Ping Identity PAP-001 Certified Professional - PingAccess Exam Practice Test

When a PingAccess agent is compromised, the secure approach is toinvalidate the existing credentials and issue a new configuration filefrom the PingAccess Admin Console. This provides a freshagent.propertiesfile with new secrets, ensuring compromised keys cannot be reused.

Exact Extract:

“If an agent is compromised, revoke and regenerate the agent configuration by downloading a newagent.propertiesfile from the administrative console.”

Option Ais incorrect — manually changing the secret in the file does not propagate it to PingAccess.

Option Bis incorrect — trusted certificates are not tied to agent authentication.

Option Cis unnecessary — reinstalling the agent does not reset credentials.

Option Dis correct — downloading a newagent.propertiesfile re-secures the agent.

When applications depend solely onheader-based identity mapping, attackers can attempt to bypass PingAccess by injecting headers directly into requests sent to the backend. To prevent spoofing, PingAccess should be configured to passcryptographically verifiable tokens(e.g.,ID tokens from OIDC) instead of relying on plain headers.

Exact Extract:

“Headers can be spoofed if not protected. Use signed tokens, such as ID tokens or JWTs, to provide strong identity assurance and prevent header injection attacks.”

Option A (Use ID Tokens)is correct — ID tokens are signed and verifiable, preventing spoofing.

Option B (Add Site Authenticator)protects PingAccess-to-site authentication, not client-to-API spoofing.

Option C (Require HTTPS)prevents eavesdropping but does not stop header spoofing from inside the network.

Option D (Use Target Host Header)ensures host header integrity but not user identity.

PingAccess distinguishes betweengateway rulesandagent rules. Some processing rules, such asRewrite Cookie Domain, only apply when PingAccess is acting as areverse proxy (gateway), not when protecting applications viaagents.

Exact Extract:

“Rewrite Cookie Domain rules are not supported for agent applications. They are only available for proxied (gateway) applications.”

Option A (Rewrite Cookie Domain)is correct — unavailable with agent applications.

Option B (Network Range)is available for both agents and gateways.

Option C (Rate Limiting)is supported on both application types.

Option D (Cross-Origin Request)is also supported in both.

PingAccess can be configured to log or suppress back-channel requests that occur duringtoken validationwith an OAuth/OpenID Connect provider such as PingFederate. These requests happen when PingAccess calls PingFederate to validate access tokens or retrieve key material.

Exact Extract from PingAccess documentation:

“Back-channel requests are logged during token validation by default. To prevent these requests from being written to the audit log, update theToken Validationsettings in PingAccess.”

This makesToken Validationthe correct location for changing the behavior without modifying application-specific configurations.

Why other options are wrong:

B. Web Sessions

Incorrect. Web Sessions control user session management and cookie handling, not back-channel token validation traffic.

C. Sites

Incorrect. Sites are the definitions of backend servers that PingAccess proxies to. This setting does not affect back-channel logging to PingFederate.

D. Token Provider

Incorrect. The Token Provider defines the OIDC/OAuth server (e.g., PingFederate) and its endpoints, but the logging of back-channel requests is not controlled here.

Thus, the correct answer isA. Token Validation.

When using theAuthorization Code Flowfor authentication, PingAccess must be configured with:

AnOAuth Client IDthat identifies the application to the IdP.

TheOpenID Connect Login Typeset to Authorization Code.

Exact Extract:

“When configuring an OIDC web session, specify the OAuth client ID and select the OpenID Connect login type (Authorization Code, Hybrid, or Implicit).”

Option A (OAuth Token Introspection Endpoint)is not required for Authorization Code flow — token introspection is used in other cases.

Option B (OAuth Client ID)is correct — required for OIDC authorization requests.

Option C (OpenID Connect Issuer)is discovered automatically via metadata when you configure the token provider.

Option D (Virtual Host)is required for application exposure but not specific to OIDC flow.

Option E (OpenID Connect Login Type)is correct — must be set to “Authorization Code.”

In Log4j2, theLoggerelement controls the log level (INFO,DEBUG,ERROR, etc.) for specific packages or classes.

Exact Extract:

“To modify logging levels, edit theelement inlog4j2.xmland change the level attribute.”

Option A (AsyncLogger)is a performance optimization, not for changing levels.

Option B (RollingFile)defines file rotation, not log levels.

Option C (Logger)is correct — this is where log levels are defined.

Option D (Appenders)define output destinations, not severity levels.

Publicly trusted Certificate Authorities are already included in theJava Trust Store Certificate Group, which PingAccess can use directly. This avoids importing the certificate manually.

Exact Extract:

“If the target site uses a certificate from a well-known public CA, configure the site to use the Java Trust Store Certificate Group.”

Option Ais incorrect — Key Pairs store private keys for SSL termination, not public CA trust anchors.

Option Bis correct — Java Trust Store already contains trusted public CAs.

Option Cis incorrect — again, Key Pairs are not used for trust validation.

Option Dis unnecessary for public CAs — only internal/self-signed certs must be imported.

When configuring PingAccess to use PingFederate as theStandard Token Providerfor runtime engines, PingAccess must know how to contact PingFederate. The configuration requires theHost(PingFederate base URL).

Exact Extract:

“When configuring the Standard Token Provider, specify the PingFederate host to which PingAccess engines will connect for token validation.”

Option A (Issuer)is part of OIDC metadata but not required explicitly in this configuration.

Option B (Client ID)is needed for OAuth clients but not when defining the token provider connection itself.

Option C (Host)is correct — this is required to connect to PingFederate.

Option D (Port)may be included within the host definition (host:port) but is not the required field.

For SSL termination, PingAccess requires aKey Pair(certificate + private key). During a POC/demo, when aself-signed certificateis used, the administrator can create it directly in theKey Pairssection of the console.

Exact Extract:

“Use the Key Pairs section to create self-signed certificates for testing or proof-of-concept deployments. For production, import a PKCS#12 file containing a certificate chain and private key.”

Option Ais incorrect — Certificates store trust anchors (CAs), not SSL termination certs.

Option Bis incorrect — an internal CA-signed cert requires PKCS#12 import, not self-signed creation.

Option Cis incorrect — a publicly trusted CA is not used for a demo phase.

Option Dis correct — creating a new certificate in Key Pairs generates a self-signed cert suitable for demos.

When a back-end site requires HTTP Basic Authentication, PingAccess supports this via aBasic Authentication Site Authenticator. The authenticator is configured with credentials so that PingAccess can successfully authenticate to the target site.

Exact Extract:

“PingAccess can authenticate to target sites using a Site Authenticator. Use the Basic Authentication Site Authenticator when the site requires a username and password.”

Option Ais incorrect — identity mappings are used to forward user attributes, not for site-to-site authentication.

Option Bis incorrect — web sessions represent end-user sessions, not back-end credentials.

Option Cis correct — the Basic Authentication Site Authenticator should be configured on the Site.

Option Dis incorrect — mTLS authenticates with certificates, not username/password.

The pattern/images/sitel/*matches all subpaths and files under the/images/sitel/directory, including nested paths.

Exact Extract:

“The asterisk (*) matches zero or more characters within the path. For example,/images/sitel/*matches all resources under thesitelfolder.”

Option Ais incorrect — it references/aitel/instead of/sitel/.

Option Bis incorrect —/site*matches strings beginning with “site”, but may also match “siteX” incorrectly.

Option Cis incorrect — it only matches resources under/english/, missing other folders.

Option Dis correct —/images/sitel/*covers all given examples.

To pass user attributes into HTTP headers for applications, PingAccess usesIdentity Mappings. When attributes need to be passed specifically as headers, the administrator must update theHeader Identity Mapping.

Exact Extract:

“Header identity mappings map attributes from a user’s web session to HTTP headers that are then sent to the back-end application.”

Option A (HTTP Request Header Rule)is incorrect — this adds or modifies static request headers, not user attributes.

Option B (Header Identity Mapping)is correct — this maps identity attributes into headers dynamically.

Option C (JWT Identity Mapping)is incorrect — that’s used for passing attributes as claims in JWTs.

Option D (Web Session Attribute Rule)is incorrect — that is for access control evaluation, not propagation of attributes.

PingAccess enforces step-up or multi-factor authentication usingAuthentication Requirements, which can be applied to specific resources within an application.

Exact Extract:

“Authentication requirements allow administrators to configure additional authentication (for example, MFA) when accessing sensitive application resources.”

Option A (UI Authentication)applies to access to theadmin console, not application resources.

Option B (Auth Token Management)relates to OAuth token lifetimes and refresh, not MFA enforcement.

Option C (Authentication Requirements)is correct — these rules enforce MFA or step-up auth for specific URLs/resources.

Option D (Authentication Challenge Policy)governs how failed auth challenges are presented but does not enforce MFA.

PingAccess validates access tokens usingAccess Token Managers, which are typically backed byPingFederateor ageneric OIDC provider.

Exact Extract:

“PingAccess validates tokens through Access Token Managers, which can be configured against PingFederate or a common OIDC provider.”

Option A (PingFederate)is correct — the most common token provider.

Option B (Kerberos)is not supported for token validation.

Option C (SAML provider)is incorrect — PingAccess does not natively consume SAML assertions.

Option D (Common OIDC provider)is correct — tokens can be validated against any OIDC-compliant IdP.

Option E (PingAuthorize)is an authorization engine, not a token provider.

All administrative API calls that change PingAccess configuration are logged inpingaccess_api_audit.log. This allows administrators to track who made configuration changes.

Exact Extract:

“Thepingaccess_api_audit.logfile contains entries for all administrative API calls and is used to audit configuration changes.”

Option A (pingaccess.log)contains runtime system messages but not detailed API audit entries.

Option B (pingaccess_engine_audit.log)is specific to engine request/response audit logging.

Option C (pingaccess_agent_audit.log)is used for PingAccess Agent traffic auditing, not administrative changes.

Option D (pingaccess_api_audit.log)is correct — it tracks admin API modifications.

To prevent CORS errors, administrators must configure aCross-Origin Request (CORS) Processing Rule. The secure practice is to allow thespecific trusted domain( ) and, when cookies or credentials are required, to enableAllow Credentials.

Exact Extract:

“For secure CORS, specify exact origins rather than wildcards. Enable ‘Allow Credentials’ when client-side resources must include cookies or authentication data.”

Option Ais incomplete — multiple values are possible, but in this case only is required.

Option Bis less secure — using a wildcard (*.anycompany.com) broadens exposure unnecessarily.

Option Cis insecure —*with credentials is disallowed by CORS specifications.

Option Dis correct — restricts access to the trusted domain and allows credentialed requests.

Modern browsers enforce stricter cookie handling rules. If cookies are not configured correctly with theSameSiteattribute, behavior can differ across browsers, leading to inconsistent authentication and access denials. Security exceptions may appear when session cookies are blocked.

Exact Extract:

“The SameSite cookie setting defines how browsers send cookies in cross-site requests. Misconfigured SameSite values can lead to inconsistent application behavior across browsers.”

Option A (Enable PKCE)is related to OAuth flow security, not browser cookie behavior.

Option B (SameSite Cookie)is correct — this directly explains the inconsistent browser issues.

Option C (Request Preservation)ensures query parameters are kept, not related to cross-browser session handling.

Option D (Validate Session)checks session state but does not address browser inconsistencies.

To enforcestep-up authenticationfor selected resources, PingAccess usesAuthentication Challenge Policies. These policies allow different challenge methods to be applied depending on the resource.

Exact Extract:

“Authentication challenge policies define how PingAccess challenges users for authentication and are often applied when step-up authentication is required for specific resources.”

Option A (Authentication Challenge Policy)is correct — it ensures only certain resources trigger step-up MFA.

Option Bis incorrect; the reserved resource base path is unrelated to authentication.

Option Cis incorrect; changing the context root just changes the URL path prefix.

Option Dis incorrect; manual ordering of resources is unrelated to enforcing MFA.

When APIs are remote, latency is introduced by frequent token validation requests. EnablingCache Tokenon the OAuth Resource Server reduces repeated validation calls and improves performance.

Exact Extract:

“The OAuth Resource Server configuration includes aCache Tokenoption that improves performance by reducing round trips for token validation.”

Option Ais incorrect — key rolling affects cryptographic keys, not API latency.

Option Bis incorrect — virtual hosts control external FQDNs, not performance.

Option Cis incorrect — token attribute size does not significantly affect remote latency.

Option Dis correct — caching tokens reduces validation overhead.

PingAccess allows administrators to configurecustom error pages or messagesat theRoot Resource levelof an application. This ensures that when rule violations (e.g., authorization failures) occur, the application can display tailored error responses.

Exact Extract:

“Custom error handling for rule violations is configured within the Root Resource of an application.”

Option Ais incorrect — assigning a rule to a resource does not allow defining custom errors.

Option Bis correct — the Root Resource is where administrators define custom error handling for the entire application.

Option Cis incorrect — Rule Sets only combine rules; they do not handle error responses.

Option Dis incorrect — individual rule definitions do not contain custom error configurations.

PingAccess retains backup archives of its configuration in thedata/archivedirectory. The number of retained backups is controlled in therun.propertiesfile.

Exact Extract:

“The number of configuration backups retained in thedata/archivedirectory is controlled by thearchive.maxCountproperty inrun.properties.”

Option A (log4j2.db.properties)is incorrect; this file controls database logging, not archive retention.

Option B (jvm-memory.options)is incorrect; this file sets JVM heap and memory arguments.

Option C (run.properties)is correct — it contains system-level settings includingarchive.maxCount.

Option D (log4j2.xml)is incorrect; this file configures log appenders and levels, not archive backups.