Prepare for the Ping Identity Certified Professional - PingAM (PT-AM-CPE) exam with our collection of practice questions and answers. Each question comes with a detailed explanation.
In the default Cloud Developer Kit (CDK) deployment of the forgeops repository, which pods provide the user interface functionality?
The Cloud Developer Kit (CDK), part of the forgeops repository, represents the modern approach to deploying the Ping Identity Platform (including PingAM 8.0.2) in a containerized, Kubernetes-native environment. According to the PingAM deployment and ForgeOps documentation, the platform has transitioned from a monolithic architecture, in which the user interface was embedded within the AM web application, to a decoupled, microservices-aligned architecture. In a standard CDK deployment, the user interface components are separated into their own distinct pods to allow for independent scaling, updates, and management.
The three specific pods that provide user interface functionality in a default CDK environment are:
admin-ui: This pod hosts the administrative console. It is the centralized interface that administrators use to configure realms, manage identity stores, define authentication trees, and oversee the general health of both PingAM and PingIDM. By separating the administrative UI from the core engine, the platform reduces the attack surface and allows for more granular resource allocation.
end-user-ui: This pod serves the self-service portal for end-users. It is responsible for providing the interface where users can manage their own profiles, update passwords, register Multi-Factor Authentication (MFA) devices, and manage their consent for OAuth2/UMA applications. This UI interacts with the back-end via REST APIs to ensure a seamless and responsive user experience.
login-ui: This is a specialized pod dedicated to the authentication journey. When a user interacts with an 'Intelligent Access' tree, the login-ui pod renders the callbacks (such as username prompts, password fields, or MFA challenges). This pod ensures that the presentation layer of the authentication process is modernized and distinct from the heavy processing logic of the PingAM core.
Collectively, these three pods ensure that the 'User Interface' layer of the deployment is modular. This architecture is a prerequisite for high-availability deployments and is the standard configuration verified in the ForgeOps documentation for version 8.0.2 deployments.
What are the possible outcomes of the Push Result Verifier node?
The Push Result Verifier node is a core component of the 'MFA: Push Authentication' journey in PingAM 8.0.2. Its primary function is to check the status of a push notification that was previously dispatched to a user's mobile device (usually via the Push Sender node).
According to the 'Authentication Node Reference' for version 8.0.2, the node evaluates the state of the push request and yields exactly four distinct outcomes:
Success: This path is followed if the user has actively approved the push notification on their registered device using the ForgeRock/Ping Authenticator app.
Failure: This path is taken if the user explicitly denies or rejects the push notification on their device, indicating a potential unauthorized login attempt.
Expired: This outcome occurs if the notification reaches its 'Message Timeout' limit (defined in the Push Sender node) without any response from the user. In standard trees, this path often loops back to allow the user to try a different MFA method or resend the push.
Waiting: This outcome is triggered if a response has not yet been received but the timeout has not yet been reached. This is used in conjunction with a Push Wait or Polling mechanism to create a 'check-and-loop' logic until a final result (Success, Failure, or Expired) is determined.
The Retry outcome (mentioned in other options) is notably absent from this specific node's metadata. While a 'Retry' might be implemented in the overall tree logic (for example, by using a Retry Limit Decision node after an Expired outcome), the Push Result Verifier node itself only reports the state of the specific push transaction it is tracking. Understanding these four discrete states is vital for designing resilient authentication journeys that handle user delays or network issues gracefully.
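The following is an added illustration, not code from the page or from PingAM itself: it models how the Push Result Verifier decides among its four outcomes from a constructed push transaction record, and compresses the check-and-loop tree (Polling Wait on Waiting, Retry Limit Decision on Expired) into one function. The `PushTransaction` fields, the `"approved"`/`"denied"` response values and the polling interval are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class PushTransaction:
    sent_at: float
    timeout: float                  # Message Timeout configured on the Push Sender node
    response: Optional[str] = None  # None until the device answers: "approved" or "denied"


def push_result(tx: PushTransaction, now: float) -> str:
    """The four outcomes of the Push Result Verifier node, in the order they are checked."""
    if tx.response == "approved":
        return "Success"
    if tx.response == "denied":
        return "Failure"
    if now - tx.sent_at >= tx.timeout:
        return "Expired"  # no answer and the Message Timeout has elapsed
    return "Waiting"      # no answer yet, but still inside the timeout window


def push_journey(user_actions, timeout: float, retry_limit: int, poll_interval: float = 5.0):
    """Simulate the check-and-loop tree (assumed model, not AM's node engine).

    user_actions[i] is (response, seconds_after_send) for push i, or None if the user
    never answers that push. Waiting re-polls after poll_interval (the Polling Wait
    node's job); Expired goes through a Retry Limit Decision that allows at most
    retry_limit resends. Returns (final_outcome, pushes_sent).
    """
    for attempt, action in enumerate(user_actions, start=1):
        tx = PushTransaction(sent_at=0.0, timeout=timeout)
        now, outcome = 0.0, "Waiting"
        while outcome == "Waiting":
            now += poll_interval
            if action is not None and now >= action[1]:
                tx.response = action[0]  # the device answered before this poll
            outcome = push_result(tx, now)
        if outcome != "Expired" or attempt > retry_limit:
            return outcome, attempt
    return "Expired", len(user_actions)
```

An approval that arrives after the timeout is reported as Expired, not Success, because the verifier only reports the state of the transaction it is tracking.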
Which multi-factor authentication methods require a separate device and an application?
PingAM 8.0.2 supports various Multi-Factor Authentication (MFA) methods, each with different hardware and software requirements. The question asks specifically for methods that require both a separate device and a specific application.
Push Authentication: This requires a mobile device (separate from the computer used to log in) and the ForgeRock/Ping Authenticator app (or a custom app using the SDK) to receive and approve the notification.
Open Authentication (OATH): This refers to TOTP (Time-based One-Time Password). It requires a separate device (smartphone or hardware token) and an application (like ForgeRock Authenticator, Google Authenticator, or Authy) to generate the 6-digit rotating codes.
Why WebAuthn is excluded: While WebAuthn (Options A, B, and C) can use separate devices (like a YubiKey or a secondary phone), it is specifically designed to work natively with the browser and the operating system (using the FIDO2 standard). It does not require a specific 'Authenticator Application' to be installed by the user; instead, it uses the platform's built-in authenticators (like TouchID, FaceID, or Windows Hello) or a hardware key handled directly by the browser's WebAuthn API.
Therefore, the two methods that strictly fit the 'Separate Device + App' criteria in the PingAM ecosystem are Open Authentication and Push, making Option D the correct answer.
To ensure the user's full name is displayed on the consent screen for an OpenID Connect application, which string should be added into the Support Claims property on the OpenID Connect tab page of the OAuth2 Provider service in PingAM?
When a client requests an OpenID Connect (OIDC) scope (like profile), PingAM 8.0.2 may present a Consent Screen to the user, asking permission to share specific claims. To make this screen user-friendly, PingAM allows administrators to map technical claim names to human-readable labels and specify localizations.
According to the PingAM documentation on 'Supported Claims' in the OAuth2/OIDC Provider settings:
The format for the Supported Claims property entry is:
ClaimName|Locale|DisplayName
In this syntax:
ClaimName: The technical OIDC claim (e.g., name, email, given_name).
Locale: The ISO language code (e.g., en, fr).
DisplayName: The text that will actually appear on the UI (the 'Full name' label).
Therefore, the string name|en|Full name (Option A) is the correct configuration.
Option B is incorrect because it reverses the technical name and the display name.
Option C is incorrect as it lacks the required locale component and uses full_name (which is not the standard OIDC claim name; the standard is name).
Option D attempts to perform a logic operation (+) within a configuration field where only static mapping strings are allowed. Claim composition (concatenating first and last names) is handled by the OIDC Claims Script, not by the Supported Claims UI property.
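As an added example (not PingAM's own code), here is a parser for the `ClaimName|Locale|DisplayName` format explained above, together with the lookup a consent screen would perform. The sample entries are constructed; the locale pattern and the rule that a claim name must be a plain identifier are assumptions of this example, and the standard claim list is the one registered by OpenID Connect Core 1.0.

```python
import re
from dataclasses import dataclass

# Claim names registered by OpenID Connect Core 1.0 (section 5.1). Custom claims are
# still legal in AM, so an unknown name is flagged rather than rejected.
STANDARD_OIDC_CLAIMS = {
    "sub", "name", "given_name", "family_name", "middle_name", "nickname",
    "preferred_username", "profile", "picture", "website", "email", "email_verified",
    "gender", "birthdate", "zoneinfo", "locale", "phone_number",
    "phone_number_verified", "address", "updated_at",
}
CLAIM_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")    # identifier only: no '+', no spaces
LOCALE_RE = re.compile(r"^[a-z]{2,3}(-[A-Za-z0-9]{2,8})*$")  # en, fr, en-GB (assumed shape)


@dataclass(frozen=True)
class SupportedClaim:
    claim: str
    locale: str
    display_name: str
    standard: bool  # False for custom names such as full_name


def parse_supported_claim(entry: str) -> SupportedClaim:
    """Parse one ClaimName|Locale|DisplayName entry, rejecting the malformed shapes."""
    parts = [p.strip() for p in entry.split("|")]
    if len(parts) != 3:  # e.g. the locale component is missing
        raise ValueError(f"expected ClaimName|Locale|DisplayName, got {entry!r}")
    claim, locale, display = parts
    if not CLAIM_NAME_RE.match(claim):  # reversed fields or an expression such as a '+'
        raise ValueError(f"{claim!r} is not a claim name; only static mappings are allowed")
    if not LOCALE_RE.match(locale):
        raise ValueError(f"{locale!r} is not a locale code")
    if not display:
        raise ValueError("display name must not be empty")
    return SupportedClaim(claim, locale, display, claim in STANDARD_OIDC_CLAIMS)


def is_valid_entry(entry: str) -> bool:
    try:
        parse_supported_claim(entry)
        return True
    except ValueError:
        return False


def consent_label(entries: list[str], claim: str, locale: str) -> str:
    """Label the consent screen would show: the mapped display name, else the raw claim."""
    for entry in entries:
        sc = parse_supported_claim(entry)
        if sc.claim == claim and sc.locale == locale:
            return sc.display_name
    return claim
```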
What is session denylisting used for?
Session Denylisting is a critical security feature in PingAM 8.0.2, primarily used when a realm is configured for client-side sessions. In a client-side session model, the session state is stored in a signed and encrypted JWT within the user's browser cookie rather than in the server's memory or the Core Token Service (CTS). Because the server does not 'own' the session state, a logout event typically only involves deleting the cookie from the browser. However, if a malicious actor had previously copied that cookie, they could still use it until it naturally expires.
To solve this, PingAM uses Session Denylisting to keep track of logged out sessions. When a user logs out, or when a session is invalidated (e.g., during a session upgrade or administrative action), AM records the session identifier in a denylist stored within the Core Token Service (CTS). For every subsequent request, AM checks the incoming client-side session token against this denylist. If the session ID is found in the denylist, AM rejects the token as invalid, even if the cryptographic signature is correct and the expiration time has not passed.
The documentation emphasizes that this feature is essential for 'tracking session logouts across multiple AM servers' in a cluster. Without denylisting, there would be no way to perform a 'global logout' for client-side sessions that is immediately effective across all nodes. Administrators can configure properties such as the Denylist Purge Delay (to account for clock skew) and the Denylist Poll Interval (to balance security speed with system performance). By effectively managing the lifecycle of revoked tokens, session denylisting ensures that a logout is a cryptographically and operationally certain event.
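The check described above, as an added model that is not PingAM's implementation: a stateless session token (an HMAC-signed JSON payload standing in for AM's signed and encrypted JWT) passes signature and expiry checks, yet is rejected once its session ID has been recorded in a denylist. The signing key and session values are constructed, and the in-memory `Denylist` stands in for the CTS-backed store; the purge rule (keep an entry until the session's own expiry plus a delay) mirrors the Denylist Purge Delay setting.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-signing-key"  # constructed; AM uses its own configured keys
PURGE_DELAY = 60.0  # seconds an entry outlives the session expiry, covering clock skew

def _b64enc(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def mint_session(sid: str, ttl: float, now: float) -> str:
    """Stateless session token: base64(JSON claims).HMAC, standing in for AM's signed JWT."""
    payload = _b64enc(json.dumps({"sid": sid, "exp": now + ttl}).encode())
    return f"{payload}.{_sign(payload)}"

class Denylist:
    """Stands in for the CTS-backed denylist that every AM server in the cluster consults."""
    def __init__(self) -> None:
        self._until: dict[str, float] = {}  # sid -> time after which the entry may be purged

    def add(self, sid: str, exp: float) -> None:
        self._until[sid] = exp + PURGE_DELAY  # once the token itself is dead, the entry can go

    def contains(self, sid: str, now: float) -> bool:
        return now < self._until.get(sid, 0.0)

    def purge(self, now: float) -> None:
        self._until = {s: t for s, t in self._until.items() if now < t}

def logout(token: str, denylist: Denylist) -> None:
    """Deleting the cookie alone leaves copies usable; record the session id server-side."""
    claims = json.loads(_b64dec(token.rpartition(".")[0]))
    denylist.add(claims["sid"], claims["exp"])

def validate(token: str, denylist: Denylist, now: float) -> str:
    payload, _, sig = token.rpartition(".")
    if not hmac.compare_digest(sig, _sign(payload)):
        return "invalid-signature"
    claims = json.loads(_b64dec(payload))
    if now >= claims["exp"]:
        return "expired"
    if denylist.contains(claims["sid"], now):  # good signature, unexpired, still rejected
        return "denylisted"
    return "ok"
```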