The Ping Identity PT-AM-CPE - Certified Professional - PingAM Exam is part of the Ping Identity Certifications track and is designed for professionals working with PingAM in real-world access management environments. It validates practical knowledge across deployment, security, federation, and OAuth2-based services. This exam matters because it confirms your ability to support and secure identity access solutions with confidence. If you are preparing to demonstrate hands-on PingAM skills, this certification is a strong career milestone.
| # | Exam Topics | Sub-Topics | Approximate Weightage (%) |
|---|---|---|---|
| 1 | Enhancing Intelligent Access | Adaptive access decisions, authentication trees, contextual policies, user journey optimization | 20% |
| 2 | Improving Access Management Security | Policy hardening, secure configuration, session protection, administrative security controls | 22% |
| 3 | Extending Services Using OAuth2-Based Protocols | OAuth2 flows, token handling, client registration, API authorization | 22% |
| 4 | Federating Across Entities Using SAML2 | SAML assertions, entity configuration, metadata exchange, trust relationships | 18% |
| 5 | Installing and Deploying AM | Installation planning, deployment steps, environment setup, post-install validation | 18% |
This exam tests more than memorization. Candidates need a solid grasp of PingAM concepts, practical deployment awareness, and the ability to apply access management knowledge to security and federation scenarios. It also checks how well you understand configuration choices, protocol behavior, and operational best practices in an enterprise identity environment.
QA4Exam.com offers Exam PDF material with actual questions and answers plus an Online Practice Test tailored for the Ping Identity PT-AM-CPE exam. These resources help you study with real exam simulation, so you can get familiar with the question style and pressure before test day. The content is updated to stay aligned with the exam focus, and the verified answers help you review with confidence. You can also practice time management, identify weak areas, and build the speed needed to handle the real exam efficiently. With focused preparation, you improve your chances of passing on the first attempt.
This exam is intended for professionals who want to validate their PingAM knowledge as part of the Ping Identity Certifications track, especially those working with access management and identity solutions.
It can be challenging because it covers deployment, security, OAuth2, SAML2, and intelligent access concepts. Candidates with hands-on PingAM experience usually find it easier to prepare.
Braindumps alone are not the best approach. They work better when combined with understanding of the concepts and practice with realistic questions and answers.
Hands-on experience is strongly recommended because the exam topics are practical and scenario-based. Real familiarity with PingAM helps you understand how the concepts are applied.
QA4Exam.com dumps and the Online Practice Test are designed to support efficient preparation, but reviewing the exam topics and understanding the underlying concepts can improve your confidence further.
The Exam PDF gives you actual questions and answers for targeted review, while the Practice Test simulates the real exam environment so you can build accuracy and manage your time better.
Yes, QA4Exam.com provides verified answers to help you study with more confidence and focus on the exam areas that matter most.
When developing a PingAM May Act script for OAuth2 token exchange patterns, which variables are made available for use in the script?
The OAuth2 May Act script type in PingAM 8.0.2 allows administrators to programmatically determine if a token exchange request (impersonation or delegation) should be allowed by adding a may_act claim to the token.
According to the 'Scripting' and 'Token Exchange Scripting API' documentation, when this script is executed, the AM engine provides a specific set of 'Bindings' or variables. These allow the script to inspect the context of the request before deciding to modify the token. The documented variables for the OAuth2 May Act script are:
clientProperties: A map of the OAuth2 client's configuration properties.
identity: The identity object for the user/subject.
logger: The logging object for debugging within the script.
requestProperties: Properties of the incoming HTTP request.
scopes: The set of scopes requested or associated with the token.
scriptName: The name of the script being executed.
session: The user's SSO session (if available).
requestedToken: This is the most important variable; it represents the token being issued. Methods like .addMayAct() or .setMayAct() are called on this specific object.
Why other options are incorrect:
Option B correctly lists the bindings.
Options A and D are incorrect because they use the variable name token. While token is a common variable name in other OAuth2 script types (like the Access Token Modification script), the Token Exchange script specifically uses requestedToken to distinguish the new token from the subject_token or actor_token provided in the request.
Option C uses scopeList, which is not the standard variable name for the scopes in this specific script context; the documentation defines it as scopes.
Which of the following are existing script types in PingAM?
A) Decision node script for authentication trees
B) End User user interface theme script
C) OpenID Connect claims script
D) Policy condition script
PingAM 8.0.2 is highly extensible through its Scripting Engine, which supports Groovy and JavaScript. However, scripts can only be applied to specific 'hooks' or 'extension points' defined by the platform.
According to the 'Scripting' and 'Script Types' reference in the PingAM 8.0.2 documentation, the standard supported script types are:
Decision node script (A): Used within Authentication Trees via the 'Scripted Decision Node.' These scripts allow for complex logic, such as checking user attributes, calling external APIs, or evaluating risk before deciding which path a user should take in their journey.
OpenID Connect claims script (C): This script type is used to customize the claims returned in OIDC ID Tokens or at the UserInfo endpoint. It allows administrators to transform internal LDAP attributes into the specific JSON format required by OIDC clients.
Policy condition script (D): Used within Authorization Policies. These scripts define custom logic for granting or denying access (e.g., 'Allow access only if the user is connecting from a specific IP range and it is between 9 AM and 5 PM').
Why Statement B is incorrect: There is no such thing as an 'End User user interface theme script' in the PingAM scripting engine. UI customization (theming) in PingAM 8.0.2 is handled through the XUI framework using CSS, HTML templates, and configuration JSON files, or by building a custom UI using the Ping SDKs. It does not use the server-side Groovy/JavaScript scripting engine that governs authentication and authorization logic. Therefore, the valid script types are A, C, and D, making Option D the correct choice.
A user's SSOTokenID is stored in a cookie when they successfully log in. What is the name of the PingAM property used to configure this cookie?
In PingAM 8.0.2, once a user successfully completes an authentication journey, the server issues a session token. For browser-based clients, this token is typically delivered via an HTTP cookie. The server-side property that defines the name of this specific cookie is com.iplanet.am.cookie.name.
According to the 'Global Properties' and 'System Configuration' documentation, this property is found under the Session service settings. By default, its value is set to iPlanetDirectoryPro (Option B). While iPlanetDirectoryPro is the default value of the cookie name, the question asks for the name of the property used to configure it.
Administrators often modify this property for security reasons, either to hide the fact that they are using PingAM or to avoid conflicts with other legacy systems. If this property is changed on the AM server, the corresponding configuration in all Policy Agents (Web or Java Agents) must also be updated to look for the new cookie name; otherwise, the agents will not be able to find the user's session and will redirect them to login repeatedly. Option D refers to an agent-side configuration key, but the central 'Source of Truth' for the session cookie name within the AM platform is the server-side property com.iplanet.am.cookie.name.
During the PingAM startup process, what is the location and name of the file that the PingAM bootstrap process uses to connect to the configuration Directory Services repository?
In PingAM 8.0.2, especially when utilizing File-Based Configuration (FBC), the startup sequence relies on a 'bootstrap' phase to locate the system's configuration. According to the 'Installation Guide' and 'Configuration Directory Structure,' the primary file involved in this process is named boot.json.
The boot.json file contains the essential connection details required for the AM binaries to find and unlock the configuration store (usually PingDS). This includes the LDAP host, port, bind DN, and references to the secret stores needed to decrypt the configuration.
The location of this file is determined by the Configuration Directory path specified during the initial setup. By default, PingAM creates its configuration directory in the home directory of the user running the web container. The standard path structure is <user-home>/
Options A and D are incorrect because they place the file inside a /config subdirectory; while AM has many config files in subdirectories, the boot.json sits at the root to be accessible as the first point of entry.
Option B is incorrect because it suggests the file is stored within the Tomcat webapps folder. PingAM specifically avoids storing configuration data within the web application binaries to ensure that configuration persists even if the .war file is deleted or redeployed.
Understanding the location of boot.json is vital for DevOps engineers who need to automate the deployment of PingAM using tools like Amster or when troubleshooting a 'Failed to connect to the configuration store' error during server startup.
When the OATH Registration node's OATH Algorithm property is set to TOTP in an authentication tree, which node needs to have the same value set?
In PingAM 8.0.2, Multi-Factor Authentication (MFA) using the OATH standard supports two primary algorithms: TOTP (Time-based One-Time Password) and HOTP (HMAC-based One-Time Password). For an authentication journey to function correctly, the 'Registration' phase (where the user's device and AM agree on a secret and algorithm) and the 'Verification' phase (where AM checks the submitted code) must be perfectly synchronized.
According to the 'Authentication Node Reference' for the OATH Token Verifier node and OATH Registration node:
Both nodes contain a configuration property named OATH Algorithm. This property determines how the six- or eight-digit code is generated and validated. If the OATH Registration node is configured to set up a user for TOTP, it will generate a QR code containing the TOTP parameters for the user's authenticator app.
When that user later attempts to log in, the OATH Token Verifier node (Option A) must also be set to TOTP. If the verifier is accidentally set to HOTP (which uses a counter rather than a time step), the validation will consistently fail because the server will be looking for a counter-based value while the app is providing a time-based value.
Other nodes like the Recovery Code Collector Decision node (Option B) or OATH Device Storage node (Option D) handle subsequent or separate tasks (like account recovery or writing the final profile to LDAP) and do not directly participate in the real-time OATH mathematical validation logic. Thus, the OATH Token Verifier is the mandatory counterpart that must match the registration's algorithm setting.
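The mismatch described above can be reproduced outside PingAM with the two OATH algorithms themselves. The following is an added example, not PingAM code: it implements HOTP (RFC 4226) and TOTP (RFC 6238) and a verifier whose `algorithm` argument stands in for the node's OATH Algorithm property. The parameter names `totp_window`, `hotp_lookahead` and `stored_counter` are hypothetical, and the secret is the RFC test secret.

```python
import hashlib
import hmac
import struct

# Constructed sample input: the shared test secret from RFC 4226 / RFC 6238.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


def verify(algorithm: str, secret: bytes, code: str, unix_time: int,
           stored_counter: int = 0, hotp_lookahead: int = 10,
           totp_window: int = 1, step: int = 30) -> bool:
    """Check a submitted code the way a verifier configured for `algorithm` would.

    TOTP tries the time steps around `unix_time`; HOTP tries counters starting
    at the server-side `stored_counter`. All window sizes are assumptions.
    """
    if algorithm == "TOTP":
        now = unix_time // step
        candidates = range(max(0, now - totp_window), now + totp_window + 1)
    elif algorithm == "HOTP":
        candidates = range(stored_counter, stored_counter + hotp_lookahead)
    else:
        raise ValueError(f"unknown OATH algorithm: {algorithm}")
    return any(hmac.compare_digest(hotp(secret, c, 6), code) for c in candidates)


def demo(unix_time: int = 1111111109) -> dict:
    """Device registered for TOTP; compare a matching and a mismatched verifier."""
    code = totp(SECRET, unix_time)  # what the authenticator app displays
    return {
        "code": code,
        "verifier_totp": verify("TOTP", SECRET, code, unix_time),
        "verifier_hotp": verify("HOTP", SECRET, code, unix_time),
    }


if __name__ == "__main__":
    print(demo())
```

The HOTP-configured verifier only ever searches counters near its stored value, while the app's code corresponds to a counter in the tens of millions, so no look-ahead window of practical size makes the two agree.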