Ping Identity PT-AM-CPE Exam Dumps

Get All Certified Professional - PingAM Exam Questions with Validated Answers

PT-AM-CPE Pack
Vendor: Ping Identity
Exam Code: PT-AM-CPE
Exam Name: Certified Professional - PingAM Exam
Exam Questions: 100
Last Updated: April 7, 2026
Related Certifications: Ping Identity Certifications
Pass Your Ping Identity PT-AM-CPE Certification Exam Easily!

Looking for a hassle-free way to pass the Ping Identity Certified Professional - PingAM Exam? DumpsProvider provides the most reliable Dumps Questions and Answers, designed by Ping Identity certified experts to help you succeed in record time. Available in both PDF and Online Practice Test formats, our study materials cover every major exam topic, making it possible for you to pass potentially within just one day!

DumpsProvider is a leading provider of high-quality exam dumps, trusted by professionals worldwide. Our Ping Identity PT-AM-CPE exam questions give you the knowledge and confidence needed to succeed on the first attempt.

Train with our Ping Identity PT-AM-CPE exam practice tests, which simulate the actual exam environment. This real-test experience helps you get familiar with the format and timing of the exam, ensuring you're 100% prepared for exam day.

Your success is our commitment! That's why DumpsProvider offers a 100% money-back guarantee. If you don’t pass the Ping Identity PT-AM-CPE exam, we’ll refund your payment within 24 hours, no questions asked.

Why Choose DumpsProvider for Your Ping Identity PT-AM-CPE Exam Prep?

  • Verified & Up-to-Date Materials: Our Ping Identity experts carefully craft every question to match the latest Ping Identity exam topics.
  • Free 90-Day Updates: Stay ahead with free updates for three months to keep your questions & answers up to date.
  • 24/7 Customer Support: Get instant help via live chat or email whenever you have questions about our Ping Identity PT-AM-CPE exam dumps.

Don’t waste time with unreliable exam prep resources. Get started with DumpsProvider’s Ping Identity PT-AM-CPE exam dumps today and achieve your certification effortlessly!

Free Ping Identity PT-AM-CPE Exam Actual Questions

Question No. 1

What is the purpose of the SAML2 account mapper on the service provider (SP) side?

Correct Answer: D

In a SAML 2.0 Federation flow, once the Service Provider (SP) receives and validates a SAML Assertion from an Identity Provider (IdP), it must determine which local user account the assertion corresponds to. This is the role of the SAML2 Account Mapper.

According to the PingAM 8.0.2 documentation on 'Federate Identities' and the 'SAML 2.0 Reference':

The SP-side account mapper (specifically the SPAccountMapper interface or its scripted equivalent) is responsible for mapping the remote user (identified in the SAML assertion) to a local user profile in the SP's identity store.

This mapping can be achieved in several ways:

Account Linking: Finding an existing link between the NameID in the assertion and a local DN.

Attribute Matching: Using an attribute from the assertion (like mail) to search the local directory for a matching user.

Auto-Federation: If configured, creating a link or a new profile automatically based on the incoming data.

If the account mapper cannot find a corresponding local profile, the SP cannot create a local session, and the SSO process will fail, typically with a 'User not found' or 'Local identity not found' error. Thus, the purpose is strictly the identification of the local subject based on the remote assertion (Option D). Options A and B are incorrect as they describe aggregation or account merging which are not the primary function of the SAML mapper. Option C describes 'Attribute Mapping,' which is a separate step (handled by the Attribute Mapper) that occurs after the identity has been successfully mapped.


Question No. 2

Which of the following are existing script types in PingAM?

A) Decision node script for authentication trees

B) End User user interface theme script

C) OpenID Connect claims script

D) Policy condition script

Correct Answer: D

PingAM 8.0.2 is highly extensible through its Scripting Engine, which supports Groovy and JavaScript. However, scripts can only be applied to specific 'hooks' or 'extension points' defined by the platform.

According to the 'Scripting' and 'Script Types' reference in the PingAM 8.0.2 documentation, the standard supported script types are:

Decision node script (A): Used within Authentication Trees via the 'Scripted Decision Node.' These scripts allow for complex logic, such as checking user attributes, calling external APIs, or evaluating risk before deciding which path a user should take in their journey.

OpenID Connect claims script (C): This script type is used to customize the claims returned in OIDC ID Tokens or at the UserInfo endpoint. It allows administrators to transform internal LDAP attributes into the specific JSON format required by OIDC clients.

Policy condition script (D): Used within Authorization Policies. These scripts define custom logic for granting or denying access (e.g., 'Allow access only if the user is connecting from a specific IP range and it is between 9 AM and 5 PM').

Why Statement B is incorrect: There is no such thing as an 'End User user interface theme script' in the PingAM scripting engine. UI customization (theming) in PingAM 8.0.2 is handled through the XUI framework using CSS, HTML templates, and configuration JSON files, or by building a custom UI using the Ping SDKs. It does not use the server-side Groovy/JavaScript scripting engine that governs authentication and authorization logic. Therefore, the valid script types are A, C, and D, making Option D the correct choice.


Question No. 3

Charlotte wants to query all the authentication tree configuration details in the alpha realm using an Amster command. After connecting to the PingAM instance in Amster, which command should Charlotte enter?

Correct Answer: C

Amster is the lightweight command-line interface used for managing PingAM 8.0.2 configurations. To interact with specific components, Amster uses 'Entities.' According to the 'Amster Entity Reference' for version 8, the entity responsible for authentication trees is named AuthTree.

When a user wants to retrieve or 'query' information about an entity, the syntax follows the pattern: query <EntityName> --realm <RealmPath> --filter <FilterCondition>.

Entity Name: The documentation specifies AuthTree as the correct entity name. Using the full descriptive name AuthenticationTree (Options A and B) will result in a 'Command not found' or 'Unknown entity' error in the Amster shell.

Filter: Amster requires a filter to narrow down results. To query all items within a realm, the standard practice is to use a filter that always evaluates to true, which is --filter true.

Therefore, the correct command is query AuthTree --realm /alpha --filter true (Option C). This command tells Amster to look into the /alpha realm and list every authentication tree configuration found there. Option D is incorrect because --query all is not a valid parameter for the Amster query command; the filtering logic is strictly handled by the --filter flag. Mastering this syntax is essential for DevOps engineers who need to export or audit configurations across different environments (Dev, Test, Prod).


Question No. 4

Which token transformation is not supported by the REST security token service?

Correct Answer: C

The Security Token Service (STS) in PingAM 8.0.2 acts as a broker that translates security tokens from one format to another, allowing for interoperability between different security domains (e.g., translating a web-based session into a SOAP-based SAML assertion).

According to the PingAM 'Security Token Service (STS)' documentation and the 'Rest-Based STS' reference, the service supports a specific set of input and output token types. Supported input (source) tokens typically include Username Tokens, SAML2 Tokens, X.509 Certificates, Kerberos Tokens, and the internal PingAM Session Token (SSOToken). The service can transform these into output (target) tokens such as SAML2 Assertions or OIDC ID Tokens.

Analysis of the options:

Option A (Username token -> SAML2): Supported. This is a common use case where a client provides a username and password (WS-Security format) and receives a SAML2 assertion.

Option B (Kerberos -> SAML2): Supported. Used in Windows Desktop SSO environments where a SPNEGO/Kerberos token is exchanged for a SAML assertion for cloud applications.

Option D (PingAM SessionToken -> SAML2): Supported. This allows a user who already has a valid AM session to obtain a SAML2 token for a back-end web service.

Option C (OpenID Connect -> SAML2): Not supported by the REST STS implementation in version 8.0.2. While PingAM supports OIDC and SAML2 federation generally, the specialized STS service does not list an OIDC ID Token as a valid input token type for transformation into a SAML2 assertion within its specific state machine. OIDC to SAML 'bridging' is typically handled via the standard Federation service rather than the STS broker.



Question No. 5

Which of the following steps must be configured in PingAM to implement mutual TLS using the public key infrastructure (PKI) approach?

1. Import the trusted certificates into the trust store used by the PingAM web container.

2. Create a secret store in the realm that maps the appropriate secret ID with the certificate alias in the trust store.

3. Select tls_client_auth as the authentication method in the client profile.

4. Select self_signed_tls_client_auth as the authentication method in the client profile.

5. Provide the certificate subject distinguished name in the client profile.

6. Configure a revocation check in the client profile.

7. Register the X.509 certificate in the client profile.

Correct Answer: C

In PingAM 8.0.2, there are two distinct ways to implement Mutual TLS (mTLS) for OAuth2 client authentication: the PKI Approach (CA-signed) and the Self-Signed Approach.

According to the documentation on 'Mutual TLS using PKI':

The PKI approach relies on a chain of trust. The steps required are:

Step 1 (Trust): You must import the CA certificates that signed the client certificates into the truststore of the web container (Tomcat) or the AM Secret Store. This allows AM to verify the signature of the client's certificate during the TLS handshake.

Step 2 (Mapping): You must configure a Secret Store and map the am.services.oauth2.tls.client.cert.authentication secret label to the trusted CA aliases.

Step 3 (Authentication Method): In the OAuth2 Client Profile, you must select tls_client_auth. This is the specific OIDC standard string for CA-based mTLS. (In contrast, self_signed_tls_client_auth (Step 4) is used only when you trust individual certificates directly without a CA.)

Step 5 (Identity Mapping): Because multiple clients might have certificates signed by the same CA, you must provide the Subject Distinguished Name (DN) (e.g., CN=myClientApp) in the client profile. PingAM uses this to ensure that the certificate presented by the client during the handshake actually belongs to that specific Client ID.

Why other steps are excluded: Step 7 (Registering the certificate) is only required for the Self-Signed approach, as the PKI approach validates against the CA. Step 6 (Revocation check) is a global provider setting or an optional enhancement, but not a fundamental 'must-configure' step for the basic PKI identity mapping logic. Thus, the correct sequence for the PKI approach is 1, 2, 3, and 5, making Option C the correct answer.

