Prepare for the Ping Identity Certified Professional - PingAM exam with our extensive collection of questions and answers. These practice Q&A are updated according to the latest syllabus, providing you with the tools needed to review and test your knowledge.
QA4Exam focuses on the latest syllabus and exam objectives; our practice Q&A are designed to help you identify key topics and solidify your understanding. By focusing on the core curriculum, these Questions & Answers help you cover all the essential topics, ensuring you're well-prepared for every section of the exam. Each question comes with a detailed explanation, offering valuable insights and helping you to learn from your mistakes. Whether you're looking to assess your progress or dive deeper into complex topics, our updated Q&A will provide the support you need to confidently approach the Ping Identity PT-AM-CPE exam and achieve success.
In a multi-server deployment, what is the impact of not ensuring stickiness in the load balancer configuration?
In a high-availability PingAM 8.0.2 cluster, the Load Balancer (LB) is responsible for distributing traffic across multiple AM instances. Session Stickiness (also known as session affinity) ensures that all requests from a specific user session are routed to the same AM server that initially created the session.
According to the PingAM 'Deployment Planning' and 'Load Balancing' documentation, PingAM is designed to be 'sticky-preferred' but not 'sticky-required' if the Core Token Service (CTS) is used. If stickiness is not ensured:
Performance Impact: Every time a user request lands on a different AM server (Server B) than the one that holds the session in local memory (Server A), Server B must query the CTS (External Store) to retrieve the session details, deserialize the object, and reconstruct the session state. This cross-server look-up introduces significant latency and increases the load on the PingDS instances hosting the CTS.
CTS Load: Without stickiness, every single request becomes a 'Global' session lookup. This drastically increases the I/O and CPU overhead on the back-end directory servers, potentially leading to performance degradation of the entire identity platform.
Why other options are incorrect:
Option A: Session failover requires the CTS, but stickiness actually minimizes the need for failover logic during normal operation. Failover still works without stickiness; it simply becomes the 'default' behavior for every request.
Option B: AM servers in a cluster share the same encryption keys and back-end stores. Any server can technically validate a session by looking it up in the CTS; the browser doesn't 'know' which server is correct.
Option C: Redirects are handled at the application logic level. While some internal processing changes, it doesn't necessarily result in extra browser-level HTTP redirects.
Thus, the primary negative impact of lacking stickiness in a correctly configured cluster is a decrease in performance (Option D) due to the constant session synchronization overhead.
============
Consider the following LDAP connection string:
DS1.example.com:389|01, DS2.example.com:389|01, DS2.example.com:389|02, DS1.example.com:389|02
This connection string can be used in:
A. Identity Store
B. Core Token Service
C. Configuration Data Store
Which of the above options are correct?
The connection string format HOST:PORT|SERVERID|SITEID is a specific syntax used in PingAM 8.0.2 for Affinity Load Balancing, a feature almost exclusively associated with the Core Token Service (CTS). In high-volume deployments, the CTS handles thousands of session updates per second. To avoid replication lag issues (where an AM server might try to read a session token from a directory server (DS) before the update has replicated from another DS node), PingAM uses 'Affinity'.
According to the 'CtsDataStoreProperties' and 'CTS Deployment Architectures' documentation, this specialized string allows the AM instance to prioritize connections based on the Server ID and Site ID. The pipe (|) characters signify the optional affinity parameters:
01/02: These represent the Server IDs of the underlying Directory Servers.
Affinity Logic: By providing these IDs, PingAM can ensure that it always routes requests for the same CTS token to the same directory server node.
While standard Identity Stores (Option A) and the Configuration Data Store (Option C) use LDAP connection strings, they typically utilize a comma-separated list of host:port pairs or rely on a hardware load balancer. The specific use of server and site IDs within the connection string itself to manage LDAP request routing is a hallmark of the CTS affinity configuration. The documentation explicitly states that 'Each connection string is composed as follows: HOST:PORT[|SERVERID[|SITEID]]' within the context of CTS external store configuration. Therefore, this complex string is specifically designed for the Core Token Service to ensure data consistency and high performance in clustered environments.
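The HOST:PORT[|SERVERID[|SITEID]] grammar quoted above is easy to get subtly wrong in a hand-edited configuration (a stray space, a site ID with no server ID, a non-numeric port). The parser below is an added example, not PingAM code: it splits the page's sample connection string into its components, rejects malformed entries, and orders the entries tagged for a given ID ahead of untagged ones. The sample string is the one from the question; the "preferred-order" helper and its rule that untagged entries apply to every ID are assumptions made for illustration.

```python
"""Parse CTS connection strings of the form HOST:PORT[|SERVERID[|SITEID]].

Added example for this page, not part of PingAM. The ordering rule in
endpoints_for_id() is an assumption used for illustration only.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DsEndpoint:
    host: str
    port: int
    server_id: Optional[str] = None   # second '|' field, if present
    site_id: Optional[str] = None     # third '|' field, if present


def parse_endpoint(entry: str) -> DsEndpoint:
    """Parse one HOST:PORT[|SERVERID[|SITEID]] entry, raising ValueError if malformed."""
    parts = entry.strip().split("|")
    if len(parts) > 3 or not parts[0]:
        raise ValueError(f"malformed connection entry: {entry!r}")
    host, sep, port_str = parts[0].rpartition(":")
    if not sep or not host or not port_str.isdigit():
        raise ValueError(f"expected HOST:PORT in {entry!r}")
    port = int(port_str)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in {entry!r}")
    server_id = parts[1].strip() if len(parts) > 1 and parts[1].strip() else None
    site_id = parts[2].strip() if len(parts) > 2 and parts[2].strip() else None
    # The grammar nests SITEID inside SERVERID, so a site ID alone is not valid.
    if site_id is not None and server_id is None:
        raise ValueError(f"SITEID given without SERVERID in {entry!r}")
    return DsEndpoint(host, port, server_id, site_id)


def parse_connection_string(value: str) -> list:
    """Parse a comma-separated list of entries, skipping empty items."""
    return [parse_endpoint(e) for e in value.split(",") if e.strip()]


def endpoints_for_id(endpoints: list, server_id: str) -> list:
    """Return the endpoints relevant to one ID, tagged ones first (assumed ordering).

    Assumption for illustration: entries with no SERVERID apply to every ID and
    are listed after the entries explicitly tagged for the requested ID.
    """
    tagged = [e for e in endpoints if e.server_id == server_id]
    untagged = [e for e in endpoints if e.server_id is None]
    return tagged + untagged


# Sample string from the question (constructed hostnames in example.com).
SAMPLE = ("DS1.example.com:389|01, DS2.example.com:389|01, "
          "DS2.example.com:389|02, DS1.example.com:389|02")

if __name__ == "__main__":
    for ep in parse_connection_string(SAMPLE):
        print(ep)
    print([e.host for e in endpoints_for_id(parse_connection_string(SAMPLE), "02")])
```

Note that the same DS host appears once per ID in the sample, which is what lets each ID keep its own preferred order (DS1 first for 01, DS2 first for 02) without duplicating the host list elsewhere.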
Which of the following components is used to return data to PingGateway or the agent to be included with the policy decision?
When PingAM 8.0.2 evaluates an authorization policy, the primary output is a 'Permit' or 'Deny' decision. However, applications and Policy Enforcement Points (PEPs), such as PingGateway or a Web Agent, often require additional metadata about the user or the session to function correctly (e.g., the user's employee ID, department, or a specific preference).
According to the PingAM documentation on 'Policies' and 'Requesting Decisions':
The mechanism used to provide this extra information is Response Attributes. When defining a policy in the PingAM UI or via REST, an administrator can configure 'Response Attributes' which map internal attributes (from the User Profile or the Session) to keys that are sent back in the policy decision payload.
How it works: If a policy is configured with a response attribute mapping uid to User-ID, when PingGateway asks 'Can user X access resource Y?', PingAM responds with 'Permit' AND a map containing User-ID: X.
Consumption: PingGateway or the Web Agent can then take these attributes and inject them into HTTP headers (e.g., X-User-ID) so the downstream application can consume them without having to query AM again.
Subjects (Option A), Resources (Option B), and Actions (Option D) are all input components used to define the scope of a policy; they are not used to return data to the enforcer. Only Response Attributes serve the purpose of enriching the decision response with additional context.
============
Samantha decides to implement SAML2 auto-federation to link accounts on the service provider (SP) with the corresponding account in the identity provider (IdP). Which of the following statements describe characteristics of auto-federation?
A) Linking is based on a common NameId format value.
B) Linking is achieved by using a common attribute value.
C) The user must log in to the IdP only to link accounts.
D) The user must log in to both the SP and the IdP to link accounts.
Answer Selection:
Auto-federation is a feature in PingAM 8.0.2 designed to simplify the user experience by automatically linking an IdP identity to an SP identity without manual intervention or a specialized 'linking' page.
According to the PingAM documentation on 'Link Identities Automatically with Auto-Federation':
Linking Mechanism (Statement B): Auto-federation does not rely on the SAML NameID. Instead, it uses a common attribute value found in both the SAML assertion and the SP's local identity store. For example, if both systems share an 'Email' attribute, the SP can be configured to use the mail attribute from the incoming assertion to search its own datastore. If a match is found, the accounts are linked. This is significantly more flexible than relying on NameID formats (disproving Statement A).
User Experience (Statement C): One of the primary benefits of auto-federation is that it supports a 'Just-in-Time' experience. The user only needs to log in to the Identity Provider (IdP). When they are redirected to the SP, the SP performs the attribute-based lookup and creates the session immediately. The user is never prompted to log in at the SP side just to 'prove' who they are for the linking process (disproving Statement D).
Because auto-federation relies on matching attributes and only requires a single login at the IdP, the correct statements are B and C. This makes Option B the correct choice. This feature is particularly useful in Large-Scale B2B or B2C scenarios where pre-mapping thousands of users manually would be impossible.
In PingAM, which OpenID Connect endpoint can be used to validate an unencrypted ID token?
While OpenID Connect (OIDC) is built on top of OAuth2, it introduces specific endpoints for handling ID Tokens (the identity layer). In PingAM 8.0.2, when a client receives an ID Token, it is recommended to validate it locally using the provider's public keys. However, PingAM also provides a convenience endpoint for validation.
According to the 'OpenID Connect 1.0 Endpoints' documentation:
/oauth2/idtokeninfo (Option A): This is the dedicated endpoint designed to receive an ID Token as a parameter. It validates the token's signature, checks the expiration and audience, and returns the claims contained within the token in a JSON format. This is specifically used for unencrypted ID tokens.
/oauth2/userinfo (Option B): This endpoint returns claims about the authenticated user but requires a valid Access Token in the authorization header, not an ID Token.
/oauth2/introspect (Option C): This is a standard OAuth2 endpoint (RFC 7662) used to check the metadata and 'activeness' of Access Tokens or Refresh Tokens, not the internal identity claims of an OIDC ID Token.
/oauth2/tokeninfo (Option D): This is a legacy/non-standard endpoint that was used in older versions for Access Token validation and is not the primary OIDC validation endpoint in version 8.0.2.
Therefore, for the specific task of validating an ID Token and retrieving its claims, /oauth2/idtokeninfo is the correct and authoritative endpoint in the PingAM 8.0.2 OIDC implementation.
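The explanation above says the recommended path is to validate the ID token locally and lists what /oauth2/idtokeninfo checks: the signature, the expiry and the audience. The block below is an added example, not PingAM code, showing those checks performed client-side. To stay standard-library only it signs with HS256 (a shared secret) instead of the RSA/EC keys a provider publishes; the signature step is the only part a real client would replace with a JWKS-based verifier. The secret, issuer, client ID and claim values are all constructed for the example, and the alg check, issuer check and nbf/leeway handling are additions beyond the three checks the page names.

```python
"""Local ID-token validation: alg, signature, issuer, audience, expiry.

Added example, not PingAM code. HS256 is used so the example runs offline with
the standard library; PingAM publishes asymmetric signing keys, so only the
signature verification line would change in a real client.
"""
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint a compact JWT (stand-in for the provider's token endpoint)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_id_token(token: str, secret: bytes, issuer: str, audience: str,
                      now: float = None, leeway: int = 0) -> dict:
    """Return the claims if every check passes, otherwise raise ValueError.

    Order matters: the signature is verified before any claim is trusted.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three dot-separated parts")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # Pin the expected algorithm; this rejects alg=none and algorithm confusion.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if audience not in aud_list:
        raise ValueError("audience mismatch")
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise ValueError("token expired or has no exp")
    if now < claims.get("nbf", 0) - leeway:
        raise ValueError("token not yet valid")
    return claims


# Constructed sample values; none of these come from a real deployment.
SECRET = b"constructed-demo-secret-do-not-reuse"
ISSUER = "https://am.example.com/am/oauth2"   # placeholder issuer URL
CLIENT_ID = "demoClient"                        # placeholder OIDC client
NOW = 1_700_000_100
SAMPLE_CLAIMS = {"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID,
                 "iat": 1_700_000_000, "exp": 1_700_000_600}


def demo() -> dict:
    """Mint a token and validate it at a fixed clock; returns the accepted claims."""
    return validate_id_token(sign_hs256(SAMPLE_CLAIMS, SECRET), SECRET, ISSUER, CLIENT_ID, now=NOW)


if __name__ == "__main__":
    print(demo())
```

The fixed clock value keeps the example deterministic; a real client passes the current time and a small leeway to absorb clock skew between itself and the provider.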