Ping Identity PAP-001 Certified Professional - PingAccess Exam Practice Test

PingAccess allows fine-grained authentication enforcement by applyingAuthentication Requirement rulesat the resource level. These rules can invoke MFA flows based on request context or policy.

Exact Extract:

“Authentication requirement rules determine whether PingAccess challenges a user to authenticate again (for example, with MFA) before allowing access to a protected resource.”

Option Ais incomplete. Creating a requirement does nothing unless it is applied.

Option Bis correct because applying the Authentication Requirement rule to thespecific resource (URL)enforces MFA only for that resource.

Option Cis incorrect; Web Session Attribute rules are about evaluating existing session attributes, not triggering MFA.

Option Dis incorrect; HTTP Request Parameter rules are used to evaluate request data, not enforce MFA policies.

To enableSingle Logout (SLO), theSLO scopemust be defined in the PingAccess Web Session configuration. This determines which sessions are ended when a logout request occurs.

Exact Extract:

“The SLO scope option in a web session specifies which applications are included in a logout event when Single Logout is triggered.”

Option A (SLO scope)is correct; it explicitly enables SLO support by linking session termination across apps.

Option B (Idle timeout)is unrelated; this controls session expiration, not SLO.

Option C (Validate Session)ensures session state is synchronized but does not configure SLO.

Option D (Refresh User Attributes)is unrelated; it only controls whether attributes are reloaded.

PingAccess supports logging directly to a relational database usingLog4j database appenders. To enable this:

Configurelog4j2.xmlto use a JDBC Appender.

Configurelog4j2.db.propertieswith the database connection information.

Provide the appropriate database driver in thePA_HOME/libdirectory.

Exact Extract:

“To log to a database, configure log4j2.xml and log4j2.db.properties, and place the JDBC driver JAR file in PA_HOME/lib.”

Option Ais correct — both files must be configured.

Option Bis incorrect — existing logs do not need removal.

Option Cis incorrect — enabling audit is unrelated to database logging.

Option Dis correct — the Oracle JDBC driver must be installed in PA_HOME/lib.

Option Eis incorrect unless TLS is used to connect to the DB, but it is not required for standard DB logging setup.

The requirement is:

Allow access ifuser is in sales

OR ifuser is in marketing AND is a manager

This is logically represented as:

(A) OR (B AND C)

To configure this in PingAccess:

Rule Set (D) = ANY (A)

Rule Set (E) = ALL (B, C)

Rule Set Group (F) = ANY (D, E)

Assign Group (F) to the resource

This exactly matchesOption D.

Option Ais incorrect — requires both A and (B AND C), which is stricter than the requirement.

Option Bis incorrect — ANY(A, B, C) would allow users in marketing or managers without requiring both.

Option Cis incorrect — it uses ALL(D, E), which would require both conditions instead of OR.

Option Dis correct — it models (A OR (B AND C)).

Applications in PingAccess can be associated with multipleVirtual Hosts. Each virtual host defines an FQDN and port combination through which the application is exposed, allowing protection across multiple domains or hostnames.

Exact Extract:

“Virtual hosts specify the fully qualified domain names (FQDNs) and ports that PingAccess uses to expose applications.”

Option A (Sites)represent the target back-end servers, not the external FQDN.

Option B (Virtual Hosts)is correct — use multiple virtual hosts for multiple domains.

Option C (Redirects)are unrelated to multi-domain application protection.

Option D (Rules)define access policies, not hostnames.

PingAccess usesobfuscated keysto secure sensitive configuration values (like passwords). Theobfuscate.bat(Windows) orobfuscate.sh(Linux) script is used to generate a new key and protect sensitive data.

Exact Extract:

“Useobfuscate.[bat|sh]to generate a new obfuscation key for protecting configuration values.”

Option A (db-passwd-rotate.bat)is not a valid PingAccess script.

Option B (memoryoptions.bat)configures JVM memory, not encryption.

Option C (run.bat)starts PingAccess.

Option D (obfuscate.bat)is correct — it is used to protect sensitive configuration.

When using multiple Access Token Managers, theSend Audienceoption ensures that tokens are scoped properly and validated against the intended resource/application.

Exact Extract:

“EnableSend Audiencein the token provider configuration to support environments with multiple Access Token Managers and enforce correct audience restrictions.”

Option A (Subject Attribute Name)is unrelated — it maps user identity but not token manager selection.

Option B (Send Audience)is correct — required when multiple ATMs are in use.

Option C (Use Token Introspection Endpoint)is optional and depends on deployment, not mandatory for multiple ATMs.

Option D (Client Secret)is part of OAuth client credentials, not specific to multiple ATMs.

When using theAuthorization Code Flowfor authentication, PingAccess must be configured with:

AnOAuth Client IDthat identifies the application to the IdP.

TheOpenID Connect Login Typeset to Authorization Code.

Exact Extract:

“When configuring an OIDC web session, specify the OAuth client ID and select the OpenID Connect login type (Authorization Code, Hybrid, or Implicit).”

Option A (OAuth Token Introspection Endpoint)is not required for Authorization Code flow — token introspection is used in other cases.

Option B (OAuth Client ID)is correct — required for OIDC authorization requests.

Option C (OpenID Connect Issuer)is discovered automatically via metadata when you configure the token provider.

Option D (Virtual Host)is required for application exposure but not specific to OIDC flow.

Option E (OpenID Connect Login Type)is correct — must be set to “Authorization Code.”

When PingAccess is first installed, theAdministrative Console(the web-based UI for managing configuration) is bound to adefault port of 9000. This is documented in the installation and configuration guides:

Exact Extract from documentation:

“By default, the administrative console is available athttps:// :9000.”

(PingAccess Installation Guide – Default Ports)

This means that unless the administrator has explicitly changed the port inrun.propertiesor during installation, the console will always be available onport 9000.

Option Analysis:

A. 9000✅Correct. Default administrative console port.

B. 3000❌Incorrect. This is not a PingAccess default port.

C. 9090❌Incorrect. Sometimes used by other Ping products for APIs, but not the PingAccess admin console.

D. 3030❌Incorrect. Not a default PingAccess port.

All onboarding in PingAccess begins with defining anApplication. Once the application exists, the administrator can defineResourceswithin it and assign different rules to those resources.

Exact Extract:

“Before you can configure resources and rules, you must first create an application in PingAccess.”

Option A (Identity Mapping)may be required later but not the first step.

Option B (Web Session)can be shared but is not the first onboarding step.

Option C (Application)is correct — the starting point for onboarding.

Option D (Resource)comes after creating the application.

Identity Mapping in PingAccess relies on attributes provided by thetoken provider(e.g., PingFederate, OIDC provider). If the desired attributes are not present in the dropdown, it means they are not being provided in the token or userinfo response.

Exact Extract:

“Attributes available in identity mappings are those provided in the web session by the token provider. If attributes are missing, they must be added to the token by the identity provider.”

Option Ais correct — the token provider administrator must configure the IdP to include the additional attributes.

Option Bis incorrect — rewrite rules modify content but do not supply new identity attributes.

Option Cis incorrect — developers cannot directly add identity attributes; they must come from the IdP.

Option Dis incorrect — Web Session Attribute rules only evaluate available attributes; they don’t create new ones.

Therun.propertiesfile in PingAccess is the primary configuration file that defines system-level runtime behavior. According to PingAccess documentation:

Exact Extract:

“Therun.propertiesfile contains configuration properties for PingAccess, including operational mode, logging levels, admin authentication fallback, cluster settings, and system defaults.”

(PingAccess Administrator’s Guide –run.properties Reference)

From this, we can determine:

C. Operational mode for PingAccess→CorrectThe propertypa.operational.modeinrun.propertiesdefines whether the node operates asSTANDALONE,CLUSTERED_CONSOLE,CLUSTERED_CONSOLE_REPLICA, orCLUSTERED_ENGINE. This is one of the core configurable options.

E. Logging levels→CorrectProperties such aslog.leveland other logging configurations are explicitly defined inrun.properties, allowing administrators to adjust the verbosity of logs (DEBUG, INFO, WARN, ERROR).

Why the others are incorrect:

A. Default logs location→IncorrectThe log file path is not controlled viarun.properties. It is defined inlog4j2.xml, not inrun.properties.

B. URL for heartbeat endpoint→IncorrectThe heartbeat endpoint (/pa/heartbeat.ping) is a fixed system endpoint and is not configurable inrun.properties.

D. X-Frame-Options header→IncorrectSecurity headers likeX-Frame-Optionsare managed under application security policies or global response headers, not inrun.properties.

Modern browsers enforce stricter cookie handling rules. If cookies are not configured correctly with theSameSiteattribute, behavior can differ across browsers, leading to inconsistent authentication and access denials. Security exceptions may appear when session cookies are blocked.

Exact Extract:

“The SameSite cookie setting defines how browsers send cookies in cross-site requests. Misconfigured SameSite values can lead to inconsistent application behavior across browsers.”

Option A (Enable PKCE)is related to OAuth flow security, not browser cookie behavior.

Option B (SameSite Cookie)is correct — this directly explains the inconsistent browser issues.

Option C (Request Preservation)ensures query parameters are kept, not related to cross-browser session handling.

Option D (Validate Session)checks session state but does not address browser inconsistencies.

PingAccess supports flexible path matching for resources using wildcards. If the requirement is to matchany path that contains a folder named "escalated", the correct format is:

*/escalated/→ matchesany locationof theescalateddirectory within the path.

Exact Extract:

“The asterisk (*) wildcard matches zero or more characters. Use it in resource paths to match folders at any depth.”

Option A (escalated/)only matches when the resource starts with “escalated/” at the root, not at arbitrary depth.

Option B (*/escalated/)is correct — it matches theescalatedfolder no matter where it occurs.

Option C (*/escalated/+ )is incorrect —+is not a valid PingAccess wildcard operator.

*Option D (/escalated/)matches only when the path starts with “escalated” at the first level, not arbitrary positions.

PingAccess can be configured to log or suppress back-channel requests that occur duringtoken validationwith an OAuth/OpenID Connect provider such as PingFederate. These requests happen when PingAccess calls PingFederate to validate access tokens or retrieve key material.

Exact Extract from PingAccess documentation:

“Back-channel requests are logged during token validation by default. To prevent these requests from being written to the audit log, update theToken Validationsettings in PingAccess.”

This makesToken Validationthe correct location for changing the behavior without modifying application-specific configurations.

Why other options are wrong:

B. Web Sessions

Incorrect. Web Sessions control user session management and cookie handling, not back-channel token validation traffic.

C. Sites

Incorrect. Sites are the definitions of backend servers that PingAccess proxies to. This setting does not affect back-channel logging to PingFederate.

D. Token Provider

Incorrect. The Token Provider defines the OIDC/OAuth server (e.g., PingFederate) and its endpoints, but the logging of back-channel requests is not controlled here.

Thus, the correct answer isA. Token Validation.

PingAccess usesEngine Listenersfor SSL termination of proxied applications. To minimize the number of certificates, administrators can:

Use awildcard certificate(e.g.,*.customer.com) on the engine listener.

Use aSubject Alternative Name (SAN) certificatethat covers multiple FQDNs under thecustomer.comdomain.

Exact Extract:

“PingAccess engine listeners can use certificates containing either wildcard entries or Subject Alternative Names to secure multiple applications under a single domain.”

Option Ais incorrect — assigning unique key pairs increases, not decreases, certificate management overhead.

Option Bis correct — a wildcard certificate covers all subdomains (e.g.,app1.customer.com,app2.customer.com).

Option Cis correct — a SAN certificate lists multiple FQDNs explicitly.

Option Dis incorrect — agent listeners don’t handle SSL termination for proxied apps.

Option Eis incorrect for the same reason — agent listeners aren’t used for SSL.

PingAccess supportsone primary administrative console (active)and any number ofreplica administrative consoles. Engines must be configured to connect to theactive console, with replicas available for failover.

Exact Extract:

“In a clustered environment, PingAccess supports one clustered console (active) and replica consoles. Engines can connect to any console node for high availability.”

Option Ais incomplete — only one replica limits redundancy.

Option Bis incorrect — multiple active consoles are not supported.

Option Cis incorrect — cannot run two active consoles.

Option Dis correct — one active admin console with multiple replicas ensures HA.

Processing Rulesin PingAccess apply transformations to HTTP traffic (requests or responses) in real time, such as modifying headers, handling CORS, or rewriting cookies.

Exact Extract:

“Processing rules allow PingAccess to modify HTTP requests and responses in real time, such as adding headers or enabling cross-origin requests.”

Option Ais incorrect — they are not for offline data collection.

Option Bis correct — their purpose is real-time modification of web traffic.

Option Cis incorrect — access control rules enforce or override authorization, not processing rules.

Option Dis incorrect — auditing is handled in log configurations, not processing rules.

All administrative API calls that change PingAccess configuration are logged inpingaccess_api_audit.log. This allows administrators to track who made configuration changes.

Exact Extract:

“Thepingaccess_api_audit.logfile contains entries for all administrative API calls and is used to audit configuration changes.”

Option A (pingaccess.log)contains runtime system messages but not detailed API audit entries.

Option B (pingaccess_engine_audit.log)is specific to engine request/response audit logging.

Option C (pingaccess_agent_audit.log)is used for PingAccess Agent traffic auditing, not administrative changes.

Option D (pingaccess_api_audit.log)is correct — it tracks admin API modifications.

When a back-end site requires HTTP Basic Authentication, PingAccess supports this via aBasic Authentication Site Authenticator. The authenticator is configured with credentials so that PingAccess can successfully authenticate to the target site.

Exact Extract:

“PingAccess can authenticate to target sites using a Site Authenticator. Use the Basic Authentication Site Authenticator when the site requires a username and password.”

Option Ais incorrect — identity mappings are used to forward user attributes, not for site-to-site authentication.

Option Bis incorrect — web sessions represent end-user sessions, not back-end credentials.

Option Cis correct — the Basic Authentication Site Authenticator should be configured on the Site.

Option Dis incorrect — mTLS authenticates with certificates, not username/password.

In Log4j2, theLoggerelement controls the log level (INFO,DEBUG,ERROR, etc.) for specific packages or classes.

Exact Extract:

“To modify logging levels, edit theelement inlog4j2.xmland change the level attribute.”

Option A (AsyncLogger)is a performance optimization, not for changing levels.

Option B (RollingFile)defines file rotation, not log levels.

Option C (Logger)is correct — this is where log levels are defined.

Option D (Appenders)define output destinations, not severity levels.