: This is the parent domain. A cookie set for am.example.com is not visible here. To make it visible to example.com, the cookie domain would have to be explicitly set to .example.com.

B . am.example.com: The cookie is directly set for this domain, so it is obviously visible.

C . sub.am.example.com: This is a subdomain of am.example.com. Under standard cookie rules, it will receive the cookie.

D . login.am.example.com: While this is also a subdomain, the question implies a specific selection.

Looking at the provided options (B and C), Option C accurately reflects the inheritance rule where the domain itself and its immediate sub-levels are covered. While login.am.example.com (Option D) is technically also a subdomain, the standard documentation examples for 'Cross-domain' or 'Sub-domain' visibility typically emphasize the relationship between the primary AM host and its child applications. Therefore, the combination of B and C is the most accurate representation of how the browser handles the scope of an am.example.com cookie.

============

To facilitate federation between a SAML2 Identity Provider (IdP) and a Service Provider (SP), metadata must be exchanged. PingAM 8.0.2 provides a built-in utility page, exportmetadata.jsp, specifically for this purpose.

When an IdP is configured within a subrealm (rather than the Top Level Realm), the metadata export URL must be qualified with specific query parameters to ensure the correct entity configuration is retrieved. According to the 'SAML 2.0 Reference' and 'Exporting SAML 2.0 Metadata' documentation:

entityid: This parameter is mandatory when there are multiple entities configured. It specifies the unique URI of the IdP (e.g., http://myserver.domain.com:8080/openam). This tells the JSP which specific provider's metadata to generate.

realm: This parameter is crucial for subrealm deployments. By default, the JSP looks in the root realm (/). If the IdP resides in a subrealm named /idprealm, the URL must explicitly include &realm=/idprealm.

Option D is the correct technical string. Option B is incorrect as it lacks parameters and would only attempt to export default root-level metadata. Option C is incorrect because the parameter name is entityid, not idp. While Amster (Option A) can indeed be used to export configuration, the exportmetadata.jsp remains the standard and most common method for generating the XML-formatted metadata required by external partners.

In PingAM 8.0.2, the OpenID Connect (OIDC) Claims Script is the specific extensibility point designed to govern how user information is mapped and transformed into claims within an OIDC ID token or the UserInfo response. While PingAM supports standard scopes like profile and email out of the box, specialized business requirements---such as including an 'employee number' which might be stored as employeenumber in an LDAP directory---require a custom transformation.

According to the 'OIDC Claims Script' reference in the PingAM documentation:

The script acts as a bridge between the Identity Store (the source of truth) and the OIDC Provider (the issuer). When a client requests a token, PingAM executes this script, providing it with a claimObjects map and the userProfile. The developer can then write Groovy or JavaScript logic to retrieve the employeeNumber attribute from the user's profile and add it to the resulting claims set.

The script typically follows this logical flow:

Identify the requested claims from the OIDC scope.

Fetch the corresponding raw attributes from the Identity Store (e.g., PingDS or AD).

Format and name the claim as per the OIDC specification or the specific client requirement (e.g., mapping LDAP employeenumber to OIDC claim emp_id).

Return the claims to be signed and embedded into the JWT.

Why other options are incorrect: Options A, C, and D reference script types that do not exist under those specific names in the standard PingAM 8.0.2 scripting engine. While there are 'Access Token Modification' scripts and 'Client Registration' scripts, the OIDC Claims Script is the only one authorized and designed to manage the payload of the id_token.

Amster is the lightweight command-line interface used for managing PingAM 8.0.2 configurations. To interact with specific components, Amster uses 'Entities.' According to the 'Amster Entity Reference' for version 8, the entity responsible for authentication trees is named AuthTree.8

When a user wants to retrieve or 'query' information about an entity, the syntax follows the pattern: query <EntityName> --realm <RealmPath> --filter <FilterCondition>.

Entity Name: The documentation specifies AuthTree as the correct entity name. Using the full descriptive name AuthenticationTree (Options A and B) will result in a 'Command not found' or 'Unknown entity' error in the Amster shell.

Filter: Amster requires a filter to narrow down results. To query all items within a realm, the standard practice is to use a filter that always evaluates to true, which is --filter true.

Therefore, the correct command is query AuthTree --realm /alpha --filter true (Option C). This command tells Amster to look into the /alpha realm and list every authentication tree configuration found there. Option D is incorrect because --query all is not a valid parameter for the Amster query command; the filtering logic is strictly handled by the --filter flag. Mastering this syntax is essential for DevOps engineers who need to export or audit configurations across different environments (Dev, Test, Prod).

In PingAM 8.0.2, device management is a critical part of the Multi-Factor Authentication (MFA) lifecycle. When a user registers a device for Push, OATH, or WebAuthn, that information is stored as a part of their identity profile. There are many scenarios where a device might need to be reset---for example, if a phone is lost, if the ForgeRock/Ping Authenticator app is reinstalled, or if an HOTP (HMAC-based One-Time Password) counter becomes desynchronized beyond the allowed window.

According to the PingAM documentation on 'Managing Devices for MFA' and the 'REST API for Device Management':

Administrator Capabilities: Administrators have the authority to manage device profiles for any user. They can list, rename, or delete (reset) device profiles using the /json/realms/root/realms/[realm]/users/[username]/devices endpoint. This is vital for helpdesk scenarios (Option D and B).

User Self-Service (The Incorrect Statement C): Statement C is technically incorrect because PingAM's REST API specifically supports self-service device management. An authenticated end-user has the permission to manage their own devices. They can call the /json/realms/root/realms/[realm]/users/[username]/devices endpoint using their own valid SSO token to delete their own registered devices. This allows organizations to build self-service portals where users can 'Unpair' a lost device without calling support (Option A).

The internal security of PingAM ensures that while a regular user can only access their own device sub-resource, an administrator with the appropriate amAdmin or Delegate Admin privileges can access the resources of all users. Therefore, the claim that only administrator accounts can use the REST API for these actions is false and contradicts the 'User Self-Service' philosophy built into the PingAM 8 API architecture.